CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
SQL Injection vulnerability in GoAdminGroup GoAdmin (last release v1.2.26) allows a remote attacker to execute arbitrary code and obtain sensitive information via the __sort_type URL parameter on all /admin/info/{table} endpoints.
CWE-117 vulnerability in Kibana allows injection of unsanitized data into logs. An attacker can supply specially crafted input that is written to log files without proper neutralization. When logs are viewed in a terminal that interprets control sequences, the injected content may alter the displayed log data.
CVE-2026-49090 in Elasticsearch allows a denial of service (DoS) via uncontrolled resource consumption. An authenticated user can submit a specially crafted bulk request causing sustained high CPU usage, rendering the affected node unable to process requests.
In containerd prior to versions 1.7.32, 2.0.9, 2.2.4, and 2.3.1, containers with a numeric User directive that cannot be parsed as a 32-bit integer are incorrectly treated as a username. This allows bypassing the Kubernetes runAsNonRoot restriction if a crafted image maps this large numeric string to root in /etc/passwd, causing the container to run as root (UID 0).
JAIOTlink C492A-W6 Wi-Fi IP cameras with firmware 4.8.30.57701411 contain a remote code execution vulnerability. An authenticated attacker can write a malicious script to persistent JFFS2 storage and trigger execution via an HTTP endpoint, achieving persistent control over the device.
JAIOTlink C492A-W6 Wi-Fi IP cameras running firmware 4.8.30.57701411 contain hard-coded credentials that allow network-adjacent attackers to gain unauthorized access by using the default admin username with an empty password accepted by the anyka_ipc HTTP service on port 80. Attackers can authenticate with these credentials to access camera snapshots, video streams, network configuration, and factory-level API endpoints including the SetMAC command injection surface.
JAIOTlink C492A-W6 Wi-Fi IP cameras running firmware 4.8.30.57701411 contain an OS command injection vulnerability. An authenticated attacker can achieve remote code execution by supplying a malicious Wireless parameter to the HTTP PUT NetSDK/Factory SetMAC endpoint.
The ApplyOnline WordPress plugin contains a missing authorization vulnerability that allows exploiting incorrectly configured access control security levels. This issue affects versions from n/a through 2.6.7.6.
The ThumbPress WordPress plugin contains a missing authorization vulnerability that allows exploiting incorrectly configured access control security levels. This issue affects all versions from n/a through 6.3.2.
Ray prior to version 2.56.0 contains an unsafe deserialization vulnerability in the WebDataset reader. An attacker can achieve remote code execution by supplying a malicious tar archive to the read_webdataset() function. The _default_decoder() function in webdataset_datasource.py unconditionally calls pickle.loads() on tar entries with .pkl/.pickle extensions and torch.load() with weights_only=False on .pt/.pth entries, executing arbitrary code inside Ray remote workers.
CVE-2026-56152 in Elastic Defend is caused by incorrect authorization (CWE-863). It allows a low-privileged authenticated user to access response action data they are not authorized to view, leading to unauthorized information disclosure.
CVE-2026-56151 in Kibana is an improper input validation vulnerability (CWE-20) that allows an authenticated user to submit a specially crafted Fleet policy input, causing a denial of service (DoS) via input data manipulation (CAPEC-153). This attack renders Fleet agent, server, and policy management functionality unavailable.
A CWE-770 vulnerability in Fleet Server allows an attacker to send a specially crafted request to an upload endpoint, causing excessive memory consumption and potentially leading to a denial of service (DoS).
CWE-770 vulnerability in Elasticsearch allows a denial of service via excessive memory allocation. A privileged user can submit a crafted machine learning request, causing resource exhaustion and node unavailability.
CVE-2026-56148 in Elasticsearch involves uncontrolled recursion leading to denial of service. An authenticated user can submit a specially crafted query causing excessive resource consumption during processing, potentially rendering the affected node unavailable.
Uncontrolled resource consumption vulnerability in the HTTP/1.1 message parser in Apache HttpComponents Core (versions 5.4.2 and earlier, 5.5-beta1 and earlier) allows a remote attacker to cause a denial of service through memory exhaustion by sending messages with excessive number of headers or excessive header length.
CVE-2026-49088 in Kibana allows insertion of sensitive information into log files. When optional APM instrumentation is enabled, sensitive request header values may be recorded in application logs.
CWE-770 vulnerability in Kibana allows a denial of service via excessive resource allocation. An authenticated attacker can send a crafted bulk deletion request, exhausting resources and making Kibana unavailable.
The vulnerability in the Guardian language-system passes the 'id' GET parameter directly into a PHP exec() call in text_to_subtitles.php (line 19) without sanitization. No authentication is required, allowing an unauthenticated remote attacker to append shell metacharacters and execute arbitrary OS commands on the server.
The vulnerability in the Guardian language system passes the 'id' GET parameter directly into a PHP exec() call in transcribe.php without sanitization. An unauthenticated attacker can append shell metacharacters to execute arbitrary OS commands on the server.

