CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-45758
Critical

On May 11, 2026, a malicious version of the `guardrails-ai` package (0.10.1) was published on PyPI, potentially affecting users who installed it. Security researchers identified the malicious package within approximately 2 hours, and PyPI took action to quarantine it.

CVE-2026-11420
Critical

Two path traversal vulnerabilities in the Network Installation Service (NIS) of Altium Enterprise Server allow an unauthenticated network attacker to write arbitrary files to any writable location on the server filesystem and to read package archive files from the server.

CVE-2026-11414
Critical

Altium Enterprise Server has a vulnerability related to the use of a hard-coded cryptographic key for signing file download URLs. This key is identical across all installations, allowing unauthenticated attackers to forge signatures and retrieve files from the Vault storage area without authentication.

CVE-2026-46496
Critical

HAX CMS, który zarządza mikrositami z backendami PHP lub NodeJs, ma podatność na przechowywane ataki XSS w wersjach przed 26.0.0. Problem wynika z niewłaściwego oczyszczania komponentu `<video-player>`, który pozwala na użycie URI `javascript:` w atrybucie `source`.

CVE-2026-46399
Critical

HAX CMS versions prior to 26.0.0 have an authenticated file overwrite vulnerability. An attacker can exploit this vulnerability to configure malicious Git filter commands, leading to code execution on the HAX CMS server.

CVE-2026-46396
Critical

HAX CMS, which manages microsites with PHP or NodeJs backends, has a stored XSS vulnerability in versions prior to 26.0.0. The issue arises from improper sanitization of `<iframe>` elements, allowing execution of malicious JavaScript.

CVE-2026-46395
Critical

HAX CMS, który zarządza mikrositami z backendem PHP lub Node.js, przed wersją 26.0.0 zawierał krytyczne błędy w implementacji kryptograficznej w funkcji `hmacBase64()`. Te błędy pozwalały nieautoryzowanym atakującym na wydobycie prywatnego klucza podpisywania systemu oraz fałszowanie tokenów JWT, co umożliwiało pełny dostęp administracyjny za pomocą jednego żądania HTTP.

CVE-2026-46389
Critical

In versions 0.11.0 through 0.26.0, there is a logic error in the `client-kubernetes-secret` Keycloak client authenticator that allows an attacker to overwrite the `client_secret` with the mounted Kubernetes secret. This enables authentication as that client with any `client_secret` value and obtaining OAuth2 tokens.

CVE-2026-10580
Critical

Wtyczka Hippoo Mobile App dla WooCommerce w WordPressie jest podatna na obejście uwierzytelnienia, co prowadzi do przejęcia konta administratora we wszystkich wersjach do i włącznie z 1.9.4. Problem wynika z błędu logicznego w funkcji HippooPermissions::get_user_permissions(), która zwraca ten sam null dla administratorów i niezautoryzowanych użytkowników.

CVE-2026-45750
Critical

Termix is a server management platform that prior to version 2.3.2 had a vulnerability in the File Manager component where the path parameter was unsafely processed. This allowed malicious users to execute shell commands over an active SSH session.

CVE-2026-45748
Critical

Termix is a web-based server management platform that prior to version 2.3.2 had a vulnerability in the `POST /ssh/tunnel/connect` endpoint. This vulnerability allowed OS command injection through user-controlled fields being interpolated directly into a shell command.

CVE-2026-45746
Critical

Termix is a server management platform that prior to version 2.3.2 contained a critical Broken Access Control vulnerability in the File Manager functionality. The issue stemmed from improper validation of the sessionId parameter, allowing an attacker to access other users' File Manager sessions.

CVE-2026-45744
Critical

Termix is a web-based server management platform that was vulnerable to OS command injection in the GET /ssh/file_manager/ssh/resolvePath endpoint prior to version 2.3.2. This allows authenticated users to execute arbitrary commands on the connected remote host.

CVE-2026-36500
Critical

An issue in the cluster-admin:backup-datastore component of Controller v12.0.5 allows attackers to execute a directory traversal via a crafted request.

CVE-2025-71318
Critical

NetMan 204 nie wymusza uwierzytelniania na swoich stronach administracyjnych i punktach końcowych komend. Zdalny, nieautoryzowany atakujący może bezpośrednio żądać stron administracyjnych, co prowadzi do ujawnienia wrażliwych informacji oraz możliwości wywołania uprzywilejowanych komend kontrolnych UPS.

CVE-2025-71317
Critical

NetMan 204 zawiera twardo zakodowane konto backdoor z nazwą użytkownika i hasłem 'eurek', które przyznaje dostęp administracyjny. Zdalny, nieautoryzowany atakujący może uwierzytelnić się przez punkt końcowy cgi-bin/login.cgi, co pozwala na uzyskanie uprawnień administratora.

CVE-2026-9270
Critical

DataDog::DogStatsd versions through 0.07 for Perl allow metric injections due to improper input sanitization. The send_stats method does not remove newlines from metric names, allowing attackers to change the metric name prefix.

CVE-2026-11362
Critical

DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags. The format_event method does not validate the content of the tags, allowing data injection from untrusted sources.

CVE-2026-10879
Critical

DBI versions before 1.648 for Perl have a heap overflow when preparsing SQL statements with more than 9 binders. The preparse method expands SQL placeholder characters to numbered binders but only allocates three characters per binder in the buffer.

CVE-2026-6274
Critical

The Redline WR3200 system has a vulnerability related to improper authentication that allows access to functionality not properly constrained by access control lists (ACLs). This issue affects versions from 7.1.3 before 7.1.8.

PreviousPage 49 of 557Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS