CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
In the visitors.info endpoint of Rocket.Chat, a token is returned in the API response. There is no legitimate use case for the token to be present in the response, and its exposure poses a security risk. The vulnerability is fixed in versions 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.
In versions prior to 8.5.0, the ImageElement component in Rocket.Chat renders user-controlled src values without protocol sanitization. This allows for the insertion of a malicious URL with the javascript: protocol, potentially executing arbitrary JavaScript in the user's session.
motionEye (mEye) is an online interface for motion software, a video surveillance program with motion detection. Versions prior to 0.44.0 create the configuration file /etc/motioneye/motion.conf with 644 permissions, making it readable by any local user on the system, leading to the exposure of sensitive data including the admin password.
motionEye (mEye) is an online interface for motion software, which is a video surveillance program with motion detection. Versions prior to 0.44.0 are vulnerable to path traversal in the picture and movie API endpoints, allowing an authenticated user to read arbitrary files from the filesystem.
A flaw was found in KubeVirt's virt-handler domain notify server. The gRPC handlers for HandleDomainEvent and HandleK8SEvent derive the VMI identity (namespace/name) solely from the request body without validating it against the connection's origin. Each virt-launcher pod connects through a per-VMI pipe socket, but no identity tag is propagated from the pipe path to the server handlers.
In Gogs before version 0.14.3, a malicious user with rights to create a new file on a repository or wiki page can trigger a denial of service condition. Pages containing the listing of files will return HTTP error 500 and render the web interface unusable for the repository or wiki.
Prior to versions 4.5.10, 4.4.17, and 4.3.23, Mastodon's normalization of incoming activities signed with Linked-Data Signatures did not adequately protect against a certain class of spoofing, allowing threat actors to remove JSON entries from valid signed activities from third-party actors.
Mastodon, a social network server based on ActivityPub, prior to versions 4.5.10, 4.4.17, and 4.3.23, improperly normalized incoming activities signed with Linked-Data Signatures, allowing attackers to manipulate valid signed JSON-LD activities from third-party actors.
In the Ghost content management system, from version 5.46.1 to 6.21.2, the validation applied to filters on public API endpoints could be partially bypassed, allowing the disclosure of private fields via a brute force attack. If SQLite was used, password hashes were fully accessible, while in the case of MySQL, the case of the password hashes was lost, potentially rendering further brute force attacks ineffective.
Ghost is a Node.js content management system. From versions 6.19.4 to 6.21.1, insufficient validation of the client-supplied Content-Type on Ghost's Admin API file upload endpoint allowed uploaded files to be served with an attacker-chosen content type from S3/GCS storage backends.
A vulnerability in the Ghost content management system (versions 5.18.0 through 6.21.1) allows an unauthenticated attacker to determine whether a given email address belongs to a registered member. The issue stems from discrepancies in responses from the members signin endpoints.
Ghost is a Node.js content management system. From versions 6.19.4 to 6.21.1, when re-rendering posts, Ghost could send HTTP requests to unauthorized image hosts, posing a security risk.
Ghost is a Node.js content management system. From versions 6.0.9 to 6.21.1, the private-IP check for outbound HTTP requests could be bypassed via DNS rebinding, allowing an attacker to coerce the Ghost server into reaching hosts on internal networks.
Ghost is a Node.js content management system. From versions 6.0.9 to 6.21.1, it is possible to bypass the IP filter when making an external request, allowing it to target an internal service using an IPv6 literal that maps to a private IPv4 address.
Jellyfin, an open-source media server, prior to version 10.11.9, had a potential XSS vulnerability that allowed a non-privileged user to execute arbitrary Javascript in the context of a logged-in Administrative user. The attack could occur through the Client header during AuthenticateByName.
Inappropriate implementation in Passwords in Google Chrome prior to version 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page.
Uninitialized use in GPU in Google Chrome on Android prior to 149.0.7827.197 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
Insufficient validation of untrusted input in Navigation in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page.
Uninitialized Use in GPU in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page.
An inappropriate implementation in Autofill in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page.

