CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2025-23351
Critical

A vulnerability in the command interface of NVIDIA ConnectX and BlueField allows a local user with virtual function (VF) access to cause an out-of-bounds write via crafted input. Successful exploitation may lead to arbitrary code execution on the device.

CVE-2025-23350
Critical

A vulnerability in the command interface of NVIDIA ConnectX and BlueField allows a local user with virtual function (VF) access to cause a write out of bounds via crafted input. Successful exploitation may lead to arbitrary code execution on the device.

CVE-2025-15646
Critical

A vulnerability in HTML::Gumbo for Perl before version 0.19 discloses heap memory via type confusion. The walk_tree function does not support the <template> element, treating it as a text node, causing strlen() to over-read the heap block.

CVE-2026-6688
High

A vulnerability in FatFs R0.16 and earlier affects long filename (LFN) handling. The function copies filenames (up to 255 characters) into short fixed buffers without bounds checking, causing buffer overflow.

CVE-2026-6687
High

FatFs R0.16 and earlier contains a stack overflow bug in f_getlabel() because exFAT label length (XDIR_NumLabel) is trusted without enforcing spec maximums.

CVE-2026-6686
Medium

FatFs R0.16 and earlier contains an uninitialized cluster exposure when f_lseek() extends files beyond EOF without zero-filling newly allocated clusters. This can lead to data disclosure.

CVE-2026-6685
Medium

A vulnerability in FatFs R0.16 and earlier allows bypassing dirty-cache consistency checks via unsigned-subtraction wrap in f_read() and f_write() during interleaved read/write operations on fragmented filesystems.

CVE-2026-6684
Medium

A vulnerability in FatFs prior to R0.16, using GPT scanning with 'FF_LBA64 = 1', causes an infinite loop during filesystem mounting. The issue stems from an unbounded loop count derived from the GPTH_PtNum field in the GPT header, leading to extremely long or infinite mount times.

CVE-2026-6683
Medium

FatFs R0.16 and earlier contains a divide-by-zero bug in exFAT sync logic. Crafted metadata can cause n_fatent - 2 to be zero during write/sync operations, leading to a system crash.

CVE-2026-6682
High

In FatFS R0.16 and earlier, there is an integer overflow bug in mount_volume() where fasize *= fs->n_fats can wrap, leading to attacker-controlled file-size metadata and unsafe read lengths in downstream callers.

CVE-2026-6283
Medium

A stored cross-site scripting (XSS) vulnerability has been found in DivvyDrive by DivvyDrive Information Technologies Inc. The flaw is caused by improper input neutralization during web page generation, allowing injection of malicious scripts.

CVE-2026-5220
Medium

A stored cross-site scripting (XSS) vulnerability has been found in DivvyDrive by DivvyDrive Information Technologies Inc., due to improper input neutralization during web page generation. The issue affects versions from 4.8.2.23 up to 4.8.3.0.

CVE-2026-5142
Medium

A flaw was found in Foreman where authenticated users with 'view_keypairs' permission can bypass taxonomy scoping, allowing them to download private SSH keys from other organizations by directly querying key pair IDs. This vulnerability leads to cross-tenant data exposure in multi-tenant deployments.

CVE-2026-5138
Medium

A cross-tenant information disclosure vulnerability was found in Foreman. An authenticated user with host-edit permissions can bypass authorization checks and leak sensitive infrastructure metadata from unauthorized organizations and locations.

CVE-2026-5135
Medium

A flaw was found in Foreman where a broken access control vulnerability allows an authenticated user with host-edit permissions to retarget an existing lookup value override to a different host. This is achieved by modifying the match field through nested host attributes, effectively bypassing authorization checks.

CVE-2026-58399
High

A vulnerability in the @acastellon/auth authentication system for microservices allows an unauthenticated attacker to bypass token validation via crafted auth-user and Host HTTP headers. The issue affects validateToken() in versions prior to 2.3.0.

CVE-2026-58035
Unknown

Cross-site scripting (XSS) vulnerability in MediaWiki due to improper input neutralization during page generation. The issue is located in resource files related to user blocking.

CVE-2026-58034
Unknown

A Cross-Site Scripting (XSS) vulnerability in the Wikimedia Foundation CheckUser extension due to improper input neutralization during page generation. The issue is located in Vue module files related to temporary accounts.

CVE-2026-58031
Unknown

An XSS vulnerability in MediaWiki exists in the ApiSandboxLayout.Js file, allowing an attacker to inject malicious script into a page. The issue affects versions from 1.46.0-rc.0 before 1.46.0.

CVE-2026-2891
High

A vulnerability in Poly Voice IP devices (CCX, Trio, Edge E) may render them inoperable when connecting to a malicious SIP server and receiving malformed data. HP is releasing updates to mitigate this risk.

PreviousPage 55 of 4519Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS