CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-53152
Medium

In the Linux kernel MMC driver for old Rockchip controllers (rk2928, rk3066, rk3188), missing private data structure caused NULL-pointer dereference after adding memory clock auto-gating support. This affects Linux kernel.

CVE-2026-53150
Medium

In the Linux kernel, the Thunderbolt driver's validator accepts property entries with zero length, causing a buffer underflow when null-terminating the text. This can lead to out-of-bounds memory write.

CVE-2026-53140
Medium

A vulnerability in the Linux kernel's DRM V3D driver causes a virtual address (vaddr) mapping leak when processing indirect CSD buffers. If the workgroup count read from the buffer is zero, the v3d_rewrite_csd_job_wg_counts_from_indirect() function exits early without releasing the mappings of both buffers.

CVE-2026-53139
Medium

In the Linux kernel, a vulnerability was found in the DRM V3D driver due to missing validation of zero workgroup counts in indirect CSD jobs. Submitting a dispatch with a zero count in any dimension is invalid and may cause unexpected hardware behavior.

CVE-2026-46751
Medium

A vulnerability in Apache Kvrocks affects versions from 2.2.0 through 2.15.0, and users are recommended to upgrade to version 2.16.0 to fix the issue.

CVE-2026-56129
Medium

The generic IO & Memory Access driver for PCs provided by TOSHIBA CORPORATION and Dynabook Inc. exposes its IOCTL with insufficient access control. A logged-in user without administrative privileges may access physical memory.

CVE-2026-10824
Medium

The Masteriyo LMS WordPress plugin before 2.2.1 does not perform authorization checks in a course-progress REST API controller, allowing unauthenticated users to read and permanently delete any user's course-progress records.

CVE-2026-8330
Medium

A vulnerability in GitLab CE/EE allowed sensitive information to be written to application logs due to insufficient filtering in a CI/CD API endpoint. It affects all versions from 9.3 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1.

CVE-2026-5952
Medium

A vulnerability in GitLab CE/EE due to incorrect authorization checks allows an authenticated user with developer role to bypass package protection rules and overwrite protected Maven package metadata under certain conditions.

CVE-2026-5796
Medium

A vulnerability in GitLab CE/EE allows an authenticated user with Reporter-level group permissions to view package metadata from projects with the Package Registry disabled due to incorrect authorization checks in the group packages feature.

CVE-2026-5309
Medium

An issue in GitLab EE allowed an authenticated user to read or modify another group's virtual registry cleanup policy settings without authorization under certain conditions. Affected versions: 18.6 to 18.11.6, 19.0 to 19.0.3, and 19.1 to 19.1.1.

CVE-2026-2238
Medium

A vulnerability in GitLab CE/EE allowed an unauthenticated user to view confidential issue references in public projects under certain conditions due to improper authorization checks. Affected versions: 17.5 to 18.11.6, 19.0 to 19.0.3, and 19.1 to 19.1.1.

CVE-2026-1606
Medium

A vulnerability in GitLab CE/EE allows an authenticated user to conceal content within a Snippet due to improper input validation. The issue affects versions from 14.8 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1.

CVE-2026-11379
Medium

An incorrect authorization issue in DAST site profile management in GitLab EE could allow a user with Developer role to exfiltrate DAST site profile secrets under certain conditions.

CVE-2026-2508
Medium

The Gravity Forms Booking plugin for WordPress is vulnerable to time-based SQL Injection via the 'staff_id' parameter in all versions up to and including 2.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.

CVE-2026-12079
Medium

The Dokan Pro plugin for WordPress is vulnerable to time-based SQL Injection via the 'orderby' parameter in all versions up to, and including, 5.0.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.

CVE-2026-10833
Medium

The Gutenberg Essential Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'configurablePrefix' Block Attribute. This issue affects all versions up to and including 6.1.4 due to insufficient input sanitization and output escaping.

CVE-2026-8658
Medium

The Tcpdump plugin for Rapid7 InsightConnect on Linux is vulnerable to OS command injection. An authenticated attacker can execute arbitrary commands via the options or filter parameters due to insufficient input sanitization.

CVE-2026-8664
Medium

The Finger plugin for Rapid7 InsightConnect on Linux contains an OS Command Injection vulnerability. An authenticated attacker can execute arbitrary OS commands via the user or host parameters due to insufficient input validation in shell command construction.

CVE-2026-9153
Medium

Arbitrary File Read vulnerability in Rapid7 InsightConnect Sed Plugin on Linux allows authenticated attackers to read arbitrary files via the expression parameter due to insufficient input validation.

PreviousPage 56 of 530Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS