CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-46611
Medium

Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, the Glances XML-RPC server does not validate the HTTP Host header, leaving it vulnerable to DNS rebinding attacks. An attacker can exploit DNS rebinding to exfiltrate the full system monitoring dataset from a victim's browser.

CVE-2026-28898
Medium

The HTTP/2-to-HTTP/1.1 codec in swift-nio-http2 did not validate pseudo-header values for control characters before placing them into the translated HTTP/1.1 message. Version 1.44.1 adds validation of all pseudo-headers (:path, :authority, :scheme, :method, :status) at both the HPACK header validation layer and the HTTP/2-to-HTTP/1.1 translation layer, rejecting requests or responses containing CR, LF, or NUL bytes.

CVE-2026-6291
Medium

Bleichenbacher padding oracle vulnerability in PKCS#7 KTRI decryption in wolfSSL. When decrypting PKCS#7 EnvelopedData using RSA PKCS#1 v1.5 key transport, the library returned distinguishable error codes depending on whether RSA padding validation failed or the decrypted content was malformed. This allowed an attacker to incrementally recover the Content Encryption Key (CEK) by observing error responses.

CVE-2026-6091
Medium

A vulnerability in the wolfSSL library allows accepting a certificate chain that terminates at an untrusted intermediate certificate instead of a trusted anchor. The issue occurs in partial-chain verification mode (X509_V_FLAG_PARTIAL_CHAIN) and affects the OpenSSL-compatible certificate path building path.

CVE-2026-55699
Medium

In pnpm prior to versions 10.34.2 and 11.5.3, a vulnerability was discovered where manifest bin object keys such as "", ".", and ".." passed pnpm's bin-name guard. When a malicious package was installed globally, later global remove, update, or add-replacement flows could re-derive those names from the installed manifest and pass path.join(globalBinDir, binName) to removeBin. For "." this targets the global bin directory; for ".." this targets its parent.

CVE-2026-55180
Medium

A vulnerability in pnpm package manager prior to versions 10.34.2 and 11.5.3 expands ${ENV_VAR} placeholders from repository-controlled .npmrc and pnpm-workspace.yaml files into registry request destinations and credentials. A malicious repository can send victim environment secrets to an attacker-selected registry before lifecycle scripts run.

CVE-2026-54679
Medium

In jq prior to version 1.8.2, on 32-bit systems, the jvp_string_append function may experience integer overflow, leading to a massive buffer overrun.

CVE-2026-50573
Medium

In pnpm before versions 10.34.0 and 11.4.0, `pnpm install` in non-frozen mode can accept new remote package content after detecting an integrity mismatch with pnpm-lock.yaml. Even though the package is locked with an integrity value and the registry returns different data, pnpm performs a resolution repair, updates the lockfile, and installs the new content, exiting successfully.

CVE-2026-50021
Medium

In pnpm before versions 10.34.0 and 11.4.0, the tarball extraction worker skips integrity verification when the integrity field is missing from pnpm-lock.yaml. An attacker can remove this field and serve altered package content, allowing installation of modified packages without integrity errors.

CVE-2026-50017
Medium

pnpm before versions 10.34.0 and 11.4.0 can send user-level unscoped npm authentication credentials to a registry chosen by a repository-local .npmrc file. In the reproduced case, the user's npm config contains a default registry and an unscoped _authToken, while the repository only sets registry= to a different registry URL. During normal pnpm workflows, the user's credentials are bound to the repository-selected registry and sent as an Authorization header.

CVE-2026-50014
Medium

A vulnerability in pnpm package manager before versions 10.34.0 and 11.4.0 allows an attacker to inject Git options into the git fetch command via a malicious lockfile. Lack of validation of the commit value in the lockfile enables substitution of the --upload-pack option, which for SSH and local transports can lead to arbitrary command execution.

CVE-2026-47770
Medium

The vulnerability in jq (versions prior to 1.8.2) allows a DoS attack via C stack exhaustion when comparing deeply nested arrays with the == operator. The issue stems from missing recursion guards in jvp_array_equal() and jv_equal() functions in src/jv.c.

CVE-2026-9799
Medium

A flaw was found in the Keycloak authorization component. An authenticated user with a UMA permission ticket for one resource can bypass per-resource access control for all resources of the same type on the resource server by using a specific permission request prefix. This vulnerability requires PERMISSIVE policy enforcement mode and ownerManagedAccess enabled for typed resources without explicit policies.

CVE-2026-9705
Medium

A flaw in Keycloak's client registration service allows a remote attacker with a previously issued Registration Access Token (RAT) to re-enable a client disabled by an administrator. The attacker can reset the client secret and potentially regain privileged API access.

CVE-2026-9083
Medium

A flaw was found in Keycloak where a realm administrator with the 'manage-realm' role can submit an arbitrary filesystem path as a keystore parameter when creating a key provider component. This allows probing of arbitrary filesystem paths to determine which files exist and are readable by the Keycloak process.

CVE-2026-55439
Medium

Halo is an open source website building tool. Prior to version 2.24.3, a path traversal vulnerability in the backup download endpoint allows authenticated administrators to read arbitrary files from the server filesystem.

CVE-2026-55411
Medium

In ToolJet prior to version 3.20.1780-lts, the authenticated endpoint POST /api/data-sources/decrypt returns the decrypted plaintext for any credential whose credential_id is supplied in the request body. Unlike other data endpoints, this handler is not protected by ValidateDataSourceGuard, does not receive the calling @User(), and the underlying CredentialsService.getValue() looks up the credential by id only, with no organization scoping.

CVE-2026-54573
Medium

Outline before version 1.8.0 contains a vulnerability where the AuthenticationHelper.canAccess function uses ctx.originalUrl without stripping the URL fragment (#), allowing an attacker to bypass API key scope restrictions and escalate privileges by appending a permitted path in the fragment.

CVE-2026-54448
Medium

Trivy before version 0.71.0, when scanning Helm chart archives (.tgz), uses a custom tar unpacker that reads each entry with io.ReadAll(tr) without size limit. An attacker can place a malicious .tgz file in the scanned path that decompresses to gigabytes, causing the Trivy process to be killed by the OS OOM killer.

CVE-2026-54040
Medium

A vulnerability in LibreChat prior to 0.8.4-rc1 allows an attacker with a stolen session token to regenerate all 2FA backup codes without requiring any TOTP token or existing backup code. This enables bypassing 2FA login or disabling 2FA entirely.

PreviousPage 59 of 540Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS