CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2025-60468
Medium

In GPAC/MP4Box version 2.5-DEV-rev1593-gfe88c3545-master, a buffer overflow vulnerability was found. The function gf_filter_pid_inst_swap_delete_task() in filter_core/filter_pid.c improperly accesses freed objects during PID instance cleanup after a swap/delete operation, leading to a heap use-after-free.

CVE-2026-52816
Medium

Gogs is an open source Git service that prior to version 0.14.3 had a vulnerability in the Jupyter Notebook (ipynb) sanitizer endpoint at POST /-/api/sanitize_ipynb. This vulnerability allowed arbitrary data URIs to be submitted without proper restrictions, potentially leading to Cross-Site Scripting (XSS) attacks.

CVE-2026-52815
MediumEPSS 72%

Gogs, an open source Git service, prior to version 0.14.3 has an unauthenticated information disclosure vulnerability. The GET /api/v1/orgs/:orgname/teams endpoint returns all teams for any organization without requiring authentication.

CVE-2026-52814
Medium

Gogs is an open source Git service that prior to version 0.14.3 was vulnerable to an unauthenticated, asymmetric Denial of Service (DoS) attack via its built-in SSH server. An attacker could open multiple TCP connections to the SSH port, leading to file descriptor exhaustion and destabilization of the entire Gogs process.

CVE-2026-52809
Medium

In Gogs before version 0.14.3, password-reset tokens are generated using the account-activation lifetime (conf.Auth.ActivateCodeLives) instead of the reset-password lifetime (conf.Auth.ResetPasswordCodeLives). The token lifetime is embedded in the token at generation time and re-extracted at verification, making RESET_PASSWORD_CODE_LIVES irrelevant. Even if an administrator configures a shorter reset window (e.g., 10 minutes), tokens remain valid for the full activation lifetime, while the reset email falsely advertises the shorter expiry.

CVE-2026-52807
Medium

Gogs is an open source Git service that prior to version 0.14.3 had an issue with rendering milestone names. The default auto-escaping in Go allowed for HTML/JavaScript injection through interaction with the dropdown in Semantic UI.

CVE-2026-52804
Medium

Gogs is an open source self-hosted Git service. Prior to 0.14.3, a repository admin collaborator can escalate their privileges to owner-level access by exploiting an off-by-one error in the ChangeCollaborationAccessMode function. This vulnerability is fixed in 0.14.3.

CVE-2026-52802
Medium

Gogs is an open source Git service that prior to version 0.14.3 had an open redirect vulnerability. Attacker-controlled redirect_to parameters could bypass validation, allowing redirection to arbitrary external sites.

CVE-2026-52795
Medium

Gogs is an open-source Git service that in version 0.14.3 and earlier allows authenticated users to watch private repositories they do not have access to. The issue arises from an incorrectly implemented access check in the Watch API, enabling attackers to access information from private repositories.

CVE-2026-50128
Medium

Mastodon, a social network server based on ActivityPub, has a vulnerability in versions from 4.3.0 to 4.5.11 and 4.4.18 that allows modification of the attributionDomains value in signed activities. An error in the definition of this term makes Linked Data signatures ineffective.

CVE-2026-49278
Medium

In the visitors.info endpoint of Rocket.Chat, a token is returned in the API response. There is no legitimate use case for the token to be present in the response, and its exposure poses a security risk. The vulnerability is fixed in versions 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.

CVE-2026-47733
Medium

In versions prior to 8.5.0, the ImageElement component in Rocket.Chat renders user-controlled src values without protocol sanitization. This allows for the insertion of a malicious URL with the javascript: protocol, potentially executing arbitrary JavaScript in the user's session.

CVE-2026-32315
MediumEPSS 85%

motionEye (mEye) is an online interface for motion software, a video surveillance program with motion detection. Versions prior to 0.44.0 create the configuration file /etc/motioneye/motion.conf with 644 permissions, making it readable by any local user on the system, leading to the exposure of sensitive data including the admin password.

CVE-2026-31978
Medium

motionEye (mEye) is an online interface for motion software, which is a video surveillance program with motion detection. Versions prior to 0.44.0 are vulnerable to path traversal in the picture and movie API endpoints, allowing an authenticated user to read arbitrary files from the filesystem.

CVE-2026-13208
Medium

A flaw was found in KubeVirt's virt-handler domain notify server. The gRPC handlers for HandleDomainEvent and HandleK8SEvent derive the VMI identity (namespace/name) solely from the request body without validating it against the connection's origin. Each virt-launcher pod connects through a per-VMI pipe socket, but no identity tag is propagated from the pipe path to the server handlers.

CVE-2025-64719
Medium

In Gogs before version 0.14.3, a malicious user with rights to create a new file on a repository or wiki page can trigger a denial of service condition. Pages containing the listing of files will return HTTP error 500 and render the web interface unusable for the repository or wiki.

CVE-2026-48028
Medium

Prior to versions 4.5.10, 4.4.17, and 4.3.23, Mastodon's normalization of incoming activities signed with Linked-Data Signatures did not adequately protect against a certain class of spoofing, allowing threat actors to remove JSON entries from valid signed activities from third-party actors.

CVE-2026-46349
Medium

Mastodon, a social network server based on ActivityPub, prior to versions 4.5.10, 4.4.17, and 4.3.23, improperly normalized incoming activities signed with Linked-Data Signatures, allowing attackers to manipulate valid signed JSON-LD activities from third-party actors.

CVE-2026-53949
Medium

In the Ghost content management system, from version 5.46.1 to 6.21.2, the validation applied to filters on public API endpoints could be partially bypassed, allowing the disclosure of private fields via a brute force attack. If SQLite was used, password hashes were fully accessible, while in the case of MySQL, the case of the password hashes was lost, potentially rendering further brute force attacks ineffective.

CVE-2026-53948
Medium

Ghost is a Node.js content management system. From versions 6.19.4 to 6.21.1, insufficient validation of the client-supplied Content-Type on Ghost's Admin API file upload endpoint allowed uploaded files to be served with an attacker-chosen content type from S3/GCS storage backends.

PreviousPage 62 of 535Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS