CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-48902
Critical

Funkcje resetowania hasła i nazwy użytkownika generowały zwykłe linki http dla połączeń https, jeśli flaga 'Force SSL' nie była wyraźnie ustawiona. Może to prowadzić do nieautoryzowanego dostępu do kont użytkowników.

CVE-2026-48899
Critical

An improper access check allows privilege escalation through the com_users batch task.

CVE-2026-48898
Critical

An improper access check allows privilege escalation through the com_users batch task.

CVE-2026-48691
Critical

FastNetMon Community Edition through 1.2.9 contains an integer overflow in the BGP AS_PATH attribute encoder. The get_attributes() function computes attribute_length, leading to silent truncation when the AS_PATH contains more than 63 ASNs, resulting in a heap buffer overflow.

CVE-2026-45721
Critical

Algernon is a small self-contained pure-Go web server. Prior to version 1.17.7, when the server receives a URL request that resolves to a directory without an index file, it searches upward through parent directories for a handler.lua file, potentially leading to remote code execution.

CVE-2026-40383
Critical

Improper validation of user-supplied input leads to a local file inclusion vulnerability.

CVE-2026-35223
Critical

Improper access check allows unauthorized access to com_config webservice endpoints.

CVE-2026-35222
Critical

Improperly validated order clauses lead to a SQL injection vulnerability in com_tags.

CVE-2026-35221
Critical

Improperly built filter clauses lead to a SQL injection vulnerability in the search query for com_finder.

CVE-2026-2264
Critical

A vulnerability in the Google Cloud Apigee SetIntegrationRequest policy allows remote attackers to perform Server-Side Request Forgery (SSRF) and exfiltrate service account access tokens.

CVE-2026-48687
Critical

FastNetMon Community Edition up to version 1.2.9 contains an OS command injection vulnerability in the Juniper router integration plugin. The _log() function in fastnetmon_juniper.php constructs shell commands by concatenating the $msg parameter directly into exec() calls.

CVE-2026-48686
Critical

FastNetMon Community Edition through 1.2.9 contains a stack-based buffer overflow in the BGP NLRI decoder. The function decode_bgp_subnet_encoding_ipv4_raw() does not validate the prefix length, leading to potential arbitrary code execution.

CVE-2026-4480
CriticalEPSS 96%

A flaw in the Samba printing subsystem allows a remote attacker to execute code by sending a specially crafted print job description. The description is passed to the command configured in the "print command" setting without proper escaping of shell special characters.

CVE-2026-45247
CriticalActively exploited

Mirasvit Full Page Cache Warmer dla Magento 2 przed wersją 1.11.12 zawiera podatność na wstrzykiwanie obiektów PHP, która pozwala nieautoryzowanym atakującym na zdalne wykonanie kodu poprzez dostarczenie spreparowanego zserializowanego obiektu PHP w ciasteczku CacheWarmer. Wykorzystanie nieograniczonego wywołania funkcji PHP unserialize() w połączeniu z łańcuchami gadżetów dostępnymi w Magento i jego zależnościach umożliwia wykonanie dowolnego kodu na serwerze.

CVE-2026-9543
Critical

A vulnerability has been found in Totolink N300RH 6.1c.1353_B20190305, affecting the setPasswordCfg function in the /cgi-bin/cstecgi.cgi file of the Web Management Interface. Manipulation of the admpass argument leads to OS command injection.

CVE-2026-7374
Critical

A flaw in KubeVirt's virt-handler component allows an authenticated OpenShift user with edit permissions in a single namespace to exploit improper symlink validation when connecting to virtual machine console sockets. By replacing the console socket with a symlink to the host's CRI-O socket, the attacker can hijack virt-handler's privileged connection, gaining access to any Unix socket on the host, potentially leading to full node and cluster compromise.

CVE-2026-42496
Critical

Vulnerability in Archive::Tar for Perl before version 3.08 allows extraction of symbolic links pointing to arbitrary paths outside the target directory. The _make_special_file() function does not validate the symlink target path, enabling attackers to overwrite files outside the extraction directory.

CVE-2026-42774
Critical

CVE-2026-42774 describes an improper neutralization of special elements used in SQL commands, allowing SQL Injection in Crocoblock JetEngine.

CVE-2026-42773
Critical

CVE-2026-42773 describes an improper neutralization of special elements used in SQL commands, leading to a Blind SQL Injection vulnerability in eMagicOne Store Manager.

CVE-2026-9478
Critical

A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521, affecting the setParentalRules function in the /cgi-bin/cstecgi.cgi file of the Web Management Interface. Manipulating the enable argument can lead to OS command injection.

PreviousPage 65 of 557Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS