CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-47378
Medium

NocoDB prior to version 2026.04.1 had a vulnerability that allowed exposure of values from hidden columns in public shared-view endpoints. Users could access these values through various paths, such as groupBy, filter, and sort.

CVE-2026-47377
Medium

NocoDB prior to version 2026.04.1 had a vulnerability in the hashRedirect plugin that allowed redirecting users to malicious sites. The redirection occurred after checking if the path starts with '/', which allowed the use of protocol-relative URLs.

CVE-2026-47376
Medium

NocoDB prior to version 2026.04.1 had a vulnerability in the password-reset page that rendered the URL token directly into JavaScript string literals. A crafted token could break out of the JS string context and execute attacker-controlled script.

CVE-2026-47375
Medium

NocoDB prior to version 2026.04.1 allows an authenticated user with columnAdd permission to inject arbitrary SQL into the formula engine via the direction argument of ARRAYSORT(...). The value is unrestricted by formula validation and embedded into a knex.raw ORDER BY clause, executing during column creation and on every subsequent record read of the formula column.

CVE-2026-47279
Medium

NocoDB prior to version 2026.05.1 had a vulnerability that allowed access to hidden columns in shared views. Public relation endpoints accepted a caller-supplied column ID without verifying if the column was visible in the shared view.

CVE-2026-46552
Medium

NocoDB prior to version 2026.04.1 had a vulnerability that allowed attackers to access database members through the shared-base session UUID. Attackers could invite arbitrary email addresses as real members of the base, leading to unauthorized access.

CVE-2026-46551
Medium

NocoDB prior to version 2026.04.4 had a vulnerability in the attachment API that allowed authenticated users to download arbitrarily large files, leading to disk space exhaustion and denial of service.

CVE-2026-46550
Medium

NocoDB prior to version 2026.04.1 had a security vulnerability related to the refresh-token cookie, which was set with httpOnly: true but lacked both the secure flag and the sameSite attribute. This allowed the cookie to be intercepted on the network and enabled CSRF attacks against the token-refresh endpoint.

CVE-2026-46548
Medium

NocoDB prior to version 2026.04.1 had non-functional SSRF protection in four notification webhook plugins (Slack, Discord, Mattermost, Teams). An authenticated user with hook-creation permission could direct outbound POST requests to arbitrary internal hosts.

CVE-2026-46547
Medium

NocoDB prior to version 2026.04.1 had a reflected XSS vulnerability in the Page Leaving Warning page. The ncRedirectUrl and ncBackUrl query parameters were used in window.location.href and <a> tag bindings without validation, allowing javascript: URI injection.

CVE-2026-12892
Medium

In the GStreamer library (gst-plugins-bad), processing a crafted H.264 video file with malformed MVC or SVC extension slice NAL units triggers a one-byte heap out-of-bounds read. The flaw occurs when the parser checks slice boundary information without verifying that the NAL unit contains enough data beyond the extension header.

CVE-2026-12891
Medium

A flaw was found in the GStreamer gst-plugins-bad package where processing a malformed H.266/VVC video stream with a crafted aspect ratio indicator causes an out-of-bounds read of up to 8 bytes from adjacent memory. An attacker can exploit this by providing a malicious video file or stream, leading to memory content leakage through video metadata.

CVE-2026-11820
Medium

A flaw in the community.general Ansible collection's nexmo module sends API credentials (api_key and api_secret) as URL query parameters via GET requests. This exposes credentials in web server logs, proxy logs, HTTP Referer headers, and network monitoring tools, despite the Ansible argument specification marking these parameters as no_log.

CVE-2026-11819
Medium

The Ansible keyring_info module leaks SSH key passphrases and other secrets in plaintext to Ansible logs, AWX/Tower, and fact cache backends. Despite the input parameter being marked no_log=True, the module output is unprotected, allowing any user with log access to read the passphrase.

CVE-2025-64105
Medium

FOSSBilling, a billing and client management system, has an IDOR vulnerability in versions 0.6.21 through 0.7.2, allowing authenticated clients to create support tickets referencing other clients' orders. The ticketCreateForClient() method did not verify order ownership, enabling manipulation of rel_id.

CVE-2026-54325
Medium

Pi is a minimal terminal coding harness. In versions before 0.79.0, Pi loaded project-local resources and configurations from a repository's .pi directory without asking the user to trust that repository, potentially allowing malicious code execution.

CVE-2026-45792
Medium

In RTK (Rust Token Killer) prior to version 0.32.0, a vulnerability was found due to improper trust of project-local configuration files. The tool automatically loads .rtk/filters.toml from the working directory with highest priority and without user notification. An attacker can place a malicious filter file in a repository to selectively suppress or alter command output (including file contents, diffs, and security scan results) without detection, potentially concealing malicious code during AI-assisted development or review.

CVE-2026-55736
Medium

A vulnerability in the Ash library allows an attacker to set the value of a private action argument that should only be controlled by trusted server-side code. The filtering of private arguments is incomplete – in the changeset path only atom keys are stripped, and in the atomic path they are not stripped at all.

CVE-2026-55249
Medium

The @rtk-ai/rtk-rewrite plugin version 1.0.0 fails to sanitize user input before passing it to a shell-backed execSync() template string, allowing arbitrary OS command injection. JSON.stringify() does not protect against shell metacharacters like $() and backticks, which are executed by /bin/sh -c.

CVE-2026-54319
Medium

In versions prior to 0.186, Daytona's sandbox volume reference (volumeId) was forwarded to the runner, potentially allowing unauthorized access to paths outside the intended base directory. The use of path-traversal sequences could enable the construction of the host bind-mount source path without proper confinement.

PreviousPage 68 of 534Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS