CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
A vulnerability was found in Open Asset Import Library Assimp up to version 6.0.4 in the function Assimp::Exporter::ExportToBlob within code/AssetLib/Ply/PlyLoader.cpp. Manipulation in PLY model handling leads to a double-free condition. The attack can be initiated remotely and the exploit has been publicly disclosed.
A vulnerability in webpack-dev-server versions 5.2.5 and earlier terminates the Node.js process when an unauthenticated peer sends a normal HTTP request with a malformed Host header or a WebSocket upgrade with a malformed Origin header. The malformed value causes an uncaught exception in the host-validation path and crashes the dev server.
A vulnerability in webpack-dev-server versions up to 5.2.5 exposes two internal developer endpoints that perform state-changing actions on any GET request without verifying the request origin. Any website a developer visits while the dev server is running can trigger these endpoints cross-origin with no interaction beyond the visit.
A flaw in the Fine-Grained Admin Permissions (FGAP) v2 implementation in Keycloak causes improper filtering of child groups based on caller permissions. A delegated administrator can view details of unauthorized child groups, including names, paths, and custom attributes.
In Keycloak, within the ClientResource component of admin services with FGAP v2 enabled, a delegated administrator can attach or remove hidden client scopes they are not authorized to manage. This allows injecting unauthorized data or permissions into end-user security tokens.
A vulnerability in Keycloak's administrative interface allows restricted administrators to view information about groups they should not have access to. When Fine-Grained Admin Permissions (FGAP v2) are enabled, an administrator who can see a specific role can also see all groups assigned to that role, without proper permission checks.
Two off-by-one errors in the FreeIPA ipa-otpd daemon's OAuth2 device authorization handler can cause out-of-bounds memory access when processing an oversized response from a configured external OAuth2/OIDC Identity Provider. An attacker who controls the IdP endpoint, or who can intercept traffic to it, may trigger ipa-otpd to write or read one byte past the end of a fixed-size buffer.
Dell PowerProtect Data Domain in multiple versions contains an OS command injection vulnerability. A high-privileged attacker with remote access could exploit this flaw to execute arbitrary commands.
Dell PowerProtect Data Domain in multiple versions contains an OS command injection vulnerability. A high-privileged attacker with remote access could exploit this flaw to execute arbitrary OS commands.
Dell PowerProtect Data Domain in multiple versions contains an OS command injection vulnerability. A high-privileged attacker with remote access could exploit this flaw to execute arbitrary commands.
Dell PowerProtect Data Domain in multiple versions contains an OS command injection vulnerability. A high-privileged attacker with local access could exploit this flaw to execute arbitrary commands.
Missing authorization in TUBITAK BILGEM's pardus-software allows argument injection. The vulnerability affects versions 1.0.4 and earlier, fixed in version 1.0.5.
An argument injection vulnerability in TUBITAK BILGEM's pardus-software allows attackers to inject additional arguments into commands. The issue affects versions up to and including 1.0.4 and is fixed in version 1.0.5.
The vulnerability in Dell PowerProtect Data Domain involves the use of a less trusted source. It allows a high-privileged attacker with remote access to tamper with information.
A vulnerability in Dell PowerProtect Data Domain allows a high-privileged attacker with remote access to exploit an externally-controlled format string. This could lead to information disclosure and denial of service.
Dell PowerProtect Data Domain in multiple versions contains an improper link resolution before file access vulnerability. It allows a high-privileged attacker with remote access to disclose sensitive information.
Dell PowerProtect Data Domain in multiple versions contains an integer overflow or wraparound vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to denial of service.
A vulnerability in Prospero Flow CRM before version 5.5.3 allows an authenticated attacker to delete arbitrary calendar events of other users by manipulating the {id} parameter in a GET request to /calendar/event/delete/{id}. The lack of ownership checks (user_id/company_id) before deletion enables unauthorized data destruction.
A vulnerability in Dell PowerProtect Data Domain involves the use of an uninitialized resource. A low-privileged attacker with local access could exploit this flaw, leading to information exposure.
In the Net::IP::LPM library for Perl versions up to 1.10, there is a heap out-of-bounds read vulnerability due to missing validation of the prefix length in the add() function. An attacker can supply an invalid prefix length (e.g., 255 for IPv4 or IPv6), causing reads beyond the address buffer. The issue is detectable by tools like AddressSanitizer and may cause process termination.