CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: v2026.07.01

CVE-2026-14604
Medium

A vulnerability was found in Open Asset Import Library Assimp up to version 6.0.4 in the function Assimp::Exporter::ExportToBlob within code/AssetLib/Ply/PlyLoader.cpp. Manipulation in PLY model handling leads to a double free condition. The attack can be initiated remotely and the exploit has been publicly disclosed.

CVE-2026-14631
Medium

A vulnerability in webpack-dev-server versions 5.2.5 and earlier terminates the Node.js process when an unauthenticated peer sends a normal HTTP request with a malformed Host header or a WebSocket upgrade with a malformed Origin header. The malformed value causes an uncaught exception in the host-validation path and crashes the dev server.

CVE-2026-14620
Medium

A vulnerability in webpack-dev-server versions up to 5.2.5 exposes two internal developer endpoints that perform state-changing actions on any GET request without verifying the request origin. Any website a developer visits while the dev server is running can trigger these endpoints cross-origin with no interaction beyond the visit.

CVE-2026-14615
Medium

A flaw in the Fine-Grained Admin Permissions (FGAP) v2 implementation in Keycloak causes improper filtering of child groups based on caller permissions. A delegated administrator can view details of unauthorized child groups, including names, paths, and custom attributes.

CVE-2026-14614
Medium

In Keycloak, within the ClientResource component of admin services with FGAP v2 enabled, a delegated administrator can attach or remove hidden client scopes they are not authorized to manage. This allows injecting unauthorized data or permissions into end-user security tokens.

CVE-2026-14613
Medium

A vulnerability in Keycloak's administrative interface allows restricted administrators to view information about groups they should not have access to. When Fine-Grained Admin Permissions (FGAP v2) are enabled, an administrator who can see a specific role can also see all groups assigned to that role, without proper permission checks.

CVE-2026-14612
Medium

Two off-by-one errors in the FreeIPA ipa-otpd daemon's OAuth2 device authorization handler can cause out-of-bounds memory access when processing an oversized response from a configured external OAuth2/OIDC Identity Provider. An attacker controlling or man-in-the-middling the IdP endpoint may trigger ipa-otpd to write or read one byte past the end of a fixed-size buffer.

CVE-2026-53478
High

Dell PowerProtect Data Domain in multiple versions contains an OS command injection vulnerability. A high-privileged attacker with remote access could exploit this flaw to execute arbitrary commands.

CVE-2026-49815
High

Dell PowerProtect Data Domain in multiple versions contains an OS command injection vulnerability. A high-privileged attacker with remote access could exploit this flaw to execute arbitrary OS commands.

CVE-2026-49814
High

Dell PowerProtect Data Domain in multiple versions contains an OS command injection vulnerability. A high-privileged attacker with remote access could exploit this flaw to execute arbitrary commands.

CVE-2026-49813
Medium

Dell PowerProtect Data Domain in multiple versions contains an OS command injection vulnerability. A high-privileged attacker with local access could exploit this flaw to execute arbitrary commands.

CVE-2026-14460
High

Missing authorization in TUBITAK BILGEM's pardus-software allows argument injection. The vulnerability affects versions 1.0.4 and earlier, fixed in version 1.0.5.

CVE-2026-14459
High

An argument injection vulnerability in TUBITAK BILGEM's pardus-software allows attackers to inject additional arguments into commands. The issue affects versions up to and including 1.0.4 and is fixed in version 1.0.5.

CVE-2026-46466
Low

Dell PowerProtect Data Domain contains a use-of-less-trusted-source vulnerability. It allows a high-privileged attacker with remote access to tamper with information.

CVE-2026-46465
Medium

A vulnerability in Dell PowerProtect Data Domain allows a high-privileged attacker with remote access to exploit an externally-controlled format string. This could lead to information disclosure and denial of service.

CVE-2026-46464
Medium

Dell PowerProtect Data Domain in multiple versions contains an improper link resolution before file access vulnerability. It allows a high-privileged attacker with remote access to disclose sensitive information.

CVE-2026-46463
Medium

Dell PowerProtect Data Domain in multiple versions contains an integer overflow or wraparound vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to denial of service.

CVE-2026-59234
Medium

A vulnerability in Prospero Flow CRM before version 5.5.3 allows an authenticated attacker to delete arbitrary calendar events of other users by manipulating the {id} parameter in a GET request to /calendar/event/delete/{id}. The lack of ownership checks (user_id/company_id) before deletion enables unauthorized data destruction.

CVE-2026-56085
Low

A vulnerability in Dell PowerProtect Data Domain involves the use of an uninitialized resource. A low-privileged attacker with local access could exploit this flaw, leading to information exposure.

CVE-2026-56015
Unknown

In the Net::IP::LPM library for Perl versions up to 1.10, there is a heap out-of-bounds read vulnerability due to missing validation of the prefix length in the add() function. An attacker can supply an invalid prefix length (e.g., 255 for IPv4 or IPv6), causing reads beyond the address buffer. The issue is detectable by tools like AddressSanitizer and may cause process termination.


Vulnerability data from NVD (NIST) · CISA KEV · EPSS