CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
Vulnerability in Guzzle (PHP HTTP client) before 7.12.1 causes traffic expected to be TLS-protected to the proxy to be transmitted in cleartext under certain configurations. This occurs when using built-in cURL handlers (CurlHandler or CurlMultiHandler) with libcurl older than 7.50.2 and an https:// proxy URL — libcurl silently treats it as http://, never establishing an encrypted connection.
In n8n before version 2.24.0, an endpoint in the Meta and Microsoft Teams trigger nodes reflects a query parameter into the HTTP response without sanitization or Content-Security-Policy headers, enabling reflected XSS in the n8n origin when a logged-in user visits a crafted URL.
SQL Injection vulnerability in Cboard v.0.4.2 and earlier allows a remote attacker to execute arbitrary code via the getDimensionsValues component.
A NULL pointer dereference vulnerability was discovered in GPAC MP4Box v2.4 in the gf_isom_add_track_kind() function at isomedia/isom_write.c. Attackers can exploit this by crafting a malicious MP4 file to cause a Denial of Service (DoS).
DRIMO CMS is vulnerable to reflected XSS via the q parameter in the searching functionality. An attacker can prepare a URL that, when opened, results in arbitrary JavaScript execution in the victim's browser.
Hono before version 4.12.12 does not validate cookie names in the setCookie(), serialize(), and serializeSigned() functions, allowing invalid characters such as control characters. This can lead to malformed Set-Cookie header values.
Grav before version 2.0.0-beta.2 contains an XML external entity injection (XXE) vulnerability in SVG file upload processing that allows authenticated attackers to read arbitrary files. The application uses simplexml_load_string without disabling external entity loading, enabling attackers to inject XXE payloads via malicious SVG files.
ImageMagick before versions 7.1.2-15 and 6.9.13-40 has a memory leak in coders/txt.c when processing TXT files with texture attributes. The texture object allocated via ReadImage is not released when GetTypeMetrics fails, leaking memory each time a crafted TXT file with a texture attribute is processed.
Nuxt versions 4.0.0 before 4.4.7 and 3.18.0 before 3.21.7, when running the development server (nuxt dev) on Linux, binds the vite-node IPC server to an abstract-namespace Unix socket without permission restrictions, allowing local users to enumerate and connect.
Crawl4AI before version 0.8.7 contains a stored cross-site scripting vulnerability in the monitor dashboard. The dashboard renders crawl URLs and error messages via innerHTML without escaping, allowing an attacker to submit a crafted crawl request with malicious markup that executes in an operator's browser when viewing the dashboard.
Capgo before version 12.128.2 contains a credential validation vulnerability in the POST /functions/v1/private/validate_password_compliance endpoint that can be called using only the public Supabase key without authentication. The endpoint is CORS-permissive and lacks rate limiting, enabling attackers to perform password spraying and credential stuffing attacks.
The ProfileGrid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pm_author_message' parameter in the pm_send_message_to_author function in all versions up to 5.9.9.2 due to insufficient input sanitization and output escaping.
CVE-2026-10857 describes improper neutralization of input during web page generation, leading to Reflected XSS vulnerabilities in AKIN Software's e-Commerce.
The Open VSX Registry does not sanitize SVG files uploaded as extension icons prior to storage, allowing the publication of a malicious extension with an SVG icon. This leads to stored XSS attacks when a user navigates directly to the icon URL.
The Frontend File Manager Plugin for WordPress through version 23.6 does not sanitize or escape a filename submitted to the frontend file-rename endpoint, leading to a Stored Cross-Site Scripting vulnerability.
The Infility Global plugin for WordPress before version 2.15.20 does not sanitize or validate the orderby and order parameters in the import_list(), url_detail(), and file_detail() admin page callbacks. This allows authenticated attackers with Editor-level access or higher to perform time-based blind SQL injection and extract sensitive data from the database.
In Zephyr's ext2 directory-entry parser, the on-disk entry structure is not fully validated before copying the entry name and advancing traversal state. A crafted ext2 image can cause an out-of-bounds read from the directory block buffer or an infinite loop.
vLLM is an inference and serving engine for large language models. In versions prior to 0.23.1rc0, an incomplete fix for CVE-2026-22778 allows memory addresses to leak in error messages, potentially exposing memory information in responses to clients.
vLLM is an inference and serving engine for large language models. In versions prior to 0.23.1rc0, temperature validation used comparison operators that incorrectly handled NaN and positive Infinity, leading to undefined behavior or CUDA errors.
vLLM is an inference and serving engine for large language models. Prior to version 0.23.1rc0, the /v1/audio/transcriptions endpoint limits compressed upload size but not decoded PCM output, which could lead to excessive resource consumption.

