CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
vLLM is an inference and serving engine for large language models. In versions prior to 0.22.0, revision pinning controls do not consistently apply to all artifacts loaded for a model, potentially leading to the loading of unverified components.
Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 fail to validate script-capable URLs in the navigateTo open option, allowing client-side script execution. Attackers can supply javascript: URLs through the open parameter to execute arbitrary scripts in the application's origin.
Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 accept protocol-relative paths such as //evil.com in the reloadNuxtApp function. These paths pass the script-protocol check but resolve to a cross-origin URL against the current page protocol.
n8n versions before 1.123.15 and 2.5.0 contain a webhook forgery vulnerability in the GitHub Webhook Trigger node that fails to implement HMAC-SHA256 signature verification. Attackers who know the webhook URL can send unsigned POST requests to trigger workflows with arbitrary data, spoofing GitHub webhook events.
Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 contain a server-side open redirect vulnerability in navigateTo that fails to properly validate path-normalized payloads. Attackers can use path-normalization techniques to redirect users to attacker-controlled sites.
Capgo (backend of Supabase edge functions) before version 12.128.2 does not apply the global authentication middleware to the GET /private/role_bindings/:org_id endpoint, unlike the POST and DELETE role_bindings routes. This allows unauthenticated requests to reach the handler instead of being rejected at the middleware layer.
Capgo before version 12.128.2 contains an authorization bypass vulnerability in the public.get_current_plan_max_org RPC function that allows unauthenticated attackers to retrieve organization plan limits. Attackers can call the RPC endpoint with any organization UUID using only the public Supabase key to disclose billing information.
Capgo before 12.128.2 contains a weak parsing vulnerability in the x-limited-key-id header that allows attackers to bypass subkey enforcement by submitting malformed values, zero, or duplicate headers resulting in NaN or falsy values.
Capgo before 12.128.2 contains a denial of service vulnerability in the POST /app/demo endpoint that allows authenticated users with org write permissions to create unlimited demo applications without rate limiting or quota enforcement.
Cap-go before version 12.128.2 contains multiple SQL injection vulnerabilities in cloudflare.ts where user-controlled values from API request bodies are interpolated directly into SQL query strings without sanitization or parameterization. Authenticated users with read-level API key permissions can inject arbitrary SQL through deviceIds, search, version_name, cursor, and actions parameters.
Vulnerability in UltraJSON library (versions before 5.13.0) allows accepting malformed or truncated UTF-8 byte sequences when encoding data using ujson.dumps(), ujson.dump(), or ujson.encode() with reject_bytes=False option. Instead of rejecting invalid data, the library silently rewrites them into different Unicode characters, leading to input validation bypass and data integrity issues.
Filament, a collection of components for accelerated Laravel development, has a vulnerability that allows unauthenticated users to upload files in certain forms, such as the login form. This could lead to unauthorized access to the application's temporary storage.
Filament is a collection of components for accelerated Laravel development. From versions 4.0.0 to 4.11.5 and 5.6.5, the ImageColumn and ImageEntry components render raw database values without escaping HTML, potentially leading to XSS attacks.
Filament, a collection of components for accelerated Laravel development, has a vulnerability in the login page from versions 4.0.0 to 4.11.5 and 5.6.5 that allows unauthenticated attackers to enumerate registered email addresses.
In Filament components for Laravel, the recordSelectOptionsQuery() method did not apply proper validation for Select fields in AttachAction and AssociateAction. This allows users to tamper with the Livewire component's state and submit out-of-scope values.
WebOb before version 1.8.10 is vulnerable to an open redirect due to improper normalization of the Location header during a redirect. An attacker can use ASCII tab, carriage return, and newline characters to reinterpret the target URL as a protocol-relative URL, leading to redirection to an external attacker-controlled site. This vulnerability bypasses the CVE-2024-42353 fix.
A vulnerability in Fabric.js before version 7.4.0 allows XSS attacks due to improper escaping of user input during SVG serialization via the toSVG() method. The color field in the colorStops array of a fabric.Gradient object is not properly sanitized, enabling injection of arbitrary HTML/SVG and JavaScript execution in the victim's browser.
The phpseclib library up to versions 1.0.30, 2.0.55, and 3.0.54 by default fetches a URL from the Authority Information Access (AIA) extension of an untrusted X.509 certificate during validation. An attacker can supply a certificate with a controlled host, port, and path, leading to a server-side request forgery (SSRF) vulnerability.
pypdf is a free and open-source pure-python PDF library. Prior to version 6.13.1, an attacker could exploit this vulnerability to craft a PDF that leads to an infinite loop.
pypdf is a free and open-source pure-python PDF library. Prior to version 6.13.0, an attacker could exploit this vulnerability to craft a PDF that leads to an infinite loop.

