CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-47155
Medium

vLLM is an inference and serving engine for large language models. In versions prior to 0.22.0, revision pinning controls do not consistently apply to all artifacts loaded for a model, potentially leading to the loading of unverified components.

CVE-2026-56698
Medium

Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 fail to validate script-capable URLs in the navigateTo open option, allowing client-side script execution. Attackers can supply javascript: URLs through the open parameter to execute arbitrary scripts in the application's origin.

CVE-2026-56697
Medium

Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 accept protocol-relative paths such as //evil.com in the reloadNuxtApp function. These paths pass the script-protocol check but resolve to a cross-origin URL against the current page protocol.

CVE-2026-56357
Medium

n8n versions before 1.123.15 and 2.5.0 contain a webhook forgery vulnerability in the GitHub Webhook Trigger node that fails to implement HMAC-SHA256 signature verification. Attackers who know the webhook URL can send unsigned POST requests to trigger workflows with arbitrary data, spoofing GitHub webhook events.

CVE-2026-56326
Medium

Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 contain a server-side open redirect vulnerability in navigateTo that fails to properly validate path-normalized payloads. Attackers can use path-normalization techniques to redirect users to attacker-controlled sites.

CVE-2026-56321
Medium

Capgo (backend of Supabase edge functions) before version 12.128.2 does not apply the global authentication middleware to the GET /private/role_bindings/:org_id endpoint, unlike the POST and DELETE role_bindings routes. This allows unauthenticated requests to reach the handler instead of being rejected at the middleware layer.

CVE-2026-56311
Medium

Capgo before version 12.128.2 contains an authorization bypass vulnerability in the public.get_current_plan_max_org RPC function that allows unauthenticated attackers to retrieve organization plan limits. Attackers can call the RPC endpoint with any organization UUID using only the public Supabase key to disclose billing information.

CVE-2026-56306
Medium

Capgo before 12.128.2 contains a weak parsing vulnerability in the x-limited-key-id header that allows attackers to bypass subkey enforcement by submitting malformed values, zero, or duplicate headers resulting in NaN or falsy values.

CVE-2026-56255
Medium

Capgo before 12.128.2 contains a denial of service vulnerability in the POST /app/demo endpoint that allows authenticated users with org write permissions to create unlimited demo applications without rate limiting or quota enforcement.

CVE-2026-56221
Medium

Cap-go before version 12.128.2 contains multiple SQL injection vulnerabilities in cloudflare.ts where user-controlled values from API request bodies are interpolated directly into SQL query strings without sanitization or parameterization. Authenticated users with read-level API key permissions can inject arbitrary SQL through deviceIds, search, version_name, cursor, and actions parameters.

CVE-2026-54911
Medium

Vulnerability in UltraJSON library (versions before 5.13.0) allows accepting malformed or truncated UTF-8 byte sequences when encoding data using ujson.dumps(), ujson.dump(), or ujson.encode() with reject_bytes=False option. Instead of rejecting invalid data, the library silently rewrites them into different Unicode characters, leading to input validation bypass and data integrity issues.

CVE-2026-48500
Medium

Filament, a collection of components for accelerated Laravel development, has a vulnerability that allows unauthenticated users to upload files in certain forms, such as the login form. This could lead to unauthorized access to the application's temporary storage.

CVE-2026-48167
Medium

Filament is a collection of components for accelerated Laravel development. From versions 4.0.0 to 4.11.5 and 5.6.5, the ImageColumn and ImageEntry components render raw database values without escaping HTML, potentially leading to XSS attacks.

CVE-2026-48166
Medium

Filament, a collection of components for accelerated Laravel development, has a vulnerability in the login page from versions 4.0.0 to 4.11.5 and 5.6.5 that allows unauthenticated attackers to enumerate registered email addresses.

CVE-2026-48067
Medium

In Filament components for Laravel, the recordSelectOptionsQuery() method did not apply proper validation for Select fields in AttachAction and AssociateAction. This allows users to tamper with the Livewire component's state and submit out-of-scope values.

CVE-2026-44889
Medium

WebOb before version 1.8.10 is vulnerable to an open redirect due to improper normalization of the Location header during a redirect. An attacker can use ASCII tab, carriage return, and newline characters to reinterpret the target URL as a protocol-relative URL, leading to redirection to an external attacker-controlled site. This vulnerability bypasses the CVE-2024-42353 fix.

CVE-2026-44311
Medium

A vulnerability in Fabric.js before version 7.4.0 allows XSS attacks due to improper escaping of user input during SVG serialization via the toSVG() method. The color field in the colorStops array of a fabric.Gradient object is not properly sanitized, enabling injection of arbitrary HTML/SVG and JavaScript execution in the victim's browser.

CVE-2026-55599
Medium

The phpseclib library up to versions 1.0.30, 2.0.55, and 3.0.54 by default fetches a URL from the Authority Information Access (AIA) extension of an untrusted X.509 certificate during validation. An attacker can supply a certificate with a controlled host, port, and path, leading to a server-side request forgery (SSRF) vulnerability.

CVE-2026-54651
Medium

pypdf is a free and open-source pure-python PDF library. Prior to version 6.13.1, an attacker could exploit this vulnerability to craft a PDF that leads to an infinite loop.

CVE-2026-54531
Medium

pypdf is a free and open-source pure-python PDF library. Prior to version 6.13.0, an attacker could exploit this vulnerability to craft a PDF that leads to an infinite loop.

PreviousPage 73 of 533Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS