CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-42450
High

OpenColorIO prior to version 2.5.2 contains a vulnerability in FileFormatSpi3D.cpp where sscanf with %s format writes data into 64-byte stack buffers. Input comes from a 4096-byte lineBuffer, allowing a crafted .spi3d file to overflow by approximately 4000 bytes on non-Windows systems.

CVE-2026-35025
High

A vulnerability in ProFTPD up to versions 1.3.9b and 1.3.10rc2 allows authenticated FTP users to bypass Directory ACL restrictions by prefixing paths with /proc/self/root in the RNFR command handler. Attackers can exploit unresolved symlink components in dir_canonical_path() to cause dir_check() to perform lexical path comparisons that match no configured Directory block, enabling rename operations on files in DenyAll-protected directories and subsequent retrieval.

CVE-2026-12537
High

A vulnerability in Google Gemini CLI and run-gemini-cli GitHub Action allows an unprivileged attacker to execute host-level code before sandboxing via a maliciously crafted .gemini/.env file. The issue affects CLI versions before 0.39.1 and Action versions before 0.1.22 on headless CI platforms.

CVE-2026-56351
High

An SQL injection vulnerability in MySQL, PostgreSQL, and Microsoft SQL nodes in n8n before version 2.4.0 allows authenticated users to inject arbitrary SQL through unescaped identifier values in node configuration parameters. Attackers with workflow creation permissions can supply specially crafted table or column names to execute unauthorized database commands and compromise data integrity.

CVE-2026-56270
High

Flowise before 3.1.0 (versions 3.0.13 and earlier) contains a missing authentication vulnerability in the /api/v1/loginmethod endpoint that allows unauthenticated users to retrieve an organization's complete SSO configuration, including OAuth client secrets in cleartext, by providing an organizationId parameter.

CVE-2026-56257
High

Capgo before 12.128.2 allows direct patching of public.apps.owner_org through PostgREST, bypassing the transfer_app() workflow and creating split-brain ownership. Attackers can directly update apps.owner_org while leaving app_versions.owner_org unchanged.

CVE-2026-56256
High

Capgo before version 12.128.2 enforces mandatory two-factor authentication only at the UI level. Sensitive organization management API endpoints do not validate 2FA completion on the backend, allowing an authenticated Admin user without 2FA to bypass the requirement.

CVE-2026-56245
High

Supabase Capgo before 12.128.2 contains an authorization bypass vulnerability in the SECURITY DEFINER record_build_time RPC function that allows unauthenticated attackers to insert arbitrary build-time records. Attackers can exploit this by calling POST /rest/v1/rpc/record_build_time with a public API key.

CVE-2026-56244
High

Capgo before 12.128.2 allows non-admin API keys to read webhook signing secrets due to insufficient row-level security policies on the webhooks table. Attackers can retrieve the webhook secret and forge valid X-Capgo-Signature headers to send authenticated webhook events to configured receivers.

CVE-2026-56232
High

Capgo versions before 12.128.2 fail to enforce limited_to_orgs and limited_to_apps constraints on subkeys provided via the x-limited-key-id header in the middlewareKey function. Attackers can bypass subkey scope restrictions by referencing their own subkeys.

CVE-2026-56231
High

Capgo before 12.128.2 contains a BOLA (broken object level authorization) vulnerability in the POST /build/start/:jobId and POST /build/cancel/:jobId endpoints. An attacker can exploit the controlled app_id to authorize requests, allowing them to start or cancel build jobs of other tenants.

CVE-2026-56223
High

Capgo before version 12.128.2 contains a cross-domain SSO account takeover vulnerability in the provision-user endpoint that allows attackers to merge arbitrary victim accounts based on email match without validating SSO provider domain authorization.

CVE-2026-12242
High

The AdRotate Banner Manager plugin for WordPress is vulnerable to PHP Code Injection in all versions up to and including 5.17.7 via the 'banner' attribute of the adrotate shortcode. This is due to insufficient input validation and sanitization of the banner shortcode attribute before concatenation into a PHP code string.

CVE-2025-71361
High

Picklescan before 0.0.29 fails to detect malicious idlelib.calltip.Calltip.fetch_tip calls in pickle files, allowing remote code execution. Attackers can embed undetected payloads in pickle files that execute arbitrary code when loaded via pickle.load().

CVE-2025-71354
High

Picklescan before 0.0.29 fails to detect malicious pickle files that exploit idlelib.debugobj.ObjectTreeItem.SetText function in reduce methods. Attackers can craft pickle files with embedded code that bypasses picklescan detection and executes arbitrary commands when pickle.load() is called.

CVE-2026-52943
High

A vulnerability in the Linux kernel's pskb_carve_inside_header() and pskb_carve_inside_nonlinear() functions copies skb_shared_info without incrementing the reference count for MSG_ZEROCOPY. This causes a use-after-free condition that can be exploited for privilege escalation.

CVE-2026-10745
High

CVE-2026-10745 describes an improper output neutralization for logs vulnerability in upKeeper Solutions upKeeper Instant Privilege Access on Windows, allowing log injection, tampering, and forging.

CVE-2026-7761
High

The Ultimate Member plugin for WordPress is vulnerable to Account Takeover via Password Reset Link Disclosure in all versions up to and including 2.11.4. This is due to a chain of three logic bugs that allow attackers with appropriate permissions to create malicious posts and leak password reset links.

CVE-2026-56052
High

CVE-2026-56052 describes an improper neutralization of special elements used in SQL commands, allowing for Blind SQL Injection in FunnelKit Funnel Builder.

CVE-2026-52942
High

In the Linux kernel netfilter: nf_log component, a slab-out-of-bounds read vulnerability exists. The dump_mac_header() function fails to validate that the MAC header is set, allowing an attacker to read ~64 KiB out-of-bounds via AF_PACKET with PACKET_QDISC_BYPASS.

PreviousPage 75 of 3348Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS