CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
Web::Passwd versions through 0.03 for Perl is vulnerable to remote code execution (RCE). This application is used for managing htpasswd files, and the user parameter is not validated or escaped, allowing for command injection.
OPNsense is a FreeBSD based firewall and routing platform. Prior to version 26.1.8, unsanitized user input was passed to the DHCP configuration, allowing remote code execution as root on the underlying operating system.
ERPNext is a free and open source Enterprise Resource Planning tool. Prior to version 16.9.1, certain endpoints failed to enforce proper authorization checks, allowing users to modify data beyond their permitted role.
In OPNsense, prior to version 26.1.8, there is a remote code execution (RCE) vulnerability that allows a user with user-management privileges to execute arbitrary system commands as root. An attacker can bypass input validation by formatting their malicious payload as a compliant email address.
OPNsense is a FreeBSD based firewall and routing platform. In versions prior to 26.1.7, the XMLRPC method opnsense.restore_config_section fails to sanitize user supplied input, leading to Remote Code Execution.
CubeCart prior to version 6.7.0 has an Authenticated Server-Side Template Injection (SSTI) vulnerability in multiple modules, including Email Templates, Invoices, Documents, and Contact Forms. The application unsafely evaluates user-supplied input, allowing authenticated users with administrative privileges to execute arbitrary operating system commands.
CubeCart prior to version 6.7.0 contained an Authenticated Arbitrary File Upload vulnerability in the REST API File Manager endpoint. This allows any holder of an API key with files:rw permission to upload PHP files to the images/source/ directory, where they are executed by the web server.
CubeCart prior to version 6.7.0 has an Authenticated Server-Side Template Injection (SSTI) vulnerability in multiple modules, including Email Templates and Documents. The application unsafely evaluates user-supplied input through the Smarty template engine.
Podatność na Garmin WDU (w wersjach 1.4.6 i 5.0) umożliwia atak typu cross-site origin WebSocket hijacking. Atakujący może przejąć pełną kontrolę nad urządzeniem, wykorzystując WebSockety do zarządzania ustawieniami, w tym ustawieniami administracyjnymi.
In versions 3.0.7 and earlier, there is a Cross-Site Request Forgery (CSRF) vulnerability in MISP Modules that allows an attacker to cause an authenticated user to submit unintended requests to the home endpoint. The issue was due to the home blueprint being exempted from CSRF protection.
In versions prior to 6.2.4, the fast-jwt library has a critical authentication-bypass vulnerability that allows unauthenticated attackers to forge arbitrary JWTs accepted as authentic.
CKAN, a data management system, had a vulnerability in datastore_search_sql that allowed attackers to bypass authorization and gain access to private resources and PostgreSQL system information. The issue is fixed in versions 2.10.10 and 2.11.5.
CKAN, an open-source data management system, had a vulnerability in datastore_search_sql that allowed attackers to inject SQL to gain access to private resources and PostgreSQL system information. This vulnerability is fixed in versions 2.10.10 and 2.11.5.
CVE-2026-0257 describes authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software, allowing an attacker to bypass security restrictions and establish an unauthorized VPN connection.
In the vm2 library for Node.js prior to version 3.11.3, a vulnerability allows catching a host exception using the yield* expression inside an async generator. Closing the generator with the return function causes the value to be awaited, and exceptions thrown in the then call are caught by the runtime and passed as the next value to the yield* iterator, enabling sandbox escape and arbitrary command execution.
A vulnerability in the vm2 library for Node.js allows sandbox escape. The issue is fixed in version 3.11.2.
A vulnerability in the vm2 library for Node.js prior to version 3.11.2 allows sandbox escape via the neutralizeArraySpeciesBatch method, which can invoke a getter on the array prototype, exposing objects from the outside. Attackers can obtain host objects and the Function object, enabling arbitrary command execution on the host system.
In vm2 prior to 3.11.1, when a NodeVM is created with nesting: true, sandbox code can unconditionally require('vm2') regardless of the outer VM's require configuration, including require: false. With access to vm2, the sandbox constructs a new inner NodeVM with unrestricted require settings and executes arbitrary OS commands on the host.
A vulnerability in the vm2 library for Node.js allows an attacker to bypass the sandbox and access arbitrary object prototypes. The issue is fixed in version 3.11.0.
A vulnerability in the vm2 library for Node.js (versions 3.9.6 to 3.10.5) allows attacker-controlled JavaScript running in the sandbox to mutate host prototypes such as Object.prototype, Array.prototype, and Function.prototype. This occurs because the bridge exposes mutable proxies for real host-realm intrinsic prototypes and forwards sandbox writes to host objects using ReflectSet() and ReflectDefineProperty().

