CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
In the Linux kernel's xfrm/espintcp module, a vulnerability allows reusing an in-progress partial send state (ctx->partial) before completion. The espintcp_sendmsg() function may overwrite the active send state, leading to an out-of-bounds memory read.
In the Linux kernel's batman-adv module, a buffer overflow vulnerability was found in TVLV packet processing. The function calculating the TVLV container list size used u16 type, causing integer wrap-around when the total exceeds 65535 bytes, leading to undersized buffer allocation and out-of-bounds write.
In the Linux kernel, a vulnerability was found in the io_uring/poll mechanism where a signed comparison in io_poll_get_ownership() prevented the slowpath from being taken when the cancel flag (IO_POLL_CANCEL_FLAG) was set. This could lead to improper handling of cancellation operations.
In the Linux kernel, the xfrm/ipcomp module fails to free destination pages on asynchronous compression (acomp) errors. The fix moves the out_free_req label to ensure the allocated SG list is freed on both error and success paths.
In the Linux kernel, a vulnerability in SCTP stream handling causes incomplete rollback when ADD_OUT_STREAMS is denied. Leftover metadata from removed streams can trigger a null-pointer dereference in the scheduler when the stream is re-added.
In the Linux kernel, a vulnerability in the ebtables module was found where the compat_mtw_from_user() function lacks proper validation of user-supplied match/target size, leading to an out-of-bounds (OOB) read. This affects ebtables extensions that require conversion from 32-bit user structures to kernel native structures.
In the Linux kernel, a vulnerability exists in the SysV IPC ID allocation mechanism. The `ipc_idr_alloc()` function in the checkpoint/restore path can allocate an ID beyond the valid range (`ipc_mni`), causing incorrect object lookup and removal, leading to a use-after-free condition when reading `/proc/sysvipc/shm`.
In the Linux kernel, the batman-adv module (Distributed ARP Table) fails to check the return value of pskb_copy_for_clone(). A failed memory allocation leads to a NULL pointer dereference in batadv_send_skb_prepare_unicast_4addr(), causing a system crash.
A vulnerability was found in the Linux kernel's netfilter xt_policy module, involving incorrect strict mode inbound policy matching. The match_policy_in() function processes sec_path entries in reverse order, causing inconsistency with the expected rule order for multi-element policies.
In the Linux kernel, the batman-adv module's tp_meter counter can underflow during shutdown due to multiple callers decrementing the atomic counter. This causes a sender kthread to loop indefinitely, leading to a use-after-free when the interface is removed.
A vulnerability was found in the Linux kernel's Bluetooth stack due to unsynchronized access to the accept_q queue. The bt_sock_poll() function walks the queue without locking, while child socket teardown can concurrently unlink and release the last reference, causing a race condition. This issue has existed since the initial Bluetooth implementation.
A vulnerability in the Linux kernel's SCTP sock_diag mechanism allows the dump_one function to process stale associations that have already been freed, leading to an out-of-bounds memory read.
In the Linux kernel, a vulnerability was found in the netfilter ip6t_hbh module where the hbh_mt6_check() function does not validate the number of option descriptors (optsnr) from userspace. This lack of validation allows out-of-bounds access to the opts array (off-by-one), potentially causing system instability.
A use-after-free vulnerability was found in the Linux kernel's netfilter queue (NFQUEUE) when handling bridge packets for LOCAL_IN. The skb->dev pointer is overwritten to the bridge master without holding a reference, causing a use-after-free upon reinjection after the bridge is freed.
The Cornerstone WordPress plugin before version 7.8.8 does not enforce capability checks on one of its CSS-preview request handlers, allowing any authenticated user to evaluate dynamic content tokens against arbitrary users and disclose their sensitive metadata, including raw password hashes.
The Cornerstone WordPress plugin before 7.8.9 does not enforce capability checks on one of its REST API routes, allowing any authenticated user to disclose the metadata of any other user, including roles, session token previews and stored billing/shipping fields.
The WP Meta SEO plugin for WordPress is vulnerable to unauthenticated stored cross-site scripting via the REQUEST_URI server variable in all versions up to and including 4.5.18. The plugin directly inserts unsanitized HTTP_HOST and REQUEST_URI data into the database, allowing arbitrary script injection.
The WP Forms Connector plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the /wp-json/wp/v3/post/list REST endpoint in versions up to and including 1.8. This is due to insufficient escaping on the user-supplied 'order' parameter and lack of proper preparation on the existing SQL query.
The WP Forms Connector plugin for WordPress is vulnerable to Information Exposure in all versions up to and including 1.8. The plugin registers the REST route wp/v3/user/list/<id> with permission_callback set to '__return_true', allowing access to sensitive information without proper authorization.
The ClearSale Total plugin for WordPress is vulnerable to SQL Injection via the `pagseguro[metodo]` POST parameter of the `clearsale_total_push` AJAX action in all versions up to and including 3.4.2. Although a `wp_verify_nonce()` check exists, the failing branch's `die()` is commented out, allowing the vulnerability to be exploited.

