CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
A vulnerability in vm2 prior to 3.11.0 allows bypassing the NodeVM builtin allowlist when the 'builtin' module is allowed (including via the '*' wildcard). Sandboxed code can use Module._load() to load any module in the host context, leading to remote code execution.
In the vm2 library for Node.js prior to version 3.11.0, there is a vulnerability that allows obtaining the host object. An attacker can use various methods, e.g., via HostObject.getOwnPropertySymbols to obtain Symbol(nodejs.util.inspect.custom) and escape the sandbox.
A vulnerability in JupyterLab before version 4.5.7 allows arbitrary JupyterLab commands to be executed via a crafted button in an HTML cell. The CommandLinker listens for click events on the entire document and executes commands without verifying the element's origin.
A vulnerability exists in iControl REST that allows a highly privileged, authenticated attacker with at least the Manager role to create configuration objects that enable running arbitrary commands.
Ecommerce Systempay 1.0 contains a weak cryptographic implementation vulnerability that allows attackers to brute force the 16-character production secret key used for payment signature generation. Attackers can extract payment form data and signatures from POST requests to the payment endpoint, then use SHA1 hash comparison to iteratively test key candidates until discovering the correct production key.
ELECOM wireless LAN access point devices contain an OS command injection in processing of the username parameter. If processing a crafted request, an arbitrary OS command may be executed.
ELECOM wireless LAN access point devices do not require authentication to access some specific URLs. The affected product may be operated without authentication.
Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their GitRepo.
A stack-based buffer overflow vulnerability exists in GUARDIANWALL MailSuite and GUARDIANWALL Mail Security Cloud (SaaS version). A remote attacker can send a specially crafted request to the product's web service, which may lead to arbitrary code execution if the product is configured to run pop3wallpasswd with grdnwww user privilege.
Wszystkie wersje Hitachi Vantara Pentaho Data Integration & Analytics zawierają sterownik JDBC dla baz danych H2, który jest podatny na wykonanie zewnętrznych skryptów podczas tworzenia nowego połączenia przez administratora źródła danych.
ChurchCRM is an open-source church management system. In versions 7.2.0 to 7.2.2, the fix for CVE-2026-4058 is incomplete, allowing for exploitation of this vulnerability.
ChurchCRM is an open-source church management system. In versions prior to 7.3.2, the fix for CVE-2026-39337 is incomplete, allowing for pre-authentication remote code execution via unsanitized DB_PASSWORD.
Thymeleaf, a Java template engine, has a security bypass vulnerability prior to version 3.1.5.RELEASE that allows for the execution of dangerous expressions. If an application developer passes unsanitized variables containing such expressions to the template engine, these expressions can be executed in sandboxed contexts, leading to Server-Side Template Injection (SSTI).
Scramble generates API documentation for Laravel projects. From versions 0.13.2 to before 0.13.22, when documentation endpoints are publicly accessible and validation rules reference user-controlled input, supplied data may be evaluated during documentation generation, leading to execution of arbitrary PHP code in the application context.
In versions prior to 4.08.010, the elfinder_checkRisk function in efw4.X does not validate the dst parameter used by elfinder_paste, allowing an attacker to copy or move files from the home directory to any arbitrary location by setting dst to a base64-encoded traversal path.
In efw4.X prior to version 4.08.010, the efw.file.FileManager.unZip method did not check the canonical path when writing zip entries to disk, allowing for directory traversal. An attacker could exploit this vulnerability to drop a malicious JSP file and execute arbitrary commands as the Tomcat user.
In wger prior to version 2.6, there is a vulnerability that allows a user with gym.manage_gym permissions to reset the password of any user with no gym assignment. By exploiting an object comparison error, an attacker can take over the victim's account, and the victim's original password is invalidated.
In versions prior to 3.3.8, the WebServer multipart form parser in arduino-esp32 allocates a Variable Length Array (VLA) on the stack whose size is derived from an attacker-controlled HTTP header field. Sending a boundary string longer than ~8000 characters overflows the stack and may lead to remote code execution.
django-s3file prior to version 7.0.2 is vulnerable to relative path traversal attacks, allowing an attacker to escape pre-signed upload locations and load files from random locations into request.FILES. This may lead to confidentiality and integrity issues.
Exim versions before 4.99.3, in certain GnuTLS configurations, has a use-after-free vulnerability in the BDAT body parsing path. This can lead to heap corruption when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection.

