CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
Capgo before 12.128.12 allows authenticated users to modify their mutable public.users.email to arbitrary addresses. The SSO provisioning endpoint trusts this address as an account-merge key.
Capgo before 12.128.2 contains an information disclosure vulnerability in Supabase PostgREST RPC endpoints is_trial_org and is_paying_org that allows unauthenticated attackers to enumerate organizations and disclose billing status using the public sb_publishable key.
Capgo before version 12.128.2 contains an improper access control vulnerability in the PostgREST RPC function public.record_build_time, which is accessible to the anon role and callable with the public anon key. An unauthenticated attacker can insert rows into public.build_logs for arbitrary organizations, allowing them to modify existing usage/billing records.
A vulnerability in Quarkus allows bypassing HTTP path-based authorization policies by using encoded semicolons (%3B) to smuggle matrix parameters past the security layer, and using encoded slashes (%2F) or backslashes (%5C) to access protected static resources. This is a distinct issue from CVE-2026-39852, which addressed only literal semicolon stripping.
In libde265 prior to version 1.1.0, a signed integer overflow vulnerability was found in the `de265_image_get_buffer()` function. A crafted H.265 bitstream with large SPS dimensions and 16-bit bit depth causes the plane allocation size to wrap to a small value (~1 KB), while the subsequent `fill_image()` call writes approximately 4 GB of data into the undersized heap buffer, leading to a heap buffer overflow.
A vulnerability in the libde265 library (H.265 codec implementation) prior to version 1.0.20 allows an out-of-bounds array write when processing a crafted H.265 bitstream. There is a missing check on the total number of predicted short-term reference picture set entries, which can cause a write beyond the 16-element array.
A vulnerability in Microsoft 365 Copilot's Business Chat allows an unauthorized attacker to redirect users to an untrusted external site (open redirect), potentially leading to privilege escalation over a network.
A Cross-Site Scripting (XSS) vulnerability in Microsoft Entra ID allows an authorized attacker to perform spoofing attacks over a network. The flaw is caused by improper neutralization of input during web page generation.
Mercator is a web application that, prior to version 2025.05.19, had a vulnerability in the query engine allowing authenticated users, including those with limited access roles, to execute queries on models beyond their intended scope. Additionally, the `password` column, although marked as `$hidden`, could be used in `LIKE` conditions in filters.
In version 2.9.1 of the gin-vue-admin platform, an authenticated attacker with access to the code-generation feature and MCP management interface can exploit this vulnerability by injecting attacker-controlled Go source code, leading to the execution of arbitrary operating system commands on the server.
In versions 3.0.0 to 3.0.8, the `run_sql_readonly` tool in ProxySQL violates the read-only contract for MySQL targets, allowing the execution of data-modifying commands. A caller can submit a read-only first statement followed by a second statement that has side effects, such as `RENAME TABLE`.
In the `radvdump` utility shipped with radvd prior to version 2.21, there is a stack buffer overflow in the Route Information option parser. When processing a crafted ICMPv6 Router Advertisement, the `print_ff()` function copies up to 2032 bytes of attacker-controlled packet data into a 16-byte `struct in6_addr` on the stack, overflowing by up to 2016 bytes. The main `radvd` daemon is not affected by this vulnerability.
DevGuard prior to version 1.4.2 allows unauthorized modifications of VEX rules by authenticated users, including those from other organizations, on public assets. Users can create, update, reapply, and delete VEX rules and other related vulnerability events.
Version 2.6.3 of the urllib3 library is vulnerable to a decompression bomb bypass in its streaming API (`preload_content=False`) when using Brotli support. The issue arises from three independent code paths that bypass the `max_length` protection, allowing a malicious HTTP server to trigger an out-of-memory (OOM) condition.
In gonic, a music streaming server, prior to version 0.21.0, there is a logic error in the `ServeCreateOrUpdatePlaylist` function that allows any authenticated Subsonic user (including non-admins) to write M3U playlist content to an attacker-controlled absolute filesystem path on the gonic host.
Gonic, a music streaming server, has a vulnerability that allows authenticated Subsonic users to bypass playlist ownership checks. Users can read and delete other users' playlists and probe arbitrary file paths on the server.
Gonic, a music streaming server, prior to version 0.21.0, lacked authorization for the Subsonic API endpoints `/rest/deletePlaylist.view` and `/rest/getPlaylist.view`. This allows an attacker, once authenticated, to delete any other user's playlist and read the contents of private playlists.
A vulnerability in the js-toml TOML parser for JavaScript (versions up to and including 1.1.0) causes quadratic time complexity (O(n²)) when parsing long hexadecimal, octal, or binary integer literals. An attacker can craft a TOML document containing a single ~500 kB hex literal, which on a modern laptop (Apple M-series, Node v22) pins one CPU core for approximately 40 seconds, leading to CPU exhaustion DoS.
The mcp-memory-service, a semantic memory layer for AI applications, prior to version 10.65.3 required only the `read` OAuth scope for all requests. This allowed read-only OAuth clients to invoke mutating tools like `store_memory` and `delete_memory`.
The Joomla com_booking component version 2.4.9 contains an information disclosure vulnerability that allows unauthenticated attackers to enumerate user accounts. Attackers can exploit the getUserData function in the customer controller by sending appropriate GET requests.

