CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-56015
Unknown

In the Net::IP::LPM library for Perl versions up to 1.10, there is a heap out-of-bounds read vulnerability due to missing validation of the prefix length in the add() function. An attacker can supply an invalid prefix length (e.g., 255 for IPv4 or IPv6), causing reads beyond the address buffer. The issue is detectable by tools like AddressSanitizer and may cause process termination.

CVE-2026-54483
Medium

Dell PowerProtect Data Domain in multiple versions contains an OS command injection vulnerability. A high-privileged attacker with local access could exploit this flaw to execute arbitrary commands.

CVE-2026-46730
Medium

A vulnerability in Dell PowerProtect Data Domain allows unauthorized command execution by a local attacker with high privileges. The issue stems from incorrect authorization in the system.

CVE-2026-46468
Medium

A vulnerability in Dell PowerProtect Data Domain allows a high-privileged attacker with local access to exploit improper link resolution before file access, potentially leading to information exposure.

CVE-2026-46467
Medium

A vulnerability in Dell PowerProtect Data Domain causes insertion of sensitive information into log files. A low-privileged attacker with local access could exploit this flaw to expose confidential data.

CVE-2026-44269
Medium

Dell PowerProtect Data Domain in multiple versions contains an improper link resolution before file access vulnerability. It allows a high-privileged attacker with local access to gain unauthorized access to the system.

CVE-2026-44268
Medium

A vulnerability in Dell PowerProtect Data Domain involves incorrect permission assignment for a critical resource. This flaw could be exploited by a local attacker with high privileges, leading to unauthorized access.

CVE-2026-41124
Low

A path traversal vulnerability in Dell PowerProtect Data Domain allows a high-privileged attacker with local access to bypass path restrictions and potentially disclose sensitive information.

CVE-2026-41123
Medium

Dell PowerProtect Data Domain versions 7.7.1.0 through 8.6, LTS2026 release 8.6.1.0 through 8.6.1.10, LTS2025 release 8.3.1.0 through 8.3.1.30, and LTS2024 release 7.13.1.0 through 7.13.1.70 contain an improper access control vulnerability in RBAC. A low-privileged attacker with remote access could exploit this vulnerability to tamper with information.

CVE-2026-26355
Medium

Dell PowerProtect Data Domain in multiple versions contains an OS command injection vulnerability. A high-privileged attacker with remote access could exploit this flaw to execute arbitrary commands.

CVE-2026-50238
Unknown

This CVE has been rejected by Red Hat Product Security as not required. The reported issue has been classified as a regular bug and will be addressed through the standard bug-fixing process.

CVE-2026-13341
High

A vulnerability in the Kong Konnect Model Context Protocol (MCP) server prior to version 1.0.0 allows a remote attacker to perform an indirect prompt injection attack and execute unintended API requests.

CVE-2026-10055
High

In Eclipse Theia since version 1.26.0, the backend /services/request-service RPC accepts an attacker-controlled URL from any client connected to the standard /services messaging endpoint, performs the HTTP request server-side, and returns the full response body to the caller.

CVE-2026-10054
High

In Eclipse Theia versions 1.8.1 and later, the browser backend exposes privileged terminal RPC over WebSocket without service-level authentication. WebSocket origin validation is fail-open, allowing an attacker to execute arbitrary OS commands via terminal takeover.

CVE-2026-5137
Medium

The RTMKit (rometheme-for-elementor) plugin for WordPress up to version 2.0.7 is vulnerable to Local File Inclusion (LFI). This is due to insufficient path validation on the 'template' parameter in the render_templates AJAX endpoint, which is used directly in a require/include statement without sanitization.

CVE-2026-4322
Medium

The Destekz plugin from Raera - Ankara Web Design and Digital Advertising Agency contains a reflected XSS vulnerability due to improper input neutralization during page generation. This affects versions up to 02062026, and the product is no longer supported by the vendor.

CVE-2026-4321
Critical

An SQL injection vulnerability in Destekz by Raera - Ankara Web Design and Digital Advertising Agency allows an attacker to inject malicious SQL code. The issue affects all versions up to 02062026. The vendor confirmed the product is no longer supported.

CVE-2026-9756
Medium

The GenerateBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Headline Block 'linkMetaFieldType' Dynamic Link Attribute in versions up to and including 2.2.1 due to insufficient input sanitization and output escaping.

CVE-2026-4804
Medium

The Zakra theme for WordPress up to version 4.2.0 is vulnerable to Stored Cross-Site Scripting. The lack of sanitization for post meta fields (zakra_menu_item_color, zakra_menu_item_hover_color, zakra_menu_item_active_color) via the REST API allows authenticated attackers with Contributor-level access or higher to inject arbitrary scripts that execute when users visit the affected page.

CVE-2026-47896
High

A Path Traversal vulnerability in the Apache Lucene.Net.Replicator library allows unrestricted file reading outside the restricted directory. Affected versions are from 4.8.0-beta00005 through 4.8.0-beta00017.


Vulnerability data from NVD (NIST) · CISA KEV · EPSS