CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-12958
High

Missing symlink validation in Language Servers for AWS may allow an arbitrary file write outside of the workspace trust boundary. This may occur when a local user opens a workspace with a maliciously crafted symlink that resolves to a file path outside the workspace trust boundary.

CVE-2026-12957
High

Improper trust boundary enforcement in Language Servers for AWS before version 1.65.0 may allow arbitrary code execution. If a local user opens a maliciously crafted workspace, any commands within the project configuration files may be automatically executed.

CVE-2026-11940
High

A vulnerability in tarfile.extractall() with the 'data' or 'tar' filter can be bypassed by a crafted archive where a hardlink references a symlink stored at a deeper name. The validation checks the symlink at its archived location but recreates it at the hardlink's shallower path, allowing escape from the destination directory.

CVE-2025-61028
High

An issue in the time_t_to_dt component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

CVE-2025-61027
High

An issue in the t_set_push component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

CVE-2025-61025
High

An issue in the sslr_qst_get component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

CVE-2025-61023
High

An issue in the st_compare component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

CVE-2025-61022
High

An issue in the sqlo_tb_col_preds component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

CVE-2025-61021
High

An issue in the sqlo_natural_join_cond component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

CVE-2025-61020
High

An issue in the sqlo_strip_in_join component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

CVE-2025-61019
High

An issue in the sqlo_key_part_best component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

CVE-2025-61018
High

An issue in the sqlo_place_dt_set component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

CVE-2026-54314
High

n8n is a workflow automation platform that prior to version 2.24.0 had an issue with the Compression node allowing attacker-controlled archives to be decompressed without limits on output size. An attacker could send a small compressed archive to a public webhook, causing memory exhaustion and terminating the n8n process.

CVE-2026-54313
High

n8n is an open source workflow automation platform. Prior to version 2.24.0, an authenticated user with workflow edit access could supply a malicious filter value in the MongoDB node's Find And Replace operation, leading to unintended documents being matched and overwritten with attacker-controlled content.

CVE-2026-54312
High

n8n is a workflow automation platform that prior to version 2.24.0 allowed authenticated users with permissions to create or modify workflows to achieve global prototype pollution via the Microsoft SQL node by supplying a crafted value as the table parameter.

CVE-2026-54311
High

n8n is an open source workflow automation platform. Prior to versions 2.25.7 and 2.26.2, an authenticated user with permission to create or modify workflows could pollute the sandbox used by the Merge node's SQL Query mode.

CVE-2025-62180
High

Pega Platform versions 8.3.0 through Infinity 25.1.2 are affected by an authorization weakness that may allow authenticated users to access certain additional data via crafted URLs.

CVE-2026-56815
High

A vulnerability in pwnlift before d7a9544 in a privileged deployment allows an attacker to follow symbolic links in the upload handler in Components/Pages/Home.razor.

CVE-2026-35019
High

NetComm NF20MESH routers running firmware R6B031 and earlier contain an authentication bypass vulnerability that allows unauthenticated attackers to gain administrative access by exploiting a hardcoded AES-256 key used to encrypt session cookies for the web management interface. Attackers can forge a valid encrypted session cookie using the shared hardcoded key and bypass authentication checks.

CVE-2026-35018
High

NetComm NF20MESH routers running firmware R6B031 and earlier contain an authenticated remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands as root by injecting shell metacharacters into the username JSON parameter processed by the dalStorage_addUserAccount function.

PreviousPage 83 of 3351Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS