CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
In versions 0.9.1 and below, the pam_usb module can cause a NULL dereference crash when parsing loginctl output. The pusb_is_loginctl_local() function calls popen() and reads the result, which can lead to undefined behavior and crashing the PAM module.
In versions 0.9.1 and below, the xfree() function in pam_usb releases memory without first zeroing the buffer contents, leading to the exposure of sensitive data in freed memory. This could allow recovery of pad values or other authentication material from freed memory regions.
The WP EasyPay WordPress plugin contains a CSRF vulnerability that allows an attacker to perform unauthorized actions on behalf of a logged-in administrator. The flaw affects all versions up to and including 4.5.0.
Webmin accepts basic authentication without session cookies when an attacker provides the 'User-Agent: webmin' header, allowing bypass of additional MFA requirements. Fixed in version 2.641.
Webmin allows unauthenticated attackers to read the contents of any file ending in .conf within module directories, due to a bypassable regex pattern.
Hermes WebUI before 0.51.468 contains a resource exhaustion vulnerability in the unauthenticated POST /api/onboarding/oauth/start endpoint that allows unbounded accumulation of in-memory flow state and daemon threads.
The EPDS and EDS systems do not validate X-Forwarded-For HTTP headers, allowing a remote attacker with compromised administrator credentials to bypass network access controls and log in.
The EPDS and EDS systems expose sensitive account information through the 'update-profile/' API endpoint. A remote, unauthenticated attacker can submit a request containing an arbitrary 'user_id' parameter and receive a JSON response containing account-specific information, including the associated email address.
Grav version 2.0.0-rc.9 with Admin2 version 2.0.0-rc.14 contains a stored cross-site scripting (XSS) vulnerability in the Admin2 Pages API save flow.
In Eclipse Theia versions prior to 1.71.0, the AI chat rendered Markdown image tags from AI responses, triggering unrestricted HTTP requests to external URLs. Combined with prompt injection in a malicious workspace, an attacker could induce the AI agent to construct image URLs encoding sensitive information.
A flaw in 389 Directory Server causes the attr_syntax_swap_ht() function to unconditionally free attribute syntax information nodes during schema reload, bypassing the refcount-based deferred deletion. If an administrator triggers schema reload while concurrent LDAP queries are active, worker threads may access freed memory, resulting in use-after-free or double-free and a denial of service (server crash).
GeoServer prior to versions 2.26.4 and 2.27.3 may allow an attacker to perform unauthenticated Server-Side Request Forgery (SSRF) using `ENTITY_RESOLUTION_ALLOWLIST`. This requires GeoServer to be configured to use a proxy base URL without a path or ending with a slash.
CVE-2026-56009 describes an improper neutralization of input during web page generation in Bricksable for Bricks Builder, allowing for Stored XSS attacks.
CVE-2026-56007 describes an improper neutralization of input during web page generation in OceanWP Ocean Product Sharing, leading to Stored XSS vulnerabilities.
UBB.threads is vulnerable to Reflected XSS. The application improperly handles user input in certain requests, allowing attackers to execute arbitrary JavaScript in the context of a victim's browser.
UBB.threads is vulnerable to Stored XSS via user posts and user profile fields. The application fails to properly sanitize user input, allowing low privileged attackers to inject arbitrary JavaScript that executes in a victim's browser upon viewing.
A path traversal vulnerability in handling the 'path' component of .repo files in libzypp before version 17.38.13 in the 17.x series, or before 16.22.19, could allow attackers to fill directories on the system outside of the zypp cache with content.
CVE-2026-42490 vulnerability relates to the way the system acquires a lock for guest management operations in a Xen environment. When using XSM/Flask, the lock acquisition may occur before permission checks, creating a risk of unauthorized access.
CVE-2026-42489 concerns the lack of fairness in the way system-wide locks are acquired during domctl operations, which may lead to issues with parallel execution of these operations.
The vulnerability in Docker Sandboxes (sbx) is that the ICMP egress block is applied only at network creation time and is not re-applied to networks rebuilt from disk after a Docker daemon restart. Consequently, a sandbox that survives a restart can forward ICMP to arbitrary hosts.

