CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-58376
High

Dolibarr up to version 23.0.3 (fixed in commit 14db36e) contains a SQL injection vulnerability. Authenticated API users can exfiltrate arbitrary database contents by supplying malicious values to the sqlfilters parameter in the setup dictionary and multicurrencies REST API endpoints.

CVE-2026-58375
High

JimuReport up to version 2.5.0 exposes the POST /jmreport/auto/export endpoint without authentication. The @JimuNoLoginRequired annotation causes all access controls to be skipped, and the export service streams the report for any supplied ID without verifying the auto-export configuration flag. An unauthenticated attacker can enumerate Snowflake report identifiers and export the full contents of any report, including data from SQL queries and credentials embedded in data sources.

CVE-2026-58373
Medium

A vulnerability in CVAT before version 2.69.0 in the QualityReportViewSet.get_queryset allows authenticated attackers to enumerate quality report identifiers belonging to other organizations. The missing check_object_permissions call on the parent_id parameter in the quality reports API endpoint enables distinguishing existing and non-existing reports via HTTP 500 vs 404 responses.

CVE-2026-58372
HighEPSS 51%

SeaweedFS before version 4.34 has a path traversal vulnerability in the S3 gateway DeleteMultipleObjectsHandler. An authenticated S3 principal with write access to a single bucket can delete arbitrary objects in other tenants' buckets by supplying object keys containing ../ sequences in the DeleteObjects XML request body.

CVE-2026-58371
Low

A vulnerability in SeaweedFS before version 4.30 reflects the callback query parameter without validation in JSON responses served as application/javascript. Missing X-Content-Type-Options: nosniff header and CORS allow-list allows an attacker to load responses from any JSON endpoint (including unauthenticated ones) via a <script> tag from a third-party web page.

CVE-2026-58370
High

A vulnerability in Woodpecker before version 3.15.0 allows bypassing the ApprovalAllowedUsers list by manipulating the pipeline.Author field. For GitLab integration, the commit author is taken from webhook data which can be attacker-controlled. A user opening a merge request from a fork can set the commit author name to match an entry in ApprovalAllowedUsers, causing the pipeline to run without required approval.

CVE-2026-58369
Medium

Woodpecker before version 3.15.0 exposes the /api/orgs/lookup/*org_full_name endpoint without authentication middleware, and the handler triggers a NULL pointer dereference for unauthenticated requests. Each request causes a panic that is recovered by gin middleware but writes a multi-line stack trace to the error log.

CVE-2026-58176
Medium

In RuoYi-Vue-Plus up to version 5.6.2 (fixed in commit 88d03d9), workflow task management endpoints in FlwTaskController lack any permission checks. Any authenticated user, regardless of role, can reassign tasks, urge tasks, and list all pending and finished tasks.

CVE-2026-58174
Medium

A vulnerability in Hermes WebUI before version 0.51.521 allows bypassing profile isolation. When importing a session, the workspace of the active named profile is validated, but the Session object is created without setting its profile, resulting in the session being persisted with a null profile. A null profile is treated as the default profile, enabling a user on the default profile to export the session transcript and read files from the named profile's workspace.

CVE-2026-58173
Medium

A path traversal vulnerability in Vibe-Trading before version 0.1.10 allows attackers to write files outside the intended memory root directory by supplying a malicious memory_type value containing path traversal sequences. Attackers can manipulate the memory_type parameter in the persistent memory store to write arbitrary Markdown files to unintended filesystem locations.

CVE-2026-58172
Critical

A vulnerability in Ocelot through version 24.1.0 (fixed in commit f156fd4) allows bypassing IP-based access controls by sending WebSocket upgrade requests. The WebSocket upgrade pipeline branch configured via MapWhen in OcelotPipelineExtensions.cs omits SecurityMiddleware, causing requests from blocked IP addresses to be proxied to downstream services without enforcing the allow/block list.

CVE-2026-58171
Medium

A vulnerability in Vibe-Trading before version 0.1.10 allows reading and overwriting run.json files outside the runs directory. An attacker can exploit a crafted run identifier supplied via MCP swarm tools, leading to data confidentiality and integrity breaches.

CVE-2026-58170
High

A path traversal vulnerability in Vibe-Trading before version 0.1.10 allows an attacker to load a controlled JSON file as an authoritative trading mandate by manipulating the proposal identifier. Combined with the file upload endpoint, an admitted caller can fully control the committed mandate, bypassing ceilings validation.

CVE-2026-58169
High

A DNS rebinding vulnerability in Vibe-Trading before 0.1.10 allows bypassing bearer-token authentication. The attacker exploits the server's trust of TCP peer addresses for loopback clients and missing Host header validation while binding to 0.0.0.0 with credentialed CORS. This leads to remote code execution and credential exfiltration.

CVE-2026-58168
High

An authorization bypass vulnerability in DeepTutor before version 1.4.10 allows low-privilege users to invoke unrestricted MCP tools. The allowed_mcp_tools function returns None instead of a denied result when mcp_tools is omitted from a user's grant.

CVE-2026-58167
Medium

A vulnerability in Nightingale (n9e) before version 9.0.0-beta.2 allows any authenticated low-privilege user (Standard role) to read full datasource configurations, including database passwords, HTTP bearer tokens, HTTP basic-auth passwords, and mTLS client keys. This occurs via the POST /api/n9e/datasource/list endpoint, which lacks admin authorization, and the DatasourceFilter does not redact secret fields.

CVE-2026-58166
Critical

OpenBMB ChatDev through version 2.2.0, fixed in commit 4fd4da6, contains a path traversal vulnerability that allows unauthenticated remote attackers to write or delete arbitrary files by supplying a malicious multipart filename in the file upload endpoint. Attackers can send a crafted filename containing path traversal sequences or an absolute path to the POST uploads session endpoint, which constructs the destination path without sanitization in save_upload_file, causing file write and cleanup operations to target attacker-chosen paths on the server filesystem.

CVE-2026-58165
High

In OpenZiti through version 2.0.0 (fixed in commit 3027fdf), a privilege escalation vulnerability exists. An authenticated non-admin identity with fine-grained enrollment management permissions can create an enrollment token for any identity, including the default administrator, because the ApplyCreate function in controller/model/enrollment_manager.go only verifies the target identity exists without performing authorization checks binding the caller to the target identity.

CVE-2026-49451
High

A vulnerability in the Microsoft.OpenApi library (OpenAPI.NET SDK) can cause process termination due to stack overflow when parsing an OpenAPI document with a circular schema reference. The issue affects versions from 2.0.0-preview11 to 2.7.5 and 3.5.4, confirmed for both JSON and YAML readers.

CVE-2026-10655
Medium

In Zephyr OS, a vulnerability in the asynchronous SNTP client (sntp_close_async) closes the UDP socket without synchronizing with the polling thread, leading to a use-after-free of the net_context structure. An attacker can trigger this by delaying or dropping SNTP responses, causing a crash of the networking thread (DoS) and potential memory corruption.

PreviousPage 88 of 4483Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS