CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
Missing authorization in the server management routes in Azuriom CMS before version 1.2.11 allows an authenticated attacker with admin.access permission to create AzLink server tokens and take over non-admin user accounts by changing their passwords and email addresses.
Dell PowerFlex Manager versions prior to 5.1.0.1 contain an Improper Authentication vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Information disclosure, Information tampering, and Unauthorized access.
NGINX Open Source has a vulnerability in the ngx_http_v3_module. When configured with the HTTP/3 QUIC module, a remote unauthenticated attacker, under specific conditions, can use a crafted HTTP/3 session to reopen a QPACK encoder stream, causing a Use-after-Free in the NGINX worker process and a restart. On systems with ASLR disabled or bypassed, code execution is possible.
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules. It occurs when proxy_http_version 2 or grpc_pass directives are used for HTTP/2 proxying, ignore_invalid_headers is set to off, and large_client_header_buffers size exceeds 2 MB. A remote unauthenticated attacker can send large headers causing a heap-based buffer overflow in the NGINX worker process, leading to a restart or potential code execution.
Dell PowerFlex Manager versions prior to 5.1.0.1 contain an Improper Access Control vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to denial of service.
Dell PowerFlex Manager versions prior to 5.1.0.1 contain a Missing Authentication for Critical Function vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Code execution, Denial of service, Information disclosure, Information tampering, Remote execution, Script injection, and Unauthorized access.
Dell PowerFlex Manager versions prior to 5.1.0.1 contain an Improper Authentication vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Unauthorized access.
Dell PowerFlex Manager versions prior to 5.1.0.1 contain an Inclusion of Functionality from Untrusted Control Sphere vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to information disclosure.
In NGINX Gateway Fabric, when NGINX Plus is configured as the data plane, an injection vulnerability exists in the NGINX configuration generator component. User-supplied string values from the serverTokens field of the NginxProxy Custom Resource Definition and the extraAuthArgs field of the AuthenticationFilter Custom Resource Definition are rendered directly into NGINX configuration templates without sanitization or escaping. An authenticated attacker with permission to create or modify these Custom Resource Definitions may inject arbitrary NGINX configuration directives.
A stack-based buffer overflow exists in the raw_to_header() function in rxi microtar 0.1.0. The function copies the name and linkname fields of a TAR header without guaranteeing null termination, potentially leading to out-of-bounds read and stack buffer overflow.
CVE-2026-54818 describes an improper neutralization of special elements used in an SQL command, allowing for Blind SQL Injection in Slimstat Analytics.
CVE-2026-54816 describes an improper control of code generation vulnerability that allows remote code inclusion in Monetizemore Advanced Ads. This issue affects Advanced Ads versions from n/a through 2.0.21.
CVE-2026-54814 describes improper control of filename for include/require statements in PHP, allowing for local file inclusion. This affects the Motors theme from n/a through 1.4.109.
CVE-2026-54813 describes an improper neutralization of special elements used in SQL commands, leading to a Blind SQL Injection vulnerability in Brainstorm Force SureDash. This issue affects SureDash versions from n/a through 1.8.0.
An integer overflow in the mtar_next() function in rxi microtar 0.1.0 allows a remote attacker to cause a denial of service via a crafted tar archive. The issue occurs when the header size is a multiple of 512 in a specific range, leading to an infinite loop.
In Fusion Builder versions <= 3.15.4, there is a vulnerability that allows arbitrary file deletion by users with appropriate permissions.
Versions of Kastell <= 2.0 are vulnerable to unauthenticated local file inclusion, which may lead to the disclosure of sensitive information.
Château versions up to 1.2.1 are vulnerable to unauthenticated PHP object injection.
Zoya versions up to 1.4 contain a vulnerability to unauthenticated PHP object injection, which may lead to unauthorized access to the system.
There is an unauthenticated PHP Object Injection vulnerability in Manufaktur Solutions versions <= 1.1.1.

