CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-14388
Medium

An out-of-bounds read vulnerability in the ANGLE component of Google Chrome prior to version 150.0.7871.46 allows a remote attacker to read potentially sensitive information from process memory via a crafted HTML page.

CVE-2026-14386
Medium

An out-of-bounds read vulnerability in the ANGLE component of Google Chrome prior to version 150.0.7871.46 allows a remote attacker to read sensitive information from process memory via a crafted HTML page. The issue is rated as High severity.

CVE-2026-14384
Medium

An out-of-bounds read vulnerability in the ANGLE component of Google Chrome on Windows prior to version 150.0.7871.46 allows a remote attacker to leak cross-origin data via a crafted HTML page.

CVE-2026-14381
Medium

A vulnerability in the WebAppInstalls component of Google Chrome prior to 150.0.7871.46 allowed a remote attacker to perform UI spoofing via a crafted HTML page. The issue stems from incorrect security UI handling.

CVE-2026-55793
Medium

In Craft CMS versions 5.0.0-RC1 through 5.9.22, an author-level user can inject malicious JavaScript into an entry title. When an admin drags another entry under the poisoned entry in table view, the payload executes in the victim's session.

CVE-2026-54712
Medium

In OpenTelemetry Java Instrumentation prior to version 2.27.0, the RMI context propagation payload reader limits the number of context entries but does not limit the aggregate size of the strings read from the stream. An attacker who can reach an RMI endpoint on an instrumented JVM can send an oversized context propagation payload, causing excessive memory allocation and potential denial of service. The issue affects only deployments where RMI instrumentation is enabled and an RMI endpoint is network-reachable.

CVE-2026-54704
Medium

In OpenTelemetry Java Instrumentation prior to version 2.28.0, a vulnerability in JDBC auto-instrumentation may fail to sanitize passwords in SQL CONNECT statements when the password is double-quoted. As a result, clear-text database passwords can be added to trace span attributes and exported to observability backends.

CVE-2026-54262
Medium

In Wagtail, an open source content management system built on Django, versions prior to 7.0.8, 7.3.3, and 7.4.2 allow a low-level user with the 'Can submit translation' permission to create translations for any page, including those they do not have permissions for. This issue has been fixed in versions 7.0.8, 7.3.3, and 7.4.2.

CVE-2026-54261
Medium

In Wagtail, an open source CMS built on Django, a missing permission check on the image preview endpoint allows users with Wagtail admin access to preview any image. The existing data of the image object itself is not exposed. The vulnerability is not exploitable by ordinary site visitors without admin access.

CVE-2026-54260
Medium

In Wagtail, an open source CMS built on Django, versions prior to 7.0.8, 7.3.3, and 7.4.2 allow an authenticated admin user to trigger expensive rendition processing with crafted filter specs, potentially causing service degradation. The vulnerability is not exploitable by ordinary site visitors without Wagtail admin access.

CVE-2026-54259
Medium

In Wagtail, an open source CMS built on Django, versions prior to 7.0.8, 7.3.3, and 7.4.2, the Documents and Images chooser's chosen endpoint incorrectly listed items for which the user has not been granted choose permission. A user with access to the Wagtail admin could see the filename, name, and URLs of documents and images in those collections.

CVE-2026-36911
Medium

A division-by-zero vulnerability in the CStreamSwitcherOutputPin::DecideBufferSize function of MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

CVE-2026-36910
Medium

An access violation in the BaseSplitterFile::Read function of MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

CVE-2026-36909
Medium

A NULL pointer dereference in the AP4_TkhdAtom::GetTrackId() function of MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

CVE-2026-55886
Medium

Jodit Editor versions prior to 4.12.26 are vulnerable to Prototype Pollution via the Jodit.modules.Helpers.set() function. An attacker can pass a crafted key chain containing __proto__, constructor, or prototype, leading to Object.prototype modification and injection of unexpected properties.

CVE-2026-55661
Medium

A stored XSS vulnerability exists in the Tina headless CMS rich-text component. The URL field in Slate link/image nodes is not sanitized, allowing malicious URLs (e.g., javascript: or data:text/html) to be rendered and executed when content is viewed.

CVE-2026-54786
Medium

Wasmtime prior to versions 24.0.10, 36.0.11, 44.0.3, and 45.0.2 contains a vulnerability in the native WASIp1 implementation where the fd_renumber function fails to properly close the target file descriptor. This causes resource leaks in the host system, potentially leading to exhaustion of file descriptors and resources.

CVE-2026-54756
Medium

In Jodit Editor prior to version 4.12.18, the Jodit.configure() function and internal ConfigMerge/ConfigProto helpers merged user-supplied options without filtering prototype-mutating keys, leading to a Prototype Pollution vulnerability.

CVE-2026-54720
Medium

In Silverstripe Framework prior to version 6.2.2, the 'Insert media from web' functionality in the CMS is vulnerable to XSS from a specially crafted embed. This issue was fixed in version 6.2.2.

CVE-2026-14340
Medium

An incorrect authorization vulnerability in GitHub Enterprise Server allowed a user-to-server token scoped to a GitHub App installation to perform write operations on public repositories outside its intended scope. The authorization check only verified read permissions on the target repository, not explicit access.

PreviousPage 9 of 485Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS