CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-24781
CriticalEPSS 63%

A vulnerability in the vm2 library for Node.js allows sandbox escape via the inspect function. Attackers can execute arbitrary commands on the host system.

CVE-2026-24120
CriticalEPSS 55%

A vulnerability in the vm2 library for Node.js allows bypassing the fix for CVE-2023-37466. Attackers can write code that escapes the VM2 sandbox and executes arbitrary commands on the host system.

CVE-2026-24118
CriticalEPSS 56%

A vulnerability in the vm2 library for Node.js allows sandbox escape and arbitrary command execution on the host system. The issue is fixed in version 3.11.0.

CVE-2025-13605
Critical

The 3onedata modbus gateway device model GW1101-1D(RS-485)-TB-P (hardware version V2.2.0) allows authenticated users to execute arbitrary shell commands in the context of the root user by providing payload in the 'IP address' field of the diagnosis test tools.

CVE-2025-70067
Critical

A buffer overflow vulnerability was found in the Assimp library up to version 6.0.2 in the FBX Importer. The issue occurs in aiMaterial::AddBinaryProperty, where a property key string from a crafted FBX file is copied into a fixed-size heap buffer using strcpy() without runtime length validation.

CVE-2026-7482
Critical

Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts an attacker-supplied GGUF file where the declared tensor offset and size exceed the file's actual length, leading to reading memory past the allocated buffer.

CVE-2026-7747
Critical

A security flaw has been discovered in Totolink N300RH version 3.2.4-B20220812 in the loginauth function of the /cgi-bin/cstecgi.cgi file, affecting the Parameter Handler component. Manipulating the Password argument results in a buffer overflow, which can be exploited in remote attacks.

CVE-2025-14320
Critical

W aplikacji wsparcia online firmy Tegsoft Management and Information Services Trade Limited Company występuje podatność na atak typu 'cross-site scripting' (XSS) z powodu niewłaściwego neutralizowania danych wejściowych podczas generowania stron internetowych. Problem ten dotyczy wersji aplikacji od V3 do 31122025.

CVE-2026-29200
Critical

A critical IDOR vulnerability has been discovered in Comet Backup affecting all versions from 20.11.0 to 26.1.1 and 26.2.1. The vulnerability allows a tenant administrator to impersonate any end-user account of other tenants on the same server via a vulnerable API call.

CVE-2026-7719
Critical

A security flaw has been discovered in Totolink WA300 5.2cu.7112_B20190227 in the loginauth function of the /cgi-bin/cstecgi.cgi file, affecting the POST Request Handler component. Manipulation of the http_host argument results in buffer overflow.

CVE-2026-7372
Critical

A stack overflow vulnerability exists in the WebCam Server Login functionality of GeoVision GV-VMS V20 20.0.2. A specially crafted HTTP request can lead to arbitrary code execution.

CVE-2026-7161
Critical

An insufficient encryption vulnerability exists in the Device Authentication functionality of GeoVision GV-IP Device Utility 9.0.5. Listening to broadcast packets can lead to credentials leak.

CVE-2026-42370
Critical

A stack overflow vulnerability exists in the WebCam Server Login functionality of GeoVision GV-VMS V20 20.0.2. A specially crafted HTTP request can lead to arbitrary code execution.

CVE-2026-42369
Critical

GV-VMS V20 is a video monitoring software that allows remote access to manage and monitor cameras. A stack overflow vulnerability has been discovered in the base64 decoding mechanism, which may facilitate an attacker in exploiting this flaw.

CVE-2026-42368
Critical

A privilege escalation vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request can lead to execute privileged operation.

CVE-2026-42364
CriticalEPSS 73%

There is an os command injection vulnerability in the DdnsSetting.cgi functionality of GeoVision LPC2011/LPC2211 version 1.10. A specially crafted DDNS configuration can lead to arbitrary command execution.

CVE-2026-7458
Critical

The User Verification by PickPlugins plugin for WordPress is vulnerable to authentication bypass in all versions up to and including 2.0.46. This is due to the use of a loose PHP comparison operator to validate OTP codes in the 'user_verification_form_wrap_process_otpLogin' function.

CVE-2026-4882
Critical

The User Registration Advanced Fields plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'URAF_AJAX::method_upload' function in all versions up to and including 1.6.20. This allows unauthenticated attackers to upload arbitrary files on the affected site's server.

CVE-2026-37541
Critical

CVE-2026-37541 describes a buffer overflow vulnerability in Open Vehicle Monitoring System 3 (OVMS3) version 3.3.005. Improper validation of the length field in GVRET binary data allows remote attackers to cause a denial of service or potentially execute arbitrary code via crafted GVRET frames.

CVE-2026-37539
Critical

CVE-2026-37539 describes a buffer overflow vulnerability in version 2.0.0 of the cannelloni software occurring during CAN frame parsing in the parseCANFrame and decodeFrame functions. This allows remote attackers to cause a denial of service (crash) or potentially execute arbitrary code via crafted CAN FD frames.

PreviousPage 90 of 559Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS