CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
A vulnerability in the vm2 library for Node.js allows sandbox escape via the inspect function. Attackers can execute arbitrary commands on the host system.
A vulnerability in the vm2 library for Node.js allows bypassing the fix for CVE-2023-37466. Attackers can write code that escapes the VM2 sandbox and executes arbitrary commands on the host system.
A vulnerability in the vm2 library for Node.js allows sandbox escape and arbitrary command execution on the host system. The issue is fixed in version 3.11.0.
The 3onedata modbus gateway device model GW1101-1D(RS-485)-TB-P (hardware version V2.2.0) allows authenticated users to execute arbitrary shell commands in the context of the root user by providing payload in the 'IP address' field of the diagnosis test tools.
A buffer overflow vulnerability was found in the Assimp library up to version 6.0.2 in the FBX Importer. The issue occurs in aiMaterial::AddBinaryProperty, where a property key string from a crafted FBX file is copied into a fixed-size heap buffer using strcpy() without runtime length validation.
Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts an attacker-supplied GGUF file where the declared tensor offset and size exceed the file's actual length, leading to reading memory past the allocated buffer.
A security flaw has been discovered in Totolink N300RH version 3.2.4-B20220812 in the loginauth function of the /cgi-bin/cstecgi.cgi file, affecting the Parameter Handler component. Manipulating the Password argument results in a buffer overflow, which can be exploited in remote attacks.
W aplikacji wsparcia online firmy Tegsoft Management and Information Services Trade Limited Company występuje podatność na atak typu 'cross-site scripting' (XSS) z powodu niewłaściwego neutralizowania danych wejściowych podczas generowania stron internetowych. Problem ten dotyczy wersji aplikacji od V3 do 31122025.
A critical IDOR vulnerability has been discovered in Comet Backup affecting all versions from 20.11.0 to 26.1.1 and 26.2.1. The vulnerability allows a tenant administrator to impersonate any end-user account of other tenants on the same server via a vulnerable API call.
A security flaw has been discovered in Totolink WA300 5.2cu.7112_B20190227 in the loginauth function of the /cgi-bin/cstecgi.cgi file, affecting the POST Request Handler component. Manipulation of the http_host argument results in buffer overflow.
A stack overflow vulnerability exists in the WebCam Server Login functionality of GeoVision GV-VMS V20 20.0.2. A specially crafted HTTP request can lead to arbitrary code execution.
An insufficient encryption vulnerability exists in the Device Authentication functionality of GeoVision GV-IP Device Utility 9.0.5. Listening to broadcast packets can lead to credentials leak.
A stack overflow vulnerability exists in the WebCam Server Login functionality of GeoVision GV-VMS V20 20.0.2. A specially crafted HTTP request can lead to arbitrary code execution.
GV-VMS V20 is a video monitoring software that allows remote access to manage and monitor cameras. A stack overflow vulnerability has been discovered in the base64 decoding mechanism, which may facilitate an attacker in exploiting this flaw.
A privilege escalation vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request can lead to execute privileged operation.
There is an os command injection vulnerability in the DdnsSetting.cgi functionality of GeoVision LPC2011/LPC2211 version 1.10. A specially crafted DDNS configuration can lead to arbitrary command execution.
The User Verification by PickPlugins plugin for WordPress is vulnerable to authentication bypass in all versions up to and including 2.0.46. This is due to the use of a loose PHP comparison operator to validate OTP codes in the 'user_verification_form_wrap_process_otpLogin' function.
The User Registration Advanced Fields plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'URAF_AJAX::method_upload' function in all versions up to and including 1.6.20. This allows unauthenticated attackers to upload arbitrary files on the affected site's server.
CVE-2026-37541 describes a buffer overflow vulnerability in Open Vehicle Monitoring System 3 (OVMS3) version 3.3.005. Improper validation of the length field in GVRET binary data allows remote attackers to cause a denial of service or potentially execute arbitrary code via crafted GVRET frames.
CVE-2026-37539 describes a buffer overflow vulnerability in version 2.0.0 of the cannelloni software occurring during CAN frame parsing in the parseCANFrame and decodeFrame functions. This allows remote attackers to cause a denial of service (crash) or potentially execute arbitrary code via crafted CAN FD frames.

