CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
A vulnerability in Safari and Apple systems allows a malicious website to process restricted web content outside the sandbox. The issue is fixed in Safari 26.5.2, iOS 26.5.2, iPadOS 26.5.2, and macOS Tahoe 26.5.2 with improved checks.
A cross-origin issue was addressed with improved tracking of security origins in Safari, iOS, iPadOS, and macOS Tahoe. Processing maliciously crafted web content may disclose sensitive user information. The fix is included in versions 26.5.2.
A use-after-free vulnerability in Safari, iOS, iPadOS, and macOS Tahoe could lead to an unexpected process crash when processing maliciously crafted web content. The issue was addressed with improved memory management.
An out-of-bounds access issue was addressed with improved bounds checking. Processing maliciously crafted web content may lead to an unexpected Safari crash.
A vulnerability in Safari and Apple systems may cause a process crash when processing maliciously crafted web content. The issue was fixed with improved memory handling.
A vulnerability in WebKit may lead to an unexpected process crash when processing maliciously crafted web content. The issue was addressed with improved memory handling. The fix is included in Safari 26.5.2, iOS 26.5.2, iPadOS 26.5.2, and macOS Tahoe 26.5.2.
A vulnerability in Apple systems allows an app to cause unexpected system termination or corrupt kernel memory. The issue was addressed with improved input validation.
A vulnerability in Alexantr filemanager v.1.0 allows a remote attacker to execute arbitrary code via the filemanager.php component. The issue stems from insufficient input validation or code injection protection.
A Cross-Site Request Forgery (CSRF) vulnerability has been found in Squidex CMS version 7.21.0 and earlier. An attacker can exploit the IdentityServer account profile endpoint to escalate privileges without the victim's knowledge.
An out-of-bounds access vulnerability in Safari and Apple systems allows processing maliciously crafted web content to cause an unexpected process crash. The issue is fixed in Safari 26.5.2, iOS 26.5.2, iPadOS 26.5.2, and macOS Tahoe 26.5.2.
Inconsistent interpretation of HTTP/2 requests in AWS Application Load Balancer with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected. This issue only impacts HTTP/2 ALB target groups.
Inconsistent interpretation of HTTP/2 requests in Amazon CloudFront with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected.
A memory leak vulnerability in CSS::Minifier::XS for Perl before version 0.14 occurs when minifying a document containing only characters to be removed, such as comments and whitespace.
This CVE entry has been rejected. It is a reservation duplicate of CVE-2026-57700 and should not be used.
A command injection vulnerability in luci-proto-openvpn through version 0.11.1 (fixed in commit e4ff45e) exists in the generateKey ubus method. The cl_meta parameter is interpolated into a shell command without proper escaping, allowing an authenticated LuCI user with OpenVPN protocol configuration access to execute arbitrary commands as root via the popen function.
A command injection vulnerability in luci-app-tailscale-commons allows authenticated users to execute arbitrary commands as root via the tailscale.do_login RPC method. The issue stems from improper quoting of the loginserver and loginserver_authkey parameters within a double-quoted shell command, enabling shell substitutions like $() to be evaluated.
A vulnerability in the mdex and mdex_native libraries allows an unauthenticated attacker to cause a denial of service via unbounded memory allocation. The parse_highlight_lines function in the LumisAdapter component expands a user-controlled line range from a fenced code block without an upper bound, allocating huge vectors. A payload with a range like 1-2000000000 can exhaust host memory and abort the BEAM process.
A cross-site scripting (XSS) vulnerability was found in the MDEx library due to improper input neutralization in Markdown processing. An attacker can inject arbitrary HTML/JavaScript that executes in the browser of every user viewing the rendered output.
A flaw was found in p11-kit where the RPC message attribute parsing functions lack a recursion depth limit when processing nested template attributes. An unauthenticated attacker with local access to the p11-kit RPC Unix domain socket can send a crafted request with deeply nested attributes, causing stack exhaustion and crashing the p11-kit server and its dependent services.
A vulnerability in Hi.Events through version 1.9.0 allows unauthenticated attackers to access full attendee lists, including emails and personal information, via public check-in list endpoints. By knowing the short_id, an attacker can read attendee data and create or delete check-in records without authentication.

