CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-14617
Low

A vulnerability has been detected in NousResearch hermes-agent up to version 2026.4.30. The issue is in the GatewayStreamConsumer._filter_and_accumulate function in gateway/stream_consumer.py, leading to improper handling of case sensitivity. The attack can be initiated remotely but is difficult to exploit.

CVE-2026-46466
Low

The vulnerability in Dell PowerProtect Data Domain involves the use of a less trusted source. It allows a high-privileged attacker with remote access to tamper with information.

CVE-2026-56085
Low

A vulnerability in Dell PowerProtect Data Domain involves the use of an uninitialized resource. A low-privileged attacker with local access could exploit this flaw, leading to information exposure.

CVE-2026-41124
Low

A path traversal vulnerability in Dell PowerProtect Data Domain allows a high-privileged attacker with local access to bypass path restrictions and potentially disclose sensitive information.

CVE-2026-13743
Low

A vulnerability in CubeSpace CW0057 Reaction Wheel firmware versions prior to 5.0.20 is due to improper verification of cryptographic signatures. This allows an attacker with physical access to upload arbitrary malicious firmware without authentication.

CVE-2026-53422
Low

An Observable Response Discrepancy vulnerability in the ssh_sftpd module of Erlang OTP SSH allows an authenticated SFTP user to enumerate the existence of files and directories outside the configured root directory. The SSH_FXP_REALPATH handler does not canonicalize the path before checking restrictions, enabling the use of '..' components to bypass validation and obtain information about the existence of paths on the filesystem.

CVE-2026-11781
Low

The Adminify WordPress plugin before version 4.2.10 fails to perform per-user read-capability checks in one of its administration search features, allowing low-privilege users (Contributor) to disclose non-public content such as other authors' unpublished post titles, pending comment content, plugin inventory, and user account names.

CVE-2026-11578
Low

The Fluent Forms WordPress plugin before version 6.2.5 does not properly restrict the deletion of form submission entries to the forms a restricted Manager is authorized to manage. This allows a Manager limited to specific forms to permanently delete submission entries belonging to other forms. This requires a non-default configuration where an administrator has created at least one Manager restricted to specific forms.

CVE-2026-58036
Low

A vulnerability in MediaWiki allows unauthorized actors to access sensitive information through the files ApiQueryAllUsers.php, ApiQueryUsers.php, PermissionManager.php, and UserGroupManager.php.

CVE-2026-8387
Low

A vulnerability in allegroai/clearml versions up to 1.16.5 allows relative path traversal when extracting .zip archives using ZipFile.extractall() in StorageManager._extract_to_cache(). Lack of path validation enables arbitrary file writes.

CVE-2026-11880
Low

The Fluent Forms WordPress plugin before version 6.2.1 does not properly verify ownership before processing a subscription cancellation request, allowing authenticated users with low privileges to cancel subscriptions belonging to other users.

CVE-2026-44042
Low

UltraVNC repeater through version 1.8.2.2 contains an off-by-one error in the Base64 decode helper used for HTTP Basic authentication. In webutils.c:817, the wi_uudecode() function checks if input length exceeds the output buffer with a strict greater-than comparison (>), while the correct check should be greater-than-or-equal (>=). Currently, the risk is limited to a one-byte write at the boundary of a 1024-byte stack buffer under constrained conditions.

CVE-2026-41579
Low

In runc prior to versions 1.3.6, 1.4.3, and 1.5.0, setupPtmx and setupDevSymlinks use filepath.Join with os.Remove and os.Symlink, allowing an image with /dev as a symlink to delete the ptmx file on the host or create symlinks in an arbitrary host directory. This is not exploitable under Docker, but other container tooling built on runc remains exposed.

CVE-2026-54898
Low

A heap use-after-free vulnerability exists in the C engine of the Oj (Optimized JSON) Ruby gem prior to version 3.17.2. The issue occurs when a SAJ/SAJ2 callback mutates the input JSON string during parsing, causing the internal buffer to be reallocated and leaving a dangling pointer.

CVE-2026-54897
Low

Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. Prior to version 3.17.2, Oj::Doc iterators (each_value, each_child, each_leaf) were vulnerable to a heap use-after-free. When a Ruby block yielded during iteration calls doc.close or d.close, the document's heap memory is freed while the C iterator is still running. When control returns from the block, the iterator reads from the freed region, producing a use-after-free accessible from pure Ruby.

CVE-2026-54896
Low

A heap buffer overflow vulnerability was found in the Oj (Optimized JSON) library for Ruby when serializing Exception objects with a large :indent value. The issue affects versions prior to 3.17.2 and has been fixed in that version.

CVE-2026-56377
Low

A vulnerability in ImageMagick before version 7.1.2-24 allows attackers to bypass security policies and create or truncate files that should be blocked. The flaw is due to incorrect policy path validation, enabling file writes outside allowed boundaries.

CVE-2026-56369
Low

A vulnerability in ImageMagick before version 7.1.2-22 in the PasskeyEncipherImage method causes AES-CTR nonce reuse. Attackers can exploit this to recover plaintext from encrypted images.

CVE-2026-56365
Low

A memory leak vulnerability in ImageMagick before version 7.1.2-19 exists in the PNG encoder when writing MNG images. Attackers can trigger the encoder failure condition to exhaust memory resources and cause denial of service.

CVE-2026-56364
Low

A memory leak vulnerability in ImageMagick before version 7.1.2-13 exists in the LoadOpenCLDeviceBenchmark() function when parsing malformed OpenCL device profile XML files with unclosed device elements. Attackers with write access to the OpenCL cache directory can place malicious XML files to exhaust memory and cause denial of service.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS