CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-5137
Medium

The RTMKit (rometheme-for-elementor) plugin for WordPress up to version 2.0.7 is vulnerable to Local File Inclusion (LFI). This is due to insufficient path validation on the 'template' parameter in the render_templates AJAX endpoint, which is used directly in a require/include statement without sanitization.

CVE-2026-4322
Medium

The Destekz plugin from Raera - Ankara Web Design and Digital Advertising Agency contains a reflected XSS vulnerability due to improper input neutralization during page generation. This affects versions up to 02062026, and the product is no longer supported by the vendor.

CVE-2026-4321
Critical

An SQL injection vulnerability in Destekz by Raera - Ankara Web Design and Digital Advertising Agency allows an attacker to inject malicious SQL code. The issue affects all versions up to 02062026. The vendor confirmed the product is no longer supported.

CVE-2026-9756
Medium

The GenerateBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Headline Block 'linkMetaFieldType' Dynamic Link Attribute in versions up to and including 2.2.1 due to insufficient input sanitization and output escaping.

CVE-2026-4804
Medium

The Zakra theme for WordPress up to version 4.2.0 is vulnerable to Stored Cross-Site Scripting. The lack of sanitization for post meta fields (zakra_menu_item_color, zakra_menu_item_hover_color, zakra_menu_item_active_color) via the REST API allows authenticated attackers with Contributor-level access or higher to inject arbitrary scripts that execute when users visit the affected page.

CVE-2026-47896
High

A Path Traversal vulnerability in the Apache Lucene.Net.Replicator library allows unrestricted file reading outside the restricted directory. Affected versions are from 4.8.0-beta00005 through 4.8.0-beta00017.

CVE-2026-35159
Medium

A vulnerability in Dell Client Platform BIOS allows authentication bypass due to a primary weakness. An unauthenticated attacker with physical access could potentially exploit this flaw, leading to information disclosure.

CVE-2026-11900
Medium

The Ad Inserter – Ad Manager & AdSense Ads plugin for WordPress up to version 2.8.16 is vulnerable to Insecure Direct Object Reference (IDOR) via the 'data' attribute of the [adinserter] shortcode. The replace_ai_tags() function processes a {reusable-block-N} tag pattern that calls get_post_field('post_content', N) without verifying user capabilities with current_user_can('read_post'), without restricting the post type to 'wp_block', and without checking the post status. This allows authenticated attackers with Contributor-level access and above to read the full content of arbitrary posts, including Private, Draft, Pending, Trashed, and password-protected posts owned by other users, by placing the shortcode in a post they own and previewing it.

CVE-2026-11778
Medium

The CURCY – Multi Currency for WooCommerce plugin for WordPress up to version 2.2.14 is vulnerable to arbitrary shortcode execution by unauthenticated attackers. This is due to insufficient validation before passing a value to the do_shortcode function.

CVE-2026-11398
Medium

The LatePoint plugin for WordPress, up to version 5.6.1, has an authorization bypass vulnerability. Unauthenticated attackers can modify personally identifiable information (first name, last name, phone number, and notes) of any existing customer record, including administrator accounts, by submitting the booking form with a known email address. Exploitation requires guest bookings to be enabled.

CVE-2026-9230
Medium

The Quiz and Survey Master (QSM) plugin for WordPress up to version 11.1.4 is vulnerable to authorization bypass. Authenticated attackers with contributor-level access or higher can modify quizzes they do not own, overwrite result pages, and redirect notification emails to attacker-controlled addresses.

CVE-2026-9148
High

The Comments – wpDiscuz plugin for WordPress up to version 7.6.56 is vulnerable to Stored Cross-Site Scripting. This is due to insufficient output escaping in the getCommentAuthor() function, which interpolates the stored comment_author_url value directly into single-quoted HTML attributes without applying esc_url() or esc_attr(). Unauthenticated attackers can inject arbitrary web scripts that execute whenever a user accesses an injected page.

CVE-2026-8804
Medium

A vulnerability in Puppet resource_api (shipped with Puppet Core 8.x and Puppet Enterprise 2023.8.x and 2025.x) fails to preserve the sensitive flag on parameters defined via the resource-api, causing values like passwords to be stored in cleartext in the agent's local transaction state cache.

CVE-2026-8351
Medium

The RTMKit plugin for WordPress up to version 2.0.7 is vulnerable to Stored Cross-Site Scripting in the Advanced Heading widget due to insufficient output escaping of the 'Background Text' parameter. Authenticated attackers with contributor-level access or higher can inject arbitrary scripts that execute when users visit the page.

CVE-2026-47898
Medium

An XML External Entity (XXE) vulnerability in Apache Lucene.Net (Lucene.Net.Analysis.Common library). Affects versions from 4.8.0-beta00005 up to 4.8.0-beta00017.

CVE-2026-47897
High

A Path Traversal vulnerability in the Lucene.Net.Replicator library allows unauthorized access to files outside the restricted directory. The issue affects versions from 4.8.0-beta00005 up to 4.8.0-beta00017.

CVE-2026-14544
Critical

A flaw was found in HPLIP (HP Linux Imaging and Printing Software) as an incomplete fix for CVE-2026-8631. This vulnerability may allow a remote attacker to escalate privileges or achieve arbitrary code execution through an integer overflow in the hpcups processing path when handling specially crafted print data.

CVE-2026-9547
Unknown

A vulnerability in libcurl causes applications using SCP or SFTP transfers with the CURLOPT_SSH_KEYFUNCTION callback to silently accept untrusted servers. When a server presents a host key type that does not match the recorded key in the known_hosts file, the callback mechanism fails to enforce rejection, allowing the connection to succeed without warning.

CVE-2026-9546
Unknown

A vulnerability in libcurl causes the HTTP `Referer:` header to persist even when explicitly cleared. According to the documentation, passing NULL to `CURLOPT_REFERER` should suppress the header, but the option fails to clear the internal state. As a result, the previous referrer string is erroneously reused and sent in subsequent requests, potentially leaking sensitive information to unintended servers.

CVE-2026-9545
Unknown

A vulnerability in libcurl allows sending request data before SSL/TLS certificate verification when using cached SSL sessions and early data enabled during HTTP/3 transitions. An attacker can replace the server with an unauthorized machine lacking a valid certificate, potentially leaking sensitive information.

PreviousPage 10 of 4412Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS