CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
A security vulnerability in Cockpit CMS up to version 0.12.2 affects the Spyc::YAMLLoad function in the /config/config.yaml file of the htaccess Handler component. This manipulation leads to unauthorized access to files or directories. The attack can be launched remotely and the exploit has been publicly disclosed.
A SQL injection vulnerability has been found in itsourcecode Hospital Management System 1.0 in the file /departmentDoctor.php. An attacker can remotely manipulate the deptid argument, leading to unauthorized database access. The exploit has been made public, increasing the risk of attacks.
A SQL injection vulnerability has been found in itsourcecode Hospital Management System 1.0 in the /department.php file. An attacker can remotely manipulate the editid argument, leading to SQL injection. The exploit has been publicly released.
A SQL injection vulnerability was found in itsourcecode Hospital Management System 1.0 in the file /appointmentdetail.php. An attacker can remotely manipulate the editid argument, leading to SQL injection. The exploit is publicly available.
A SQL injection vulnerability was found in YzmCMS up to version 7.5 in the file /application/install/index.php. The attack involves manipulating the siteurl argument and can be executed remotely, though it is considered difficult to exploit. The exploit has been publicly disclosed.
A path traversal vulnerability was found in ruoyi-vue-pro up to version 2026.04-jdk8-SNAPSHOT in the generateUploadPath function of FileServiceImpl.java. An attacker can remotely manipulate the file path, leading to unauthorized access to resources.
A SQL injection vulnerability has been found in SourceCodester Class and Exam Timetabling System 1.0 in the file /preview4.php. An unknown function improperly handles the course_year_section argument, allowing an attacker to inject SQL code. The attack can be launched remotely and exploit details have been publicly disclosed.
A SQL injection vulnerability has been found in SourceCodester Class and Exam Timetabling System 1.0 in the /edit_class.php file via the ID parameter. The attack can be performed remotely and the exploit has been published.
A SQL injection vulnerability was found in CodeAstro Human Resource Management System 1.0 in the emselectByCode function of Employee_model.php. The attack manipulates the emid argument in the Update_Earn_Leave endpoint. It can be exploited remotely and the exploit is publicly available.
A vulnerability was found in CherryHQ cherry-studio up to version 1.9.6 in the MCP OAuth Local Callback Server component. Manipulation of the 'code' argument in callback.ts leads to improper authorization. The attack can be initiated remotely but is considered difficult to exploit.
A weakness in the ISOBMFF Parser component of GPAC up to version 26.02.0 affects the file src/utils/base_encoding.c. A local attacker can trigger manipulation leading to highly compressed data, potentially causing uncontrolled data expansion after decompression. A public exploit increases the risk of attacks.
A security flaw has been discovered in SlimPDFReader up to version 2.0.14 in the function SlimPDFReader!Investintech::PCV::TeighaDo+0x25cde0 of SlimPDFReader.exe. Manipulation leads to an out-of-bounds read. The attack can be initiated remotely.
A SQL injection vulnerability was found in SourceCodester Class and Exam Timetabling System 1.0/5.php in the file /preview5.php. An attacker can remotely manipulate the course_year_section argument, leading to SQL injection. The exploit is publicly available.
A SQL injection vulnerability was found in itsourcecode Hospital Management System 1.0 in the file /appointmentapproval.php. The Appointment Handler component improperly handles the editid argument, allowing SQL injection. The attack can be performed remotely and the exploit has been publicly disclosed.
A vulnerability was found in Tenda JD12L firmware version 16.03.53.23, involving a stack-based buffer overflow in the fromNatStaticSetting function of the /goform/NatStaticSetting file. An attacker can remotely manipulate the page argument, causing a buffer overflow. The exploit has been made public and could be used.
A stack-based buffer overflow vulnerability was discovered in Tenda JD12L firmware version 16.03.53.23 within the fromAddressNat function of the /goform/addressNat file. An attacker can remotely exploit this by manipulating the page argument. Exploit details have been publicly disclosed.
A stack-based buffer overflow vulnerability has been found in Tenda JD12L firmware version 16.03.53.23 in the formWifiBasicSet function of the /goform/WifiBasicSet file. An attacker can remotely exploit this flaw by manipulating the security_5g argument, potentially leading to arbitrary code execution.
A vulnerability was detected in Tenda JD12L 16.03.53.23, involving a stack-based buffer overflow in the fromSetWifiGusetBasic function of the /goform/WifiGuestSet file. An attacker can remotely exploit this by manipulating the shareSpeed argument.
A stack-based buffer overflow vulnerability has been detected in Tenda JD12L firmware version 16.03.53.23 in the formSetPPTPServer function of the /goform/SetPptpServerCfg file. Manipulation of the startIp argument allows remote exploitation. The exploit has been publicly disclosed and may be used.
A weakness has been identified in Chess Play and Learn App up to version 4.9.42 on Android, involving processing of AndroidManifest.xml in the com.chess component. This manipulation leads to exposure of backup file to an unauthorized control sphere. The attack requires physical access to the device.

