CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-13529
Medium

A SQL injection vulnerability was found in YzmCMS up to version 7.5 in the file /application/install/index.php. The attack involves manipulating the siteurl argument and can be executed remotely, though it is considered difficult to exploit. The exploit has been publicly disclosed.

CVE-2026-13528
High

A path traversal vulnerability was found in ruoyi-vue-pro up to version 2026.04-jdk8-SNAPSHOT in the generateUploadPath function of FileServiceImpl.java. An attacker can remotely manipulate the file path, leading to unauthorized access to resources.

CVE-2026-13527
High

A SQL injection vulnerability has been found in SourceCodester Class and Exam Timetabling System 1.0 in the file /preview4.php. An unknown function improperly handles the course_year_section argument, allowing an attacker to inject SQL code. The attack can be launched remotely and exploit details have been publicly disclosed.

CVE-2026-13526
High

A SQL injection vulnerability has been found in SourceCodester Class and Exam Timetabling System 1.0 in the /edit_class.php file via the ID parameter. The attack can be performed remotely and the exploit has been published.

CVE-2026-13525
Medium

A SQL injection vulnerability was found in CodeAstro Human Resource Management System 1.0 in the emselectByCode function of Employee_model.php. The attack manipulates the emid argument in the Update_Earn_Leave endpoint. It can be exploited remotely and the exploit is publicly available.

CVE-2026-13524
Medium

A vulnerability was found in CherryHQ cherry-studio up to version 1.9.6 in the MCP OAuth Local Callback Server component. Manipulation of the 'code' argument in callback.ts leads to improper authorization. The attack can be initiated remotely but is considered difficult to exploit.

CVE-2026-13523
Low

A weakness in the ISOBMFF Parser component of GPAC up to version 26.02.0 affects the file src/utils/base_encoding.c. A local attacker can trigger manipulation leading to highly compressed data, potentially causing uncontrolled data expansion after decompression. A public exploit increases the risk of attacks.

CVE-2026-13522
Medium

A security flaw has been discovered in SlimPDFReader up to version 2.0.14 in the function SlimPDFReader!Investintech::PCV::TeighaDo+0x25cde0 of SlimPDFReader.exe. Manipulation leads to an out-of-bounds read. The attack can be initiated remotely.

CVE-2026-13521
High

A SQL injection vulnerability was found in SourceCodester Class and Exam Timetabling System 1.0/5.php in the file /preview5.php. An attacker can remotely manipulate the course_year_section argument, leading to SQL injection. The exploit is publicly available.

CVE-2026-13520
Medium

A SQL injection vulnerability was found in itsourcecode Hospital Management System 1.0 in the file /appointmentapproval.php. The Appointment Handler component improperly handles the editid argument, allowing SQL injection. The attack can be performed remotely and the exploit has been publicly disclosed.

CVE-2026-13519
High

A vulnerability was found in Tenda JD12L firmware version 16.03.53.23, involving a stack-based buffer overflow in the fromNatStaticSetting function of the /goform/NatStaticSetting file. An attacker can remotely manipulate the page argument, causing a buffer overflow. The exploit has been made public and could be used.

CVE-2026-13518
High

A stack-based buffer overflow vulnerability was discovered in Tenda JD12L firmware version 16.03.53.23 within the fromAddressNat function of the /goform/addressNat file. An attacker can remotely exploit this by manipulating the page argument. Exploit details have been publicly disclosed.

CVE-2026-13517
High

A stack-based buffer overflow vulnerability has been found in Tenda JD12L firmware version 16.03.53.23 in the formWifiBasicSet function of the /goform/WifiBasicSet file. An attacker can remotely exploit this flaw by manipulating the security_5g argument, potentially leading to arbitrary code execution.

CVE-2026-13516
High

A vulnerability was detected in Tenda JD12L 16.03.53.23, involving a stack-based buffer overflow in the fromSetWifiGusetBasic function of the /goform/WifiGuestSet file. An attacker can remotely exploit this by manipulating the shareSpeed argument.

CVE-2026-13515
High

A stack-based buffer overflow vulnerability has been detected in Tenda JD12L firmware version 16.03.53.23 in the formSetPPTPServer function of the /goform/SetPptpServerCfg file. Manipulation of the startIp argument allows remote exploitation. The exploit has been publicly disclosed and may be used.

CVE-2026-13514
Low

A weakness has been identified in Chess Play and Learn App up to version 4.9.42 on Android, involving processing of AndroidManifest.xml in the com.chess component. This manipulation leads to exposure of backup file to an unauthorized control sphere. The attack requires physical access to the device.

CVE-2026-13513
Medium

A security flaw was discovered in MyScale MyScaleDB up to version 1.8.0 in the SegmentId::getCacheKey function within src/VectorIndex/Common/SegmentId.h. It involves insufficient verification of data authenticity, allowing remote attacks with high complexity. The exploit has been published, and a fix is pending acceptance.

CVE-2026-13512
Medium

A vulnerability was found in Databend up to version 1.2.881 on HTTP. The ClientSessionManager::state_key function in client_session_manager.rs allows authorization bypass. The attack can be performed remotely and the exploit is publicly available.

CVE-2026-13511
Low

A vulnerability was found in VoltAgent up to version 2.1.17 in the Memory REST API component. The function handleGetMemoryConversation in memory.handlers.ts improperly authorizes access after manipulation of the conversationId argument. The attack can be performed remotely but is difficult to exploit due to high complexity.

CVE-2026-13510
Low

A vulnerability was found in SimStudioAI sim up to version 0.6.92 in the password protection handler component (apps/sim/lib/core/security/deployment.ts). Manipulation leads to use of a weak hash, enabling a remote attack with high complexity. The exploit has been made public and a fix is pending.

PreviousPage 106 of 4456Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS