CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
A stack-based buffer overflow vulnerability was found in Wavlink WL-NU516U1-A firmware M16U1_V240425 in the sub_407504 function of /cgi-bin/wireless.cgi. Manipulation of the Guest_ssid argument in the POST Parameter Handler allows remote code execution. The exploit is publicly available.
The APCu Manager WordPress plugin before version 4.5.0 fails to escape APCu object-cache keys before rendering them in an admin-area page, leading to a Stored Cross-Site Scripting vulnerability. Cache keys derived from unsanitized user input (e.g., a transient name created by an unauthenticated request) are output without escaping and execute arbitrary JavaScript in the session of an administrator viewing the page.
Information exposure vulnerability in Hitachi Storage Navigator. This flaw affects multiple Hitachi Virtual Storage Platform models before specific DKCMAIN and SVP software versions.
An improper authorization vulnerability has been discovered in the maintenance utility of Hitachi Virtual Storage Platform systems. This flaw allows unauthorized access to maintenance functions, potentially compromising data integrity and confidentiality.
Hitachi Virtual Storage Platform One Block 23, 24, 26, 28 lack firmware update validation. This issue affects versions before DKCMAIN A3-04-21-40/00 and ESM A3-04-21/00.
In the Linux kernel AMD64 AGP driver, a vulnerability was found due to incorrect error checking of the return value from cache_nbs(). When no physical AMD northbridge is present (e.g., in virtualized environments), the function returns -ENODEV, but the code only checks for -1, masking the error and leading to a NULL pointer dereference in amd64_fetch_size().
A command injection vulnerability was found in Wavlink WL-NU516U1-A firmware version M16U1_V240425. The issue is in the sub_401D68 function of the /cgi-bin/wireless.cgi file, where the SSID2G2, SSID5G2, AuthMethod2, and WPAPSK12 parameters are improperly handled. Remote exploitation is possible, and the exploit has been publicly disclosed.
A cross-site request forgery (CSRF) vulnerability was found in CodeAstro Human Resource Management System 1.0. An unknown function allows remote attackers to perform unauthorized actions on behalf of an authenticated user. The exploit has been made public and could be used.
A cross-site scripting vulnerability was found in GotoHTTP up to version 10.2 in the /reg.12x file via the sn parameter. The attack can be performed remotely and the exploit details have been publicly disclosed.
A SQL injection vulnerability was found in CodeAstro Human Resource Management System 1.0 in the GetFileInfo function of Employee_model.php. Manipulating the ID argument in the view endpoint allows remote attack. The exploit has been published and may be used.
In CherryHQ cherry-studio up to version 1.9.7, a vulnerability was found in the sha256 function of the MemoryService.ts file in the CherryIN Preload API component. Manipulation of the state argument leads to authorization bypass.
A security vulnerability in Cockpit CMS up to version 0.12.2 affects the Spyc::YAMLLoad function in the /config/config.yaml file of the htaccess Handler component. This manipulation leads to unauthorized access to files or directories. The attack can be launched remotely and the exploit has been publicly disclosed.
A SQL injection vulnerability has been found in itsourcecode Hospital Management System 1.0 in the file /departmentDoctor.php. An attacker can remotely manipulate the deptid argument, leading to unauthorized database access. The exploit has been made public, increasing the risk of attacks.
A SQL injection vulnerability has been found in itsourcecode Hospital Management System 1.0 in the /department.php file. An attacker can remotely manipulate the editid argument, leading to SQL injection. The exploit has been publicly released.
A SQL injection vulnerability was found in itsourcecode Hospital Management System 1.0 in the file /appointmentdetail.php. An attacker can remotely manipulate the editid argument, leading to SQL injection. The exploit is publicly available.
A SQL injection vulnerability was found in YzmCMS up to version 7.5 in the file /application/install/index.php. The attack involves manipulating the siteurl argument and can be executed remotely, though it is considered difficult to exploit. The exploit has been publicly disclosed.
A path traversal vulnerability was found in ruoyi-vue-pro up to version 2026.04-jdk8-SNAPSHOT in the generateUploadPath function of FileServiceImpl.java. An attacker can remotely manipulate the file path, leading to unauthorized access to resources.
A SQL injection vulnerability has been found in SourceCodester Class and Exam Timetabling System 1.0 in the file /preview4.php. An unknown function improperly handles the course_year_section argument, allowing an attacker to inject SQL code. The attack can be launched remotely and exploit details have been publicly disclosed.
A SQL injection vulnerability has been found in SourceCodester Class and Exam Timetabling System 1.0 in the /edit_class.php file via the ID parameter. The attack can be performed remotely and the exploit has been published.
A SQL injection vulnerability was found in CodeAstro Human Resource Management System 1.0 in the emselectByCode function of Employee_model.php. The attack manipulates the emid argument in the Update_Earn_Leave endpoint. It can be exploited remotely and the exploit is publicly available.

