CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-13504
Low

A cross-site scripting vulnerability was found in Project Management System 1.0 in the /mail.php file (Mail Compose Page). The attack can be performed remotely and exploit details are publicly available.

CVE-2026-13503
Medium

A path traversal vulnerability was found in ANTLR4 up to version 4.13.2 in the getImportedVocabFile function of TokenVocabParser.java. The attack can be executed remotely and the exploit is publicly available.

CVE-2026-13502
Medium

A time-of-check time-of-use (TOCTOU) vulnerability has been found in ANTLR4 up to version 4.13.2 in the ObjectInputStream.readObject function of the GrammarDependencies.java file in the Maven Plugin component. The attack requires local access and is difficult to exploit, but an exploit has been published.

CVE-2026-13501
Medium

A vulnerability was found in ANTLR4 up to 4.13.2, affecting the GoTarget function in GoTarget.java. A local attacker can inject commands via the gofmt component, leading to unauthorized operations.

CVE-2026-13500
High

A vulnerability has been found in ANTLR4 up to version 4.13.2 in the grammar action block handler function within OutputFile.java. Input manipulation can lead to remote code injection. A public exploit is available for attacks.

CVE-2026-13499
Medium

A stored XSS vulnerability was found in the yashpokharna2555 restaurant management system in login_register.php. Manipulating the Username parameter in the Registration Handler allows remote script execution. The exploit is public and the vendor has not responded.

CVE-2026-13498
High

SQL Injection vulnerability in yashpokharna2555 restaurant-management-system. An attacker can remotely manipulate the 'email' argument in /forgotpassword.php, leading to SQL injection. Exploit is publicly available.

CVE-2026-13497
Medium

A SQL injection vulnerability was found in itsourcecode Hospital Management System 1.0 in the file /appointment.php. An unknown function mishandles the editid argument, allowing remote SQL injection. The exploit has been publicly disclosed and may be used.

CVE-2026-13496
Medium

A SQL injection vulnerability was found in Hospital Management System 1.0 in the file /ajaxmedicine.php. An attacker can remotely manipulate the medicineid argument, leading to SQL injection. The exploit has been made public, increasing the attack risk.

CVE-2026-13495
Medium

A SQL injection vulnerability was found in itsourcecode Hospital Management System 1.0 in the file /adminprofile.php. An attacker can remotely manipulate the loginid argument, leading to SQL injection.

CVE-2026-13493
Low

A flaw has been found in ComfyUI-Copilot up to version 2.0.28 in the Workflow Checkpoint Restore Handler. The issue involves improper control of resource identifiers due to unknown processing in backend/controller/conversation_api.py. The attack can be performed remotely but is difficult due to high complexity.

CVE-2026-13491
Low

A vulnerability was found in the MQTT Goodbye Handler component in file main/protocols/mqtt_protocol.cc of xiaozhi-esp32 up to version 2.2.6. Manipulation of the session_id argument in the Application::GetInstance function leads to a denial of service. The attack is remote but requires high complexity.

CVE-2026-13490
Low

A security vulnerability has been detected in GLPI versions 11.0.5, 11.0.6, and 11.0.7 in the Document Handler component. The function Document::canViewFile in front/document.send.php improperly validates the docid argument, leading to authorization bypass. The attack can be executed remotely but is difficult to exploit due to high complexity.

CVE-2026-13489
Low

A weakness has been identified in the MCP Response Handler component of 78 xiaozhi-esp32 up to version 2.2.6, involving improper synchronization in the ParseMessage function of main/mcp_server.cc. Remote exploitation is possible but considered difficult due to high attack complexity.

CVE-2026-13488
High

A SQL injection vulnerability has been discovered in SourceCodester Class and Exam Timetabling System 1.0/7.php in the file /preview7.php. Manipulation of the course_year_section argument allows remote exploitation. The exploit has been publicly released and may be used in attacks.

CVE-2026-13487
High

A SQL injection vulnerability was found in SourceCodester Class and Exam Timetabling System 1.0 in the /archive.php file via the sy argument. The attack can be performed remotely and the exploit is publicly available.

CVE-2026-13486
High

A SQL injection vulnerability was found in SourceCodester Class and Exam Timetabling System 1.0 in the /preview6.php file. Manipulation of the course_year_section argument allows remote attack. The exploit has been publicly disclosed.

CVE-2026-13485
High

A SQL injection vulnerability was discovered in SourceCodester Class and Exam Timetabling System 1.0 in the /preview.php file. An attacker can remotely manipulate the course_year_section argument, leading to SQL injection. The exploit has been made public, increasing the risk of exploitation.

CVE-2026-13484
Medium

In MLflow up to version 4666cffc7912ea606d592fc38d6a75e2935f65e7, a missing authorization vulnerability was found in the Experiment-scoped Label Schema CRUD API. This flaw allows remote manipulation of data without proper authentication, though exploitation is difficult due to high attack complexity.

CVE-2026-13483
Low

A vulnerability has been found in arc53 DocsGPT up to version 0.18.0 in the encrypt_credentials function within application/security/encryption.py. It involves insufficient verification of data authenticity, potentially allowing remote attacks. Although the exploit is difficult, it has been published and may be used.

PreviousPage 111 of 4494Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS