CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
A cross-site scripting vulnerability was found in Project Management System 1.0 in the /mail.php file (Mail Compose Page). The attack can be performed remotely and exploit details are publicly available.
A path traversal vulnerability was found in ANTLR4 up to version 4.13.2 in the getImportedVocabFile function of TokenVocabParser.java. The attack can be executed remotely and the exploit is publicly available.
A time-of-check time-of-use (TOCTOU) vulnerability has been found in ANTLR4 up to version 4.13.2 in the ObjectInputStream.readObject function of the GrammarDependencies.java file in the Maven Plugin component. The attack requires local access and is difficult to exploit, but an exploit has been published.
A vulnerability was found in ANTLR4 up to 4.13.2, affecting the GoTarget function in GoTarget.java. A local attacker can inject commands via the gofmt component, leading to unauthorized operations.
A vulnerability has been found in ANTLR4 up to version 4.13.2 in the grammar action block handler function within OutputFile.java. Input manipulation can lead to remote code injection. A public exploit is available for attacks.
A stored XSS vulnerability was found in the yashpokharna2555 restaurant management system in login_register.php. Manipulating the Username parameter in the Registration Handler allows remote script execution. The exploit is public and the vendor has not responded.
SQL Injection vulnerability in yashpokharna2555 restaurant-management-system. An attacker can remotely manipulate the 'email' argument in /forgotpassword.php, leading to SQL injection. Exploit is publicly available.
A SQL injection vulnerability was found in itsourcecode Hospital Management System 1.0 in the file /appointment.php. An unknown function mishandles the editid argument, allowing remote SQL injection. The exploit has been publicly disclosed and may be used.
A SQL injection vulnerability was found in Hospital Management System 1.0 in the file /ajaxmedicine.php. An attacker can remotely manipulate the medicineid argument, leading to SQL injection. The exploit has been made public, increasing the attack risk.
A SQL injection vulnerability was found in itsourcecode Hospital Management System 1.0 in the file /adminprofile.php. An attacker can remotely manipulate the loginid argument, leading to SQL injection.
A flaw has been found in ComfyUI-Copilot up to version 2.0.28 in the Workflow Checkpoint Restore Handler. The issue involves improper control of resource identifiers due to unknown processing in backend/controller/conversation_api.py. The attack can be performed remotely but is difficult due to high complexity.
A vulnerability was found in the MQTT Goodbye Handler component in file main/protocols/mqtt_protocol.cc of xiaozhi-esp32 up to version 2.2.6. Manipulation of the session_id argument in the Application::GetInstance function leads to a denial of service. The attack is remote but requires high complexity.
A security vulnerability has been detected in GLPI versions 11.0.5, 11.0.6, and 11.0.7 in the Document Handler component. The function Document::canViewFile in front/document.send.php improperly validates the docid argument, leading to authorization bypass. The attack can be executed remotely but is difficult to exploit due to high complexity.
A weakness has been identified in the MCP Response Handler component of 78 xiaozhi-esp32 up to version 2.2.6, involving improper synchronization in the ParseMessage function of main/mcp_server.cc. Remote exploitation is possible but considered difficult due to high attack complexity.
A SQL injection vulnerability has been discovered in SourceCodester Class and Exam Timetabling System 1.0/7.php in the file /preview7.php. Manipulation of the course_year_section argument allows remote exploitation. The exploit has been publicly released and may be used in attacks.
A SQL injection vulnerability was found in SourceCodester Class and Exam Timetabling System 1.0 in the /archive.php file via the sy argument. The attack can be performed remotely and the exploit is publicly available.
A SQL injection vulnerability was found in SourceCodester Class and Exam Timetabling System 1.0 in the /preview6.php file. Manipulation of the course_year_section argument allows remote attack. The exploit has been publicly disclosed.
A SQL injection vulnerability was discovered in SourceCodester Class and Exam Timetabling System 1.0 in the /preview.php file. An attacker can remotely manipulate the course_year_section argument, leading to SQL injection. The exploit has been made public, increasing the risk of exploitation.
In MLflow up to version 4666cffc7912ea606d592fc38d6a75e2935f65e7, a missing authorization vulnerability was found in the Experiment-scoped Label Schema CRUD API. This flaw allows remote manipulation of data without proper authentication, though exploitation is difficult due to high attack complexity.
A vulnerability has been found in arc53 DocsGPT up to version 0.18.0 in the encrypt_credentials function within application/security/encryption.py. It involves insufficient verification of data authenticity, potentially allowing remote attacks. Although the exploit is difficult, it has been published and may be used.

