CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2025-0824
Low

Hitachi Virtual Storage Platform One Block 23, 24, 26, 28 lack firmware update validation. This issue affects versions before DKCMAIN A3-04-21-40/00 and ESM A3-04-21/00.

CVE-2026-53325
Medium

In the Linux kernel AMD64 AGP driver, a vulnerability was found due to incorrect error checking of the return value from cache_nbs(). When no physical AMD northbridge is present (e.g., in virtualized environments), the function returns -ENODEV, but the code only checks for -1, masking the error and leading to a NULL pointer dereference in amd64_fetch_size().

CVE-2026-13538
MediumEPSS 67%

A command injection vulnerability was found in Wavlink WL-NU516U1-A firmware version M16U1_V240425. The issue is in the sub_401D68 function of the /cgi-bin/wireless.cgi file, where the SSID2G2, SSID5G2, AuthMethod2, and WPAPSK12 parameters are improperly handled. Remote exploitation is possible, and the exploit has been publicly disclosed.

CVE-2026-13537
Medium

A cross-site request forgery (CSRF) vulnerability was found in CodeAstro Human Resource Management System 1.0. An unknown function allows remote attackers to perform unauthorized actions on behalf of an authenticated user. The exploit has been made public and could be used.

CVE-2026-13536
Medium

A cross-site scripting vulnerability was found in GotoHTTP up to version 10.2 in the /reg.12x file via the sn parameter. The attack can be performed remotely and the exploit details have been publicly disclosed.

CVE-2026-13535
Medium

A SQL injection vulnerability was found in CodeAstro Human Resource Management System 1.0 in the GetFileInfo function of Employee_model.php. Manipulating the ID argument in the view endpoint allows remote attack. The exploit has been published and may be used.

CVE-2026-13534
Medium

In CherryHQ cherry-studio up to version 1.9.7, a vulnerability was found in the sha256 function of the MemoryService.ts file in the CherryIN Preload API component. Manipulation of the state argument leads to authorization bypass.

CVE-2026-13533
Medium

A security vulnerability in Cockpit CMS up to version 0.12.2 affects the Spyc::YAMLLoad function in the /config/config.yaml file of the htaccess Handler component. This manipulation leads to unauthorized access to files or directories. The attack can be launched remotely and the exploit has been publicly disclosed.

CVE-2026-13532
Medium

A SQL injection vulnerability has been found in itsourcecode Hospital Management System 1.0 in the file /departmentDoctor.php. An attacker can remotely manipulate the deptid argument, leading to unauthorized database access. The exploit has been made public, increasing the risk of attacks.

CVE-2026-13531
Medium

A SQL injection vulnerability has been found in itsourcecode Hospital Management System 1.0 in the /department.php file. An attacker can remotely manipulate the editid argument, leading to SQL injection. The exploit has been publicly released.

CVE-2026-13530
Medium

A SQL injection vulnerability was found in itsourcecode Hospital Management System 1.0 in the file /appointmentdetail.php. An attacker can remotely manipulate the editid argument, leading to SQL injection. The exploit is publicly available.

CVE-2026-13529
Medium

A SQL injection vulnerability was found in YzmCMS up to version 7.5 in the file /application/install/index.php. The attack involves manipulating the siteurl argument and can be executed remotely, though it is considered difficult to exploit. The exploit has been publicly disclosed.

CVE-2026-13528
High

A path traversal vulnerability was found in ruoyi-vue-pro up to version 2026.04-jdk8-SNAPSHOT in the generateUploadPath function of FileServiceImpl.java. An attacker can remotely manipulate the file path, leading to unauthorized access to resources.

CVE-2026-13527
High

A SQL injection vulnerability has been found in SourceCodester Class and Exam Timetabling System 1.0 in the file /preview4.php. An unknown function improperly handles the course_year_section argument, allowing an attacker to inject SQL code. The attack can be launched remotely and exploit details have been publicly disclosed.

CVE-2026-13526
High

A SQL injection vulnerability has been found in SourceCodester Class and Exam Timetabling System 1.0 in the /edit_class.php file via the ID parameter. The attack can be performed remotely and the exploit has been published.

CVE-2026-13525
Medium

A SQL injection vulnerability was found in CodeAstro Human Resource Management System 1.0 in the emselectByCode function of Employee_model.php. The attack manipulates the emid argument in the Update_Earn_Leave endpoint. It can be exploited remotely and the exploit is publicly available.

CVE-2026-13524
Medium

A vulnerability was found in CherryHQ cherry-studio up to version 1.9.6 in the MCP OAuth Local Callback Server component. Manipulation of the 'code' argument in callback.ts leads to improper authorization. The attack can be initiated remotely but is considered difficult to exploit.

CVE-2026-13523
Low

A weakness in the ISOBMFF Parser component of GPAC up to version 26.02.0 affects the file src/utils/base_encoding.c. A local attacker can trigger manipulation leading to highly compressed data, potentially causing uncontrolled data expansion after decompression. A public exploit increases the risk of attacks.

CVE-2026-13522
Medium

A security flaw has been discovered in SlimPDFReader up to version 2.0.14 in the function SlimPDFReader!Investintech::PCV::TeighaDo+0x25cde0 of SlimPDFReader.exe. Manipulation leads to an out-of-bounds read. The attack can be initiated remotely.

CVE-2026-13521
High

A SQL injection vulnerability was found in SourceCodester Class and Exam Timetabling System 1.0/5.php in the file /preview5.php. An attacker can remotely manipulate the course_year_section argument, leading to SQL injection. The exploit is publicly available.

PreviousPage 112 of 4499Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS