CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
Versions of Tutor LMS up to 3.9.7 have an issue with unauthenticated access that can lead to broken access control.
There is a broken access control issue in Ultra Addons for WPForms versions <= 1.0.11 that may allow unauthorized users to access subscriber resources.
RepairBuddy versions up to 4.1132 have a broken access control issue that may allow subscribers unauthorized access to resources.
There is a Cross Site Scripting (XSS) vulnerability in Shipment Tracker for Woocommerce versions up to 1.5.3.2 affecting subscribers.
WpStream versions below 4.11.2 have a vulnerability allowing subscribers to upload arbitrary files.
Booking Activities versions up to 1.16.48.1 have a vulnerability in access control that allows unauthorized access.
Versions of the engine below 1.4.107 have a broken access control issue for subscribers, which may lead to unauthorized access to resources.
There is a Cross Site Scripting (XSS) vulnerability for subscribers in JupiterX Core versions <= 4.14.1.
In Download Monitor versions <= 5.1.9, there is a vulnerability that allows unauthorized users to download arbitrary files.
In Meta Box, a WordPress custom fields framework, there is a vulnerability allowing arbitrary file deletion by a contributor in versions up to 5.11.1.
The WP Google Review Slider plugin versions up to 18.0 contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can exploit this flaw to inject malicious JavaScript code.
There is a broken access control issue in Rank Math SEO versions up to 1.0.271 that may allow unauthorized users to access subscription features.
Unauthenticated Broken Access Control exists in Essential Addons for Elementor versions below 6.6.0.
There is a broken access control issue in Bookify versions up to 1.1.1 that may allow subscribers unauthorized access to resources.
Versions of bunny.net up to 2.3.6 contain a vulnerability in access control that may allow subscribers unauthorized access to resources.
PopAd versions up to 1.0.4 contain a Server Side Request Forgery (SSRF) vulnerability that can be exploited by an attacker to send unauthorized requests from the server.
Multiple out-of-bounds read vulnerabilities were found in GStreamer's pcapparse element. Malformed PCAP records can trigger reads beyond buffer boundaries during IPv4/TCP header parsing.
A denial of service vulnerability was found in GStreamer's AV1 codec parser in gst-plugins-bad. The gst_av1_parser_parse_tile_list_obu() function passes a byte count to a bit-reader API that expects a bit count, causing parser desynchronization. A remote attacker could trick a user into opening a specially crafted AV1 media file, triggering an assertion abort and causing the application to crash.
In Nginx Proxy Manager v2.14.0, incorrect access control in the 'Let's Encrypt' certificate download endpoint allows authenticated attackers to obtain TLS private key material via a crafted GET request.
A cross-site scripting (XSS) vulnerability in Deck9 Input v2.0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

