CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-40743
Medium

Versions of Tutor LMS up to 3.9.7 have an issue with unauthenticated access that can lead to broken access control.

CVE-2026-39594
Medium

There is a broken access control issue in Ultra Addons for WPForms versions <= 1.0.11 that may allow unauthorized users to access subscriber resources.

CVE-2026-39584
Medium

RepairBuddy versions up to 4.1132 have a broken access control issue that may allow subscribers unauthorized access to resources.

CVE-2026-39540
Medium

There is a Cross Site Scripting (XSS) vulnerability in Shipment Tracker for Woocommerce versions up to 1.5.3.2 affecting subscribers.

CVE-2026-39527
Medium

WpStream versions below 4.11.2 have a vulnerability allowing subscribers to upload arbitrary files.

CVE-2026-39525
Medium

Booking Activities versions up to 1.16.48.1 have a vulnerability in access control that allows unauthorized access.

CVE-2026-39515
Medium

Versions of the engine below 1.4.107 have a broken access control issue for subscribers, which may lead to unauthorized access to resources.

CVE-2026-39491
Medium

There is a Cross Site Scripting (XSS) vulnerability for subscribers in JupiterX Core versions <= 4.14.1.

CVE-2026-39489
Medium

In Download Monitor versions <= 5.1.9, there is a vulnerability that allows unauthorized users to download arbitrary files.

CVE-2026-39468
Medium

In Meta Box, a WordPress custom fields framework, there is a vulnerability allowing arbitrary file deletion by a contributor in versions up to 5.11.1.

CVE-2026-39451
Medium

The WP Google Review Slider plugin versions up to 18.0 contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can exploit this flaw to inject malicious JavaScript code.

CVE-2026-34892
Medium

There is a broken access control issue in Rank Math SEO versions up to 1.0.271 that may allow unauthorized users to access subscription features.

CVE-2026-25440
Medium

Unauthenticated Broken Access Control exists in Essential Addons for Elementor versions below 6.6.0.

CVE-2025-69332
Medium

There is a broken access control issue in Bookify versions up to 1.1.1 that may allow subscribers unauthorized access to resources.

CVE-2025-68049
Medium

Versions of bunny.net up to 2.3.6 contain a vulnerability in access control that may allow subscribers unauthorized access to resources.

CVE-2025-60175
Medium

PopAd versions up to 1.0.4 contain a Server Side Request Forgery (SSRF) vulnerability that can be exploited by an attacker to send unauthorized requests from the server.

CVE-2026-52721
Medium

Multiple out-of-bounds read vulnerabilities were found in GStreamer's pcapparse element. Malformed PCAP records can trigger reads beyond buffer boundaries during IPv4/TCP header parsing.

CVE-2026-52718
Medium

A denial of service vulnerability was found in GStreamer's AV1 codec parser in gst-plugins-bad. The gst_av1_parser_parse_tile_list_obu() function passes a byte count to a bit-reader API that expects a bit count, causing parser desynchronization. A remote attacker could trick a user into opening a specially crafted AV1 media file, triggering an assertion abort and causing the application to crash.

CVE-2026-50892
Medium

In Nginx Proxy Manager v2.14.0, incorrect access control in the 'Let's Encrypt' certificate download endpoint allows authenticated attackers to obtain TLS private key material via a crafted GET request.

CVE-2026-50876
Medium

A cross-site scripting (XSS) vulnerability in Deck9 Input v2.0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

PreviousPage 116 of 553Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS