CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-57334
Medium

The WP User Frontend plugin versions up to 4.3.7 contain a vulnerability allowing unauthenticated attackers to bypass access controls. This flaw enables unauthorized access to functions intended for authenticated users.

CVE-2026-57333
High

The Link Whisper Free plugin version 0.9.4 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious script without requiring authentication.

CVE-2026-57332
High

The Wallet System for WooCommerce plugin version 2.7.6 and earlier contains a broken access control vulnerability for subscribers. This allows users with the subscriber role to perform operations they should not be authorized for.

CVE-2026-57331
Critical

The Performer Arbitrary File Deletion vulnerability in Paid Videochat Turnkey Site versions up to 7.4.8 allows an attacker to delete arbitrary files on the server. This flaw can be exploited to remove critical system or application files.

CVE-2026-57330
Medium

A Cross Site Scripting (XSS) vulnerability in MasterStudy LMS plugin version 3.7.27 and earlier allows an attacker with subscriber role to inject malicious script. This can lead to session theft or redirection to a malicious site.

CVE-2026-57329
Medium

The WooCommerce Designer Pro plugin version 1.9.34 and earlier contains a Cross Site Scripting (XSS) vulnerability exploitable by subscribers. It allows an attacker with subscriber role to inject malicious JavaScript code into the page.

CVE-2026-57328
Medium

The Business Directory plugin version 6.4.22 and earlier is vulnerable to Cross Site Scripting (XSS) from a subscriber level. An authenticated subscriber can inject malicious JavaScript code.

CVE-2026-57327
Medium

The MainWP plugin for WordPress versions 6.1.1 and earlier contains a broken access control vulnerability exploitable by subscribers. A user with the subscriber role can gain unauthorized access to functions intended for administrators.

CVE-2026-57326
Medium

The Business Directory plugin version 6.4.22 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious JavaScript code without requiring authentication.

CVE-2026-57320
High

An unauthenticated Cross Site Scripting (XSS) vulnerability exists in BEAR versions 1.1.8 and earlier. It allows a remote attacker to inject malicious JavaScript code into the page without requiring authentication.

CVE-2026-56290
CriticalActively exploitedEPSS 50%

The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full remote code execution (RCE).

CVE-2026-56124
High

phpUploader before version 2.0.2 contains an unauthenticated information disclosure vulnerability that allows remote attackers to access the full contents of the uploaded-files database table by visiting any page of the application. The index model executes an unbounded SELECT query and embeds the complete JSON-encoded result set in an inline script block, exposing uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints.

CVE-2026-55844
High

The Home Assistant iOS companion app ignores the SSID allowlist for internal networks. When no other URL is found, it falls back to the internal URL, potentially exposing the user's token on an unsecured network.

CVE-2026-55607
High

A vulnerability in Claude Code (versions 2.1.38 through 2.1.163) allows worktree manipulation attacks, including creating worktrees named ".git" and navigating outside the sandbox. An attacker can overwrite files in the user's home directory (e.g., .zshenv), leading to code execution outside seatbelt sandbox restrictions.

CVE-2026-49049
High

The Helix3 plugin for Joomla! exposes an AJAX handler task that allows unauthenticated attackers to delete arbitrary files, write arbitrary JSON files, and update template parameters.

CVE-2026-46406
Medium

Claude Code versions 2.1.59 through 2.1.128 write responses from the /copy command to /tmp/claude/response.md without UID isolation, randomness, or symlink protection. The file is created world-readable (0644) in a world-traversable directory (0755), allowing any local user to read a privileged user's Claude response, which may contain secrets or credentials.

CVE-2026-13579
Medium

A SQL injection vulnerability has been found in itsourcecode Hospital Management System 1.0 in the /patientchangepassword.php file. By manipulating the newpassword argument, an attacker can remotely execute unauthorized database queries. The exploit has been made public, increasing the risk of attacks.

CVE-2026-13578
Medium

A SQL injection vulnerability has been discovered in itsourcecode Hospital Management System 1.0 in the /patientdetail.php file. An attacker can remotely manipulate the editid argument, leading to SQL injection. The exploit has been publicly released.

CVE-2026-13574
Low

A vulnerability was found in LLVM up to version 22.1.6 in the GCRelocateInst::getBasePtr function within IntrinsicInst.cpp, which handles Bitcode files. Manipulation of input data can cause a heap-based buffer overflow. The attack requires local access, and the exploit has been publicly disclosed, although LLVM authors question whether this is a genuine security vulnerability.

CVE-2026-13573
Low

A stack-based buffer overflow vulnerability exists in the LLVM library in the llvm::StringMap::insert function within ValueSymbolTable.cpp. The issue affects versions up to 22.1.6 and requires local access to exploit.

PreviousPage 118 of 4530Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS