CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
The Abandoned Contact Form 7 plugin for WordPress is vulnerable to unauthorized arbitrary post deletion in versions up to and including 2.2. This is due to a missing capability check and missing nonce validation in the action__remove_abandoned() function.
The RTMKit plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to and including 2.0.7. This is due to the get_submission_content AJAX endpoint lacking a capability check to verify that a user has permission to access the requested form submission data.
An incorrect default permissions issue exists in Optical Disc Archive Software for Windows 5.5.3 and earlier. If exploited, arbitrary code may be executed with SYSTEM privileges.
The Static Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to and including 2.2. The issue arises from the static_block_content() shortcode handler not verifying the post's status and the user's capabilities.
On Xtensa systems with CONFIG_USERSPACE and CONFIG_XTENSA_MMU enabled, there is an issue with managing the list of active memory domains. After a domain is destroyed, a pointer to it remains in the global list, leading to dereferencing a NULL pointer or use-after-free, which can result in page-table memory corruption.
Nokia SR Linux is vulnerable to local privilege escalation vulnerability due to unsanitized format validation. Successful exploitation of this vulnerability may allow an authenticated user to execute arbitrary commands with superuser privileges.
The Video Conferencing with Zoom plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 4.6.7. This is due to the plugin not properly verifying that a user is authorized to perform an action, allowing unauthenticated attackers to obtain the Zoom SDK API key and a freshly-signed JWT.
A use-after-free vulnerability was found in the GnuTLS library in the `gnutls_pkcs11_token_set_pin` function, used for changing the Security Officer PIN. The flaw occurs when an attacker attempts to change the PIN with a NULL old PIN for a token that lacks a protected authentication path.
A flaw was found in the MP3 Extractor `tracker-extract-mp3` component of GNOME localsearch, allowing for a buffer overflow. A remote attacker could exploit this vulnerability by providing a specially crafted MP3 file with malformed ID3 tags.
A flaw was found in GNOME localsearch (previously known as tracker-miners) in the MP3 Extractor component, which involves a heap buffer overflow. This issue occurs when processing specially crafted MP3 files containing malformed ID3v2.3 COMM tags.
A flaw in the `tracker-extract-mp3` component of GNOME localsearch leads to a heap buffer overflow when processing specially crafted MP3 files. A remote attacker could exploit this by providing a malicious MP3 file, resulting in application crashes.
A flaw was found in GNOME localsearch (previously known as tracker-miners) MP3 Extractor. When processing specially crafted MP3 files containing ID3v2.4 tags, a missing bounds check in the `extract_performers_tags` function can lead to a heap buffer overflow.
Improper host validation in the social login autofill feature in Devolutions Remote Desktop Manager 2026.2.8 allows an attacker to disclose stored social login credentials via a crafted web entry pointing to a provider lookalike domain.
The Canon EOS Network Setting Tool version 1.5.0 or earlier uses a non-secure protocol as the default FTP configuration. This may lead to unauthorized access to data transmitted via FTP.
The Canon EOS Network Setting Tool version 1.5.0 and earlier uses weak SSH cryptographic algorithms, which may lead to potential security threats.
The Canon EOS Network Setting Tool version 1.5.0 and earlier uses hard-coded cryptographic keys, which may lead to unauthorized access to data.
The Canon EOS Network Setting Tool version 1.5.0 or earlier has improper validation of server certificates. This can lead to man-in-the-middle attacks.
The Canon EOS Network Setting Tool version 1.5.0 or earlier has improper validation of SSH host keys.
Slim is a PHP micro framework that enables users to write simple web applications and APIs. In versions 4.4.0 through 4.15, if an application uses HttpException::setTitle() and/or setDescription() to include untrusted/request-derived data, an attacker could inject arbitrary HTML/JavaScript that executes in the victim's browser.
Welcart e-Commerce versions up to 2.11.28 have an issue with unauthenticated access that can lead to broken access control.

