CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-45436
Medium

There is a broken access control issue in WPBakery Page Builder versions up to 8.7.2 that may allow unauthorized users to access subscriber resources.

CVE-2026-44587
Medium

In the CarrierWave framework, versions prior to 2.2.7 and 3.1.3, the content_type_denylist check fails to properly handle regex metacharacters in string entries, leading to intended content types not being blocked. As a result, applications may be vulnerable to XSS attacks through uploading SVG files containing malicious JavaScript.

CVE-2026-42357
Medium

The Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access.

CVE-2026-41280
Medium

The Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects.

CVE-2026-40724
Medium

CP Client Portal (Pro) versions up to 5.6.2 have a vulnerability that allows unauthorized users to download arbitrary files.

CVE-2026-40723
Medium

Bricks Builder versions up to 2.1.4 contain a vulnerability in access control that may allow subscribers unauthorized access to resources.

CVE-2026-40722
Medium

A missing authorization vulnerability in Yoast SEO Premium allows exploiting incorrectly configured access control security levels.

CVE-2026-39595
Medium

W3 Total Cache versions up to 2.9.1 contain a broken access control vulnerability, potentially allowing unauthorized access to resources.

CVE-2026-39578
Medium

There is an unauthenticated PHP Object Injection vulnerability in Valiance <= 1.2 versions.

CVE-2026-39577
Medium

Playroom versions up to 1.4.1 are vulnerable to unauthenticated PHP object injection.

CVE-2026-39433
Medium

In WPAMS versions below 49.5.3, there is a vulnerability that allows subscribers to delete arbitrary content.

CVE-2026-2604
Medium

A flaw was found in evolution-data-server that allows for inconsistent comparison in the addressbook file backend. A Flatpak application with D-Bus access can craft a malicious URI containing directory traversal sequences, leading to the deletion of arbitrary files on the host filesystem.

CVE-2026-28587
Medium

In MmsSmsProvider of MmsSmsProvider.java, there is a possible way to retrieve sensitive information due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed.

CVE-2026-28576
Medium

In Contacts Provider, there is a possible way to access the contacts database due to SQL injection. This could lead to local information disclosure with no additional execution privileges needed.

CVE-2026-28575
Medium

In PackageInstaller.Session#transfer, there is a logic error that may lead to a memory exhaustion attack. This could result in local denial of service with no additional execution privileges needed.

CVE-2026-27870
Medium

A Cross-Site Scripting (XSS) vulnerability in the Regesta Smart HD-PLC device from Teldat allows an authenticated network attacker to inject arbitrary JavaScript via the 'Hostname' field in the configuration file. The script executes in the context of the /upgrade/query.php?cmd=p+3%3Bversion path.

CVE-2026-27869
Medium

A vulnerability in the Teldat Regesta Smart HD-PLC device allows an unauthenticated network attacker to perform a Slow Loris attack, causing Denial of Service (DoS) on the web interface. The issue affects firmware version TLDPH16D2 11.02.05.10.02.

CVE-2026-27868
Medium

A vulnerability in the Teldat Regesta Smart HD-PLC device allows an attacker with network access (no authentication required) to obtain privilege information by sending a Version request to the path /upgrade/query.php?cmd=p+3&3Bversion. This affects firmware version TLDPH16D2 11.02.05.10.02.

CVE-2026-27410
Medium

In Slimstat Analytics versions below 5.4.0, there is a vulnerability to unauthenticated deserialization of untrusted data.

CVE-2026-24610
Medium

There is a broken access control issue in MetForm Pro versions up to 3.9.1 that may allow unauthorized subscribers to access resources.

PreviousPage 121 of 569Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS