CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-39451
Medium

The WP Google Review Slider plugin versions up to 18.0 contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can exploit this flaw to inject malicious JavaScript code.

CVE-2026-34892
Medium

There is a broken access control issue in Rank Math SEO versions up to 1.0.271 that may allow unauthorized users to access subscription features.

CVE-2026-25440
Medium

Unauthenticated Broken Access Control exists in Essential Addons for Elementor versions below 6.6.0.

CVE-2025-69332
Medium

There is a broken access control issue in Bookify versions up to 1.1.1 that may allow subscribers unauthorized access to resources.

CVE-2025-68049
Medium

Versions of bunny.net up to 2.3.6 contain a vulnerability in access control that may allow subscribers unauthorized access to resources.

CVE-2025-60175
Medium

PopAd versions up to 1.0.4 contain a Server Side Request Forgery (SSRF) vulnerability that can be exploited by an attacker to send unauthorized requests from the server.

CVE-2026-52721
Medium

Multiple out-of-bounds read vulnerabilities were found in GStreamer's pcapparse element. Malformed PCAP records can trigger reads beyond buffer boundaries during IPv4/TCP header parsing.

CVE-2026-52718
Medium

A denial of service vulnerability was found in GStreamer's AV1 codec parser in gst-plugins-bad. The gst_av1_parser_parse_tile_list_obu() function passes a byte count to a bit-reader API that expects a bit count, causing parser desynchronization. A remote attacker could trick a user into opening a specially crafted AV1 media file, triggering an assertion abort and causing the application to crash.

CVE-2026-50892
Medium

In Nginx Proxy Manager v2.14.0, incorrect access control in the 'Let's Encrypt' certificate download endpoint allows authenticated attackers to obtain TLS private key material via a crafted GET request.

CVE-2026-50876
Medium

A cross-site scripting (XSS) vulnerability in Deck9 Input v2.0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

CVE-2026-49953
Medium

Discuz! X5.0 versions from 20260320 to 20260610 contain a CAPTCHA bypass vulnerability that allows unauthenticated remote attackers to defeat challenge controls by exploiting limited complexity and predictable character sets in generated CAPTCHA images.

CVE-2026-39197
Medium

Version v0.54.0 of Datadog, Inc Vector has an issue in the /util/http/prelude.rs endpoint that allows attackers to cause a Denial of Service (DoS) via a crafted request or payload.

CVE-2026-37216
Medium

Ruoyi version 4.8.2 is vulnerable to Cross Site Scripting (XSS) at the interface /system/notice/add.

CVE-2026-36933
Medium

An issue in Boyleep K11 with y108 firmware v.2.3.0.11291 allows a physically proximate attacker to execute arbitrary code via the factory test feature.

CVE-2026-36521
Medium

PublicCMS V5.202506.d has a Cross Site Scripting (XSS) vulnerability in the site configuration management module.

CVE-2026-11931
Medium

Kiro IDE on macOS and Linux before version 0.11.133 has incorrect default permissions that could expose the authentication token cache file to other local users or processes. The file permissions are set to 0644 instead of 0600.

CVE-2025-70102
Medium

A NULL pointer dereference occurs in Roy Marples NetworkConfiguration/dhcpcd version 10.3.0 while parsing configuration options. This error occurs in the parse_option() function when an unexpected or invalid option token causes the lookup to yield NULL.

CVE-2025-55663
Medium

A segmentation violation in the Track_SetStreamDescriptor function in GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) by supplying a crafted MP4 file.

CVE-2025-55661
Medium

A heap buffer overflow in the Opus audio stream parser component of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.

CVE-2025-55660
Medium

A stack overflow in the gf_opus_read_length function in GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) by supplying a crafted MP4 file.

PreviousPage 123 of 560Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS