CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
The WP Google Review Slider plugin versions up to 18.0 contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can exploit this flaw to inject malicious JavaScript code.
There is a broken access control issue in Rank Math SEO versions up to 1.0.271 that may allow unauthorized users to access subscription features.
Unauthenticated Broken Access Control exists in Essential Addons for Elementor versions below 6.6.0.
There is a broken access control issue in Bookify versions up to 1.1.1 that may allow subscribers unauthorized access to resources.
Versions of bunny.net up to 2.3.6 contain a vulnerability in access control that may allow subscribers unauthorized access to resources.
PopAd versions up to 1.0.4 contain a Server Side Request Forgery (SSRF) vulnerability that can be exploited by an attacker to send unauthorized requests from the server.
Multiple out-of-bounds read vulnerabilities were found in GStreamer's pcapparse element. Malformed PCAP records can trigger reads beyond buffer boundaries during IPv4/TCP header parsing.
A denial of service vulnerability was found in GStreamer's AV1 codec parser in gst-plugins-bad. The gst_av1_parser_parse_tile_list_obu() function passes a byte count to a bit-reader API that expects a bit count, causing parser desynchronization. A remote attacker could trick a user into opening a specially crafted AV1 media file, triggering an assertion abort and causing the application to crash.
In Nginx Proxy Manager v2.14.0, incorrect access control in the 'Let's Encrypt' certificate download endpoint allows authenticated attackers to obtain TLS private key material via a crafted GET request.
A cross-site scripting (XSS) vulnerability in Deck9 Input v2.0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
Discuz! X5.0 versions from 20260320 to 20260610 contain a CAPTCHA bypass vulnerability that allows unauthenticated remote attackers to defeat challenge controls by exploiting limited complexity and predictable character sets in generated CAPTCHA images.
Version v0.54.0 of Datadog, Inc Vector has an issue in the /util/http/prelude.rs endpoint that allows attackers to cause a Denial of Service (DoS) via a crafted request or payload.
Ruoyi version 4.8.2 is vulnerable to Cross Site Scripting (XSS) at the interface /system/notice/add.
An issue in Boyleep K11 with y108 firmware v.2.3.0.11291 allows a physically proximate attacker to execute arbitrary code via the factory test feature.
PublicCMS V5.202506.d has a Cross Site Scripting (XSS) vulnerability in the site configuration management module.
Kiro IDE on macOS and Linux before version 0.11.133 has incorrect default permissions that could expose the authentication token cache file to other local users or processes. The file permissions are set to 0644 instead of 0600.
A NULL pointer dereference occurs in Roy Marples NetworkConfiguration/dhcpcd version 10.3.0 while parsing configuration options. This error occurs in the parse_option() function when an unexpected or invalid option token causes the lookup to yield NULL.
A segmentation violation in the Track_SetStreamDescriptor function in GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) by supplying a crafted MP4 file.
A heap buffer overflow in the Opus audio stream parser component of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
A stack overflow in the gf_opus_read_length function in GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) by supplying a crafted MP4 file.

