CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-8176
High

The LatePoint – Calendar Booking Plugin for Appointments and Events for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to and including 5.5.1. The plugin chains three independent flaws that allow an authenticated Agent (Agent+) to overwrite a WordPress Administrator's password without invoking an Administrator-only API.

CVE-2026-5416
HighEPSS 67%

Due to the improper neutralization of special elements used in a name parameter, a low privileged remote attacker can exploit a command injection vulnerability in the Managed Ethernet Switch, resulting in full system compromise.

CVE-2026-54198
High

An unauthenticated Cross Site Scripting (XSS) vulnerability has been identified in Media Library Assistant versions up to 3.35. An attacker can exploit this flaw to inject malicious JavaScript code.

CVE-2026-54191
High

Versions of Pods <= 3.3.8 are vulnerable to unauthenticated Cross Site Scripting (XSS). An attacker can exploit this vulnerability to inject malicious JavaScript code.

CVE-2026-52712
High

There is a SQL Injection vulnerability in Attendance Manager versions <= 0.6.2 that can be exploited by subscribers.

CVE-2026-52711
High

WooCommerce POS versions up to 1.8.14 have an issue with unauthenticated access that allows for broken access control.

CVE-2026-39581
High

The WP Sessions Time Monitoring Full Automatic plugin versions up to 1.1.4 is vulnerable to SQL Injection, allowing unauthorized users to access the database.

CVE-2026-39490
High

JupiterX Core versions up to 4.14.1 have a vulnerability in access control that allows unauthorized access to resources.

CVE-2026-39437
High

Versions of Min Max Step Quantity Limits Manager for WooCommerce up to 5.2.2 are vulnerable to unauthenticated Cross Site Scripting (XSS). An attacker can exploit this vulnerability to inject malicious scripts.

CVE-2026-10825
High

A denial-of-service vulnerability exists in the WebSocket API due to insufficient validation and handling of JSON-based requests. A low-privileged authenticated attacker can send a specially crafted request that causes service disruption and may result in an unexpected device reboot.

CVE-2025-68045
High

Versions of WP Event Solution up to 4.1.12 have an unauthenticated broken access control vulnerability that may allow attackers to access resources they should not have access to.

CVE-2026-8444
High

The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'curselrevs[]' parameter of the wpfb_find_reviews AJAX action in versions up to and including 12.6.8. The issue arises from the handler reading $_POST['curselrevs'] raw with no sanitization or type casting, allowing for the injection of additional SQL queries.

CVE-2026-46331
High

A vulnerability was found in the Linux kernel's pedit (packet editor) mechanism in the networking subsystem. The bug causes a partial copy-on-write (COW), potentially leading to page cache corruption.

CVE-2026-8443
High

The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'stypes' and 'slocations' parameters of the wppro_get_overall_chart_data AJAX action in versions up to and including 12.6.8. The issue arises from improper handling of input data, allowing authenticated attackers to inject additional SQL queries.

CVE-2026-6933
High

The Premmerce Dev Tools plugin for WordPress is vulnerable to Remote Code Execution due to missing authorization in versions up to and including 2.0. The 'generatePluginHandler' function lacks authorization checks before processing user-supplied POST data, allowing attackers to inject PHP code.

CVE-2026-7273
High

A stack-based buffer overflow vulnerability in the CGI program of Zyxel GS1900-48HPv2 firmware versions through 2.90(ABTQ.1)C0 could allow a LAN-based, unauthenticated attacker to exploit the flaw and potentially execute OS commands via a crafted HTTP request.

CVE-2026-12161
High

Improper input validation in the SSH Elevate Shell feature in Devolutions Remote Desktop Manager 2026.2.7 allows an authenticated user with permission to create or modify a shared SSH entry to execute arbitrary commands on a remote SSH host using stored elevation credentials.

CVE-2026-53430
High

CVE-2026-53430 vulnerability concerns improper handling of highly compressed data in elixir-grpc, potentially leading to a denial of service attack via a gzip decompression bomb.

CVE-2026-48854
High

A vulnerability in elixir-grpc grpc allows unauthenticated attackers to exhaust the BEAM's memory and crash the server by streaming large or slow-trickle unary request bodies. The lack of size limits for accumulated data and infinite read timeouts enable uncontrolled memory growth.

CVE-2026-48723
High

Browserstack-cypress-cli versions prior to 1.36.4 are vulnerable to OS command injection via the cypress_config_file configuration parameter. The loadJsFile() function in readCypressConfigUtil.js executes a shell command by interpolating the user-controlled cypress_config_filepath value.

PreviousPage 124 of 3354Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS