CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
The LatePoint – Calendar Booking Plugin for Appointments and Events for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to and including 5.5.1. The plugin chains three independent flaws that allow an authenticated Agent (Agent+) to overwrite a WordPress Administrator's password without invoking an Administrator-only API.
Due to the improper neutralization of special elements used in a name parameter, a low privileged remote attacker can exploit a command injection vulnerability in the Managed Ethernet Switch, resulting in full system compromise.
An unauthenticated Cross Site Scripting (XSS) vulnerability has been identified in Media Library Assistant versions up to 3.35. An attacker can exploit this flaw to inject malicious JavaScript code.
Versions of Pods <= 3.3.8 are vulnerable to unauthenticated Cross Site Scripting (XSS). An attacker can exploit this vulnerability to inject malicious JavaScript code.
There is a SQL Injection vulnerability in Attendance Manager versions <= 0.6.2 that can be exploited by subscribers.
WooCommerce POS versions up to 1.8.14 have an issue with unauthenticated access that allows for broken access control.
The WP Sessions Time Monitoring Full Automatic plugin versions up to 1.1.4 is vulnerable to SQL Injection, allowing unauthorized users to access the database.
JupiterX Core versions up to 4.14.1 have a vulnerability in access control that allows unauthorized access to resources.
Versions of Min Max Step Quantity Limits Manager for WooCommerce up to 5.2.2 are vulnerable to unauthenticated Cross Site Scripting (XSS). An attacker can exploit this vulnerability to inject malicious scripts.
A denial-of-service vulnerability exists in the WebSocket API due to insufficient validation and handling of JSON-based requests. A low-privileged authenticated attacker can send a specially crafted request that causes service disruption and may result in an unexpected device reboot.
Versions of WP Event Solution up to 4.1.12 have an unauthenticated broken access control vulnerability that may allow attackers to access resources they should not have access to.
The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'curselrevs[]' parameter of the wpfb_find_reviews AJAX action in versions up to and including 12.6.8. The issue arises from the handler reading $_POST['curselrevs'] raw with no sanitization or type casting, allowing for the injection of additional SQL queries.
A vulnerability was found in the Linux kernel's pedit (packet editor) mechanism in the networking subsystem. The bug causes a partial copy-on-write (COW), potentially leading to page cache corruption.
The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'stypes' and 'slocations' parameters of the wppro_get_overall_chart_data AJAX action in versions up to and including 12.6.8. The issue arises from improper handling of input data, allowing authenticated attackers to inject additional SQL queries.
The Premmerce Dev Tools plugin for WordPress is vulnerable to Remote Code Execution due to missing authorization in versions up to and including 2.0. The 'generatePluginHandler' function lacks authorization checks before processing user-supplied POST data, allowing attackers to inject PHP code.
A stack-based buffer overflow vulnerability in the CGI program of Zyxel GS1900-48HPv2 firmware versions through 2.90(ABTQ.1)C0 could allow a LAN-based, unauthenticated attacker to exploit the flaw and potentially execute OS commands via a crafted HTTP request.
Improper input validation in the SSH Elevate Shell feature in Devolutions Remote Desktop Manager 2026.2.7 allows an authenticated user with permission to create or modify a shared SSH entry to execute arbitrary commands on a remote SSH host using stored elevation credentials.
CVE-2026-53430 vulnerability concerns improper handling of highly compressed data in elixir-grpc, potentially leading to a denial of service attack via a gzip decompression bomb.
A vulnerability in elixir-grpc grpc allows unauthenticated attackers to exhaust the BEAM's memory and crash the server by streaming large or slow-trickle unary request bodies. The lack of size limits for accumulated data and infinite read timeouts enable uncontrolled memory growth.
Browserstack-cypress-cli versions prior to 1.36.4 are vulnerable to OS command injection via the cypress_config_file configuration parameter. The loadJsFile() function in readCypressConfigUtil.js executes a shell command by interpolating the user-controlled cypress_config_filepath value.

