CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-10634
Medium

Zephyr's TCP stack has a use-after-free vulnerability in net_tcp_foreach(). Releasing tcp_lock during callback iteration allows a concurrent thread to free the next list element, leading to dereferencing freed memory. The bug exists in the TCP2 stack from 2020 up to v4.4.0.

CVE-2025-15659
Medium

Versions of Elizaibots <= 1.0.2 are vulnerable to Cross Site Scripting (XSS), allowing attackers to inject malicious code into the application.

CVE-2025-15658
Medium

There is a Cross Site Scripting (XSS) vulnerability in WP Emmet versions <= 0.3.4 that can be exploited by administrators.

CVE-2026-6517
Medium

Mattermost Desktop App versions <=6.1 5.5.13.0 fail to restrict the allow list of domains to which NTLM credentials were forwarded. This allows any user on a server without the image proxy enabled to intercept other users' credentials via embedding an image that routes to an external web server.

CVE-2026-48969
Medium

Versions of Really Simple SSL up to 9.5.9 have a vulnerability in access control that may allow subscribers unauthorized access to resources.

CVE-2025-64215
Medium

Missing Authorization in StylemixThemes MasterStudy LMS Pro allows accessing functionality not properly constrained by ACLs. This issue affects MasterStudy LMS Pro versions before 4.7.16.

CVE-2016-20083
Medium

The WordPress More Fields Plugin version 2.1 contains a cross-site request forgery (CSRF) vulnerability that allows attackers to perform unauthorized actions by disabling CSRF token validation.

CVE-2016-20082
Medium

The WordPress Plugin Abtest contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the action parameter. Attackers can send GET requests to abtest_admin.php with malicious action values to include files from the admin directory and execute arbitrary code.

CVE-2016-20080
Medium

The Brandfolder plugin for WordPress version 3.0 and earlier contains a local file inclusion vulnerability in callback.php that allows unauthenticated attackers to include arbitrary files by manipulating the wp_abspath parameter.

CVE-2016-20079
MediumEPSS 51%

WordPress Dharma Booking version 2.28.3 and earlier contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the gateway parameter. Attackers can supply file paths with directory traversal sequences or null byte injection to the gateway parameter in proccess.php to read sensitive files like configuration and system files.

CVE-2016-20078
Medium

The WordPress IMDb Profile Widget version 1.0.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the url parameter. Attackers can supply directory traversal sequences in GET requests to pic.php to access sensitive files like wp-config.php containing database credentials and configuration data.

CVE-2016-20077
Medium

The WordPress Plugin Photocart Link version 1.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in decode.php.

CVE-2016-20074
Medium

The WordPress Lazy Content Slider Plugin version 3.4 contains a cross-site request forgery (CSRF) vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms.

CVE-2016-20070
Medium

The WordPress Booking Calendar Contact Form plugin version 1.0.23 contains privilege escalation and stored cross-site scripting vulnerabilities that allow authenticated users to modify plugin options and inject malicious scripts.

CVE-2016-20067
Medium

WordPress CP Polls version 1.0.8 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of authenticated users. Attackers can craft malicious HTML pages that execute unwanted poll operations when administrators visit the page while logged in.

CVE-2026-34030
Medium

The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, does not properly validate the branch code when creating a new branch. This allows an attacker with the appropriate privileges to include path traversal sequences, potentially leading to unintended file storage.

CVE-2026-34029
Medium

The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains a hard-coded cryptographic key in the SafeSystem.Infrastructure.Security.dll component. An attacker with access to the application files can reverse engineer the DLL and recover the hard-coded cryptographic key.

CVE-2026-34028
Medium

The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, exposes web-accessible file paths that are not protected by an authorization scheme. An unauthenticated attacker can directly access HTTP endpoints to download files from locations such as /Resources/CompanyId_[ID]/Audio/ and /SafeData/.

CVE-2026-34027
Medium

The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains insufficient server-side file type validation in the /safe/contract/uploadcustomdocuments endpoint. The application accepts uploaded files based on the user-controlled HTTP Content-Type value, allowing authenticated attackers to upload arbitrary file content.

CVE-2026-34025
Medium

The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains an IP restriction bypass vulnerability in the login process. An attacker with valid branch user credentials can manipulate the X-Forwarded-For header to spoof the expected branch IP address and obtain a valid authenticated session from an unauthorized network location.

PreviousPage 125 of 560Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS