CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-13514
Low

A weakness has been identified in Chess Play and Learn App up to version 4.9.42 on Android, involving processing of AndroidManifest.xml in the com.chess component. This manipulation leads to exposure of backup file to an unauthorized control sphere. The attack requires physical access to the device.

CVE-2026-13513
Medium

A security flaw was discovered in MyScale MyScaleDB up to version 1.8.0 in the SegmentId::getCacheKey function within src/VectorIndex/Common/SegmentId.h. It involves insufficient verification of data authenticity, allowing remote attacks with high complexity. The exploit has been published, and a fix is pending acceptance.

CVE-2026-13512
Medium

A vulnerability was found in Databend up to version 1.2.881 on HTTP. The ClientSessionManager::state_key function in client_session_manager.rs allows authorization bypass. The attack can be performed remotely and the exploit is publicly available.

CVE-2026-13511
Low

A vulnerability was found in VoltAgent up to version 2.1.17 in the Memory REST API component. The function handleGetMemoryConversation in memory.handlers.ts improperly authorizes access after manipulation of the conversationId argument. The attack can be performed remotely but is difficult to exploit due to high complexity.

CVE-2026-13510
Low

A vulnerability was found in SimStudioAI sim up to version 0.6.92 in the password protection handler component (apps/sim/lib/core/security/deployment.ts). Manipulation leads to use of a weak hash, enabling a remote attack with high complexity. The exploit has been made public and a fix is pending.

CVE-2026-13509
Medium

A vulnerability was found in RAGapp up to version 0.1.5 in the FileHandler.upload_file/FileHandler.remove_file function in src/ragapp/backend/controllers/files.py. This flaw allows remote path traversal attacks.

CVE-2026-13508
Medium

A vulnerability was found in khoj-ai khoj up to version 2.0.0-beta.28 in the Conversation Sharing Handler function in src/khoj/routers/api_chat.py. Manipulation of the conversation.agent argument causes incorrect authorization, allowing remote exploitation without authentication.

CVE-2026-13507
Medium

A vulnerability was found in the Local VectorDB Primary-key Label Handler component of OpenViking up to version 0.3.21, where insufficient verification of data authenticity occurs when processing the ID argument in the str_to_uint64 function. The attack can be launched remotely but is highly complex and difficult to exploit.

CVE-2026-49048
Critical

The JoomCCK extension for Joomla exposes a front-end controller task that builds two SQL statements by directly concatenating a user-supplied request parameter into the query string without escaping or parameterization.

CVE-2026-13504
Low

A cross-site scripting vulnerability was found in Project Management System 1.0 in the /mail.php file (Mail Compose Page). The attack can be performed remotely and exploit details are publicly available.

CVE-2026-13503
Medium

A path traversal vulnerability was found in ANTLR4 up to version 4.13.2 in the getImportedVocabFile function of TokenVocabParser.java. The attack can be executed remotely and the exploit is publicly available.

CVE-2026-13502
Medium

A time-of-check time-of-use (TOCTOU) vulnerability has been found in ANTLR4 up to version 4.13.2 in the ObjectInputStream.readObject function of the GrammarDependencies.java file in the Maven Plugin component. The attack requires local access and is difficult to exploit, but an exploit has been published.

CVE-2026-13501
Medium

A vulnerability was found in ANTLR4 up to 4.13.2, affecting the GoTarget function in GoTarget.java. A local attacker can inject commands via the gofmt component, leading to unauthorized operations.

CVE-2026-13500
High

A vulnerability has been found in ANTLR4 up to version 4.13.2 in the grammar action block handler function within OutputFile.java. Input manipulation can lead to remote code injection. A public exploit is available for attacks.

CVE-2026-13499
Medium

A stored XSS vulnerability was found in the yashpokharna2555 restaurant management system in login_register.php. Manipulating the Username parameter in the Registration Handler allows remote script execution. The exploit is public and the vendor has not responded.

CVE-2026-13498
High

SQL Injection vulnerability in yashpokharna2555 restaurant-management-system. An attacker can remotely manipulate the 'email' argument in /forgotpassword.php, leading to SQL injection. Exploit is publicly available.

CVE-2026-13497
Medium

A SQL injection vulnerability was found in itsourcecode Hospital Management System 1.0 in the file /appointment.php. An unknown function mishandles the editid argument, allowing remote SQL injection. The exploit has been publicly disclosed and may be used.

CVE-2026-13496
Medium

A SQL injection vulnerability was found in Hospital Management System 1.0 in the file /ajaxmedicine.php. An attacker can remotely manipulate the medicineid argument, leading to SQL injection. The exploit has been made public, increasing the attack risk.

CVE-2026-13495
Medium

A SQL injection vulnerability was found in itsourcecode Hospital Management System 1.0 in the file /adminprofile.php. An attacker can remotely manipulate the loginid argument, leading to SQL injection.

CVE-2026-13493
Low

A flaw has been found in ComfyUI-Copilot up to version 2.0.28 in the Workflow Checkpoint Restore Handler. The issue involves improper control of resource identifiers due to unknown processing in backend/controller/conversation_api.py. The attack can be performed remotely but is difficult due to high complexity.

PreviousPage 129 of 4541Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS