CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
WooCommerce POS versions up to 1.8.14 have an issue with unauthenticated access that allows for broken access control.
The WP Sessions Time Monitoring Full Automatic plugin versions up to 1.1.4 is vulnerable to SQL Injection, allowing unauthorized users to access the database.
JupiterX Core versions up to 4.14.1 have a vulnerability in access control that allows unauthorized access to resources.
Versions of Min Max Step Quantity Limits Manager for WooCommerce up to 5.2.2 are vulnerable to unauthenticated Cross Site Scripting (XSS). An attacker can exploit this vulnerability to inject malicious scripts.
A denial-of-service vulnerability exists in the WebSocket API due to insufficient validation and handling of JSON-based requests. A low-privileged authenticated attacker can send a specially crafted request that causes service disruption and may result in an unexpected device reboot.
Versions of WP Event Solution up to 4.1.12 have an unauthenticated broken access control vulnerability that may allow attackers to access resources they should not have access to.
The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'curselrevs[]' parameter of the wpfb_find_reviews AJAX action in versions up to and including 12.6.8. The issue arises from the handler reading $_POST['curselrevs'] raw with no sanitization or type casting, allowing for the injection of additional SQL queries.
In the Linux kernel, a vulnerability was found in the pedit (packet editor) mechanism of the network subsystem. The COW (copy-on-write) range calculation before the key loop did not account for the runtime header offset added by typed keys, potentially leading to incomplete COW and page cache corruption.
The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'stypes' and 'slocations' parameters of the wppro_get_overall_chart_data AJAX action in versions up to and including 12.6.8. The issue arises from improper handling of input data, allowing authenticated attackers to inject additional SQL queries.
The Premmerce Dev Tools plugin for WordPress is vulnerable to Remote Code Execution due to missing authorization in versions up to and including 2.0. The 'generatePluginHandler' function lacks authorization checks before processing user-supplied POST data, allowing attackers to inject PHP code.
A stack-based buffer overflow vulnerability in the CGI program of Zyxel GS1900-48HPv2 firmware versions through 2.90(ABTQ.1)C0 could allow a LAN-based, unauthenticated attacker to exploit the flaw and potentially execute OS commands via a crafted HTTP request.
Improper input validation in the SSH Elevate Shell feature in Devolutions Remote Desktop Manager 2026.2.7 allows an authenticated user with permission to create or modify a shared SSH entry to execute arbitrary commands on a remote SSH host using stored elevation credentials.
CVE-2026-53430 vulnerability concerns improper handling of highly compressed data in elixir-grpc, potentially leading to a denial of service attack via a gzip decompression bomb.
A vulnerability in elixir-grpc grpc allows unauthenticated attackers to exhaust the BEAM's memory and crash the server by streaming large or slow-trickle unary request bodies. The lack of size limits for accumulated data and infinite read timeouts enable uncontrolled memory growth.
Browserstack-cypress-cli versions prior to 1.36.4 are vulnerable to OS command injection via the cypress_config_file configuration parameter. The loadJsFile() function in readCypressConfigUtil.js executes a shell command by interpolating the user-controlled cypress_config_filepath value.
A vulnerability in elixir-grpc allows authenticated attackers to access resources belonging to other users by manipulating values in requests. This enables them to bypass authorization mechanisms, leading to unauthorized access or modification of data.
Potential security vulnerabilities have been identified in the HP One Agent for certain HP PC products, which might allow for escalation of privilege and/or denial of service.
DbGate is a cross-platform database manager, in versions 7.1.8 and prior, has a vulnerability in the POST /runners/load-reader endpoint that accepts a functionName parameter interpolated without sanitization into a JavaScript code template. An authenticated user with basic access can inject arbitrary JavaScript code that executes on the server with full process privileges.
An unauthenticated Cross Site Scripting (XSS) vulnerability has been identified in SEO Redirection versions up to 9.17. An attacker can exploit this flaw to inject malicious scripts in the user's context.
There is a SQL Injection vulnerability in WCMultiShipping versions up to 3.0.2 that can be exploited by subscribers.

