CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
There is an unauthenticated bypass vulnerability in WpTravelly versions up to 2.1.7.
Versions up to 5.1.2 have a vulnerability in access control that allows user registration without authentication.
SQL Injection vulnerability in PowerPress Podcasting versions <= 11.15.10 allows attackers to inject malicious SQL queries.
Versions of Redirection for Contact Form 7 up to 3.2.8 are vulnerable to unauthenticated Cross Site Scripting (XSS). An attacker can exploit this vulnerability to inject malicious JavaScript code.
Eli's WordCents adSense Widget with versions up to 1.3.03.27 has an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can exploit this flaw to inject malicious JavaScript code.
There is an unauthenticated Cross Site Scripting (XSS) vulnerability in Okay Toolkit versions <= 2.3. An attacker can exploit this flaw to inject malicious scripts.
Versions of iRobots.txt SEO <= 1.1.2 are vulnerable to unauthenticated Cross Site Scripting (XSS). An attacker can exploit this vulnerability to inject malicious scripts.
In Projectopia versions <= 5.1.25.2, there is a vulnerability related to custom roles that allows unauthorized access to objects (IDOR). This issue may lead to the exposure of sensitive user data.
A flaw in GStreamer's WavPack audio decoder (gst-plugins-good) involves an integer overflow in buffer size calculation (4 * block_samples * channels), leading to a very small heap allocation. The WavPack library then writes decoded audio samples beyond the allocated buffer, causing heap memory corruption. This affects both 32-bit and 64-bit systems.
A flaw in GStreamer's RealMedia demuxer (gst-plugins-ugly) lacks offset validation when parsing FILEINFO metadata. A crafted RealMedia file can cause an infinite loop or out-of-bounds read.
A vulnerability was found in the GStreamer RealMedia demuxer (gst-plugins-ugly) where an out-of-bounds read occurs when processing .rm files. Lack of size validation for MDPR chunks before reading audio stream headers can cause application crashes or limited information disclosure.
A signed integer overflow vulnerability was found in GStreamer's VMnc decoder. A crafted VMnc stream with large cursor dimensions can overflow signed integer payload-size arithmetic, bypassing a length check and leading to out-of-bounds reads.
A heap buffer overflow vulnerability was found in GStreamer's librfb (RFB/VNC client). Incorrect rectangle bounds validation allows a malicious VNC server to send a rectangle extending beyond the framebuffer, leading to an out-of-bounds heap write.
An out-of-bounds read vulnerability was found in the VA JPEG decoder in GStreamer's gst-plugins-bad. The JPEG parser reads a segment length value from the bitstream without validating it against available data.
Incorrect access control in the /admin/api/config component of Filestash v0.4.0 allows attackers to escalate privileges via sending a crafted request.
In LLDAP v0.6.2, there is an input handling flaw in the HTTP refresh token process that allows attackers to cause a Denial of Service (DoS) by sending a crafted refresh-token header.
In version 1.8.0 of the custom scraper component in Benjamin Jonard Koillection, there is an authenticated Server-Side Request Forgery (SSRF) vulnerability that allows attackers to scan internal resources by supplying a crafted URL.
Sismics Docs (Teedy) v1.11 has incorrect access control in share-based read endpoints, allowing unauthorized attackers to access sensitive endpoints via a crafted request.
In statping-ng version 0.93.0, incorrect access control allows attackers to escalate privileges to Administrator and access sensitive components.
Version 0.1.1 of the anna-is-cute application has an issue in the /api/v0/pastes endpoint that allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

