CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-27089
High

There is an unauthenticated bypass vulnerability in WpTravelly versions up to 2.1.7.

CVE-2026-25425
High

Versions up to 5.1.2 have a vulnerability in access control that allows user registration without authentication.

CVE-2026-24637
High

SQL Injection vulnerability in PowerPress Podcasting versions <= 11.15.10 allows attackers to inject malicious SQL queries.

CVE-2026-23970
High

Versions of Redirection for Contact Form 7 up to 3.2.8 are vulnerable to unauthenticated Cross Site Scripting (XSS). An attacker can exploit this vulnerability to inject malicious JavaScript code.

CVE-2025-68872
High

Eli's WordCents adSense Widget with versions up to 1.3.03.27 has an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can exploit this flaw to inject malicious JavaScript code.

CVE-2025-68851
High

There is an unauthenticated Cross Site Scripting (XSS) vulnerability in Okay Toolkit versions <= 2.3. An attacker can exploit this flaw to inject malicious scripts.

CVE-2025-68840
High

Versions of iRobots.txt SEO <= 1.1.2 are vulnerable to unauthenticated Cross Site Scripting (XSS). An attacker can exploit this vulnerability to inject malicious scripts.

CVE-2025-59133
High

In Projectopia versions <= 5.1.25.2, there is a vulnerability related to custom roles that allows unauthorized access to objects (IDOR). This issue may lead to the exposure of sensitive user data.

CVE-2026-53705
High

A flaw in GStreamer's WavPack audio decoder (gst-plugins-good) involves an integer overflow in buffer size calculation (4 * block_samples * channels), leading to a very small heap allocation. The WavPack library then writes decoded audio samples beyond the allocated buffer, causing heap memory corruption. This affects both 32-bit and 64-bit systems.

CVE-2026-53704
High

A flaw in GStreamer's RealMedia demuxer (gst-plugins-ugly) lacks offset validation when parsing FILEINFO metadata. A crafted RealMedia file can cause an infinite loop or out-of-bounds read.

CVE-2026-53703
High

A vulnerability was found in the GStreamer RealMedia demuxer (gst-plugins-ugly) where an out-of-bounds read occurs when processing .rm files. Lack of size validation for MDPR chunks before reading audio stream headers can cause application crashes or limited information disclosure.

CVE-2026-52722
High

A signed integer overflow vulnerability was found in GStreamer's VMnc decoder. A crafted VMnc stream with large cursor dimensions can overflow signed integer payload-size arithmetic, bypassing a length check and leading to out-of-bounds reads.

CVE-2026-52720
High

A heap buffer overflow vulnerability was found in GStreamer's librfb (RFB/VNC client). Incorrect rectangle bounds validation allows a malicious VNC server to send a rectangle extending beyond the framebuffer, leading to an out-of-bounds heap write.

CVE-2026-52719
High

An out-of-bounds read vulnerability was found in the VA JPEG decoder in GStreamer's gst-plugins-bad. The JPEG parser reads a segment length value from the bitstream without validating it against available data.

CVE-2026-50891
High

Incorrect access control in the /admin/api/config component of Filestash v0.4.0 allows attackers to escalate privileges via sending a crafted request.

CVE-2026-50889
High

In LLDAP v0.6.2, there is an input handling flaw in the HTTP refresh token process that allows attackers to cause a Denial of Service (DoS) by sending a crafted refresh-token header.

CVE-2026-50888
High

In version 1.8.0 of the custom scraper component in Benjamin Jonard Koillection, there is an authenticated Server-Side Request Forgery (SSRF) vulnerability that allows attackers to scan internal resources by supplying a crafted URL.

CVE-2026-50885
High

Sismics Docs (Teedy) v1.11 has incorrect access control in share-based read endpoints, allowing unauthorized attackers to access sensitive endpoints via a crafted request.

CVE-2026-50884
High

In statping-ng version 0.93.0, incorrect access control allows attackers to escalate privileges to Administrator and access sensitive components.

CVE-2026-50882
High

Version 0.1.1 of the anna-is-cute application has an issue in the /api/v0/pastes endpoint that allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

PreviousPage 141 of 3364Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS