CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
OSCAL-GUI contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious input through the project request parameter.
Evoluted PHP Directory Listing Script version 4.0.5 contains a reflected XSS vulnerability in index.php where the dir parameter value is reflected without HTML encoding in the title element and in anchor href attributes in the breadcrumb navigation.
Dreamweaver Desktop versions 21.7 and earlier are affected by an Incorrect Authorization vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope.
Dreamweaver Desktop versions 21.7 and earlier are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope.
Ellucian Banner Self-Service before the April T2 release in 2025 contains a stored XSS vulnerability in the course search functionality. Authenticated users with write access can inject malicious JavaScript into faculty and course fields.
Ellucian Banner Self-Service before the April T2 release in 2025 contains a reflected XSS vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser. Attackers can inject unsanitized input through the toDateFormat request parameter in the dateConverter endpoint.
The Dell Client Platform BIOS contains a weak encoding for passwords, which could be exploited by an unauthenticated attacker with physical access. Exploiting this vulnerability may lead to elevation of privileges.
SemCms version 5.0 is vulnerable to Cross Site Request Forgery (CSRF) via crafted POST request to /admin/semcms_user.php.
Multiple stack overflows were discovered in the formSetDebugCfgr function in Tenda G0 version 15.11.0.5, via the enable, level, and module parameters. These vulnerabilities allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
A stack overflow was discovered in the username parameter of the R7WebsSecurityHandler function in the Tenda O3 Wireless Router v1.0.0.5(4180). This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
A stack overflow was discovered in the param_1 parameter of the formSetCfm function in the Tenda W3 Wireless Router v1.0.0.3(2204). This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
A stack overflow was discovered in the Go parameter of the ask_to_reboot function in the Tenda W3 Wireless Router v1.0.0.3(2204). This vulnerability allows attackers to cause a Denial of Service (DoS) via crafted input.
The Tenda W3 wireless router version 1.0.0.3(2204) contains a stack overflow vulnerability in the wl_radio parameter of the formwrlSSIDget function. This vulnerability allows attackers to cause a Denial of Service (DoS) via crafted input.
FastapiAdmin v2.2.0 has a markdown based cross-site scripting (XSS) vulnerability in the AI assistant chat function that allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into a chat message.
Version 8.3 of the bookcars application contains a vulnerability that allows unauthenticated attackers to delete arbitrary files by exploiting directory traversal sequences in the /api/delete-temp-license/{file} endpoint.
FastapiAdmin v2.2.0 has a cross-site scripting (XSS) vulnerability in the /system/notice/create endpoint that allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the notice_content parameter.
In version 2.2.0 of FastapiAdmin, an uncaught exception in the /application/job/update/{id} endpoint allows authenticated attackers with the module_task:job:update permission to trigger a Denial of Service (DoS) attack by manipulating the func field of scheduled tasks.
An authenticated arbitrary file upload vulnerability in the /api/create-car-image component of bookcars v8.3 allows attackers to execute arbitrary code via uploading a crafted file.
A NULL pointer dereference in the ctts_box_write function in GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) by supplying a crafted MP4 file.
GPAC MP4Box version 2.4 was found to contain a floating point exception in the gf_opus_parse_packet_header function, which may lead to application crashes. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

