CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2025-63079
Medium

The Live Copy Paste for Elementor plugin in versions 1.5.3 and below contains a vulnerability due to improper access control for contributors. This allows users with the contributor role to perform unauthorized actions.

CVE-2025-63078
Medium

The Restaurant Menu by MotoPress plugin in versions 2.4.11 and earlier contains a vulnerability related to broken access control by subscribers. Users with the subscriber role can gain unauthorized access to restaurant menu management functions.

CVE-2025-63041
Medium

The Forget About Shortcode Buttons plugin in versions 2.1.3 and below contains a vulnerability due to improper access control for contributors. A user with the contributor role can gain unauthorized access to functions that should be reserved for higher roles.

CVE-2026-57940
Low

HTMLy 3.1.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the RSS feed import functionality. The function get_feed() in system/admin/admin.php passes user-supplied $feed_url directly to file_get_contents() without any validation. An authenticated attacker with administrative privileges can exploit this by entering a crafted URL (e.g., http://dnslog.example.com, file:///etc/passwd, or http://169.254.169.254 in cloud contexts) via Tools -> Import RSS. The server will then make a request to the attacker-controlled target.

CVE-2026-57926
Low

In JetBrains YouTrack before 2026.2.16593 the websandbox bridge was vulnerable to a prototype pollution attack.

CVE-2026-57925
Medium

In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading saved queries and tags.

CVE-2026-57924
Medium

In JetBrains YouTrack before 2026.2.16593 default role configuration exposed excessive user profile details.

CVE-2026-57923
Medium

In JetBrains YouTrack before 2026.2.16593, improper authorization in the app configurations endpoint allowed unauthorized modification of project settings.

CVE-2026-57922
Low

In JetBrains YouTrack before 2026.2.16593 project settings disclosure via the MCP was possible.

CVE-2026-57921
Medium

In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading users' private data via the comment templates endpoint.

CVE-2026-53914
Medium

In JetBrains Kotlin before version 2.4.20, a vulnerability was found that allows code execution via unsafe deserialization in the build cache metadata.

CVE-2026-13426
Medium

The Mattermost Go module github.com/mattermost/mattermost/server/public versions < v0.1.22 fail to validate path parameters when constructing API route paths which allows an attacker to redirect API calls to unintended endpoints via crafted IDs containing path traversal components.

CVE-2026-57920
High

A vulnerability in Peplink InControl 2 up to version 2.14.2 before 2026-06-03 allows bypassing access-control rules for certain /rest/o/{orgId} endpoints by using a semicolon.

CVE-2026-57915
High

A vulnerability in Apache Kerby allows bypassing the Kerberos pre-authentication check by sending a PA-DATA with an unrecognized or unsupported type. An attacker can gain access without proper authentication.

CVE-2026-40711
High

An OS Command Injection vulnerability in Dell Container Storage Modules (csi-powerstore, csi-unity, csi-powerflex, csi-powermax version 2.16.0) allows a high-privileged attacker with remote access to execute arbitrary operating system commands.

CVE-2025-64152
Critical

A path traversal vulnerability has been discovered in Apache IoTDB, allowing access to files outside the restricted directory. The issue affects versions from 1.0.0 to 1.3.5 and from 2.0.0 to 2.0.6.

CVE-2025-55017
Critical

A Path Traversal vulnerability has been discovered in Apache IoTDB, allowing bypass of file path restrictions. The issue affects versions from 2.0.0 before 2.0.6 and from 1.0.0 before 1.3.6.

CVE-2026-57914
Medium

Sending a deeply nested ASN1 structure to an Apache Kerby client or service can trigger a StackOverFlow exception, leading to denial of service (DoS).

CVE-2026-57620
Medium

The Exclusive Addons Elementor plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability due to improper input neutralization during page generation. The flaw affects all versions up to and including 2.7.9.8.

CVE-2026-57918
High

A vulnerability in libnfs up to version 6.0.2 before commit 935b8db causes an integer underflow in the xid field in the READ_IOVEC function in lib/socket.c. The issue occurs when connecting to a crafted NFS server, where the expected PDU size exceeds the absolute PDU size from the xid/record-marker.

PreviousPage 169 of 4563Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS