CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
A vulnerability in SIMATIC WinCC Unified PC Runtime (versions V16-V21 before V21 Update 2) is caused by insufficient protection of key material in the WinCC Certificate Manager. It allows an attacker to extract sensitive information.
The Blocksy theme for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution via the 'blocksy_meta' REST API field and the V200 database migration in versions up to and including 2.1.35. This is due to insufficient input sanitization in the blocksy_sanitize_post_meta_options() function.
The Events Calendar for GeoDirectory plugin for WordPress is vulnerable to privilege escalation in versions up to 2.3.28. The issue arises from improper input handling in the ajax_ayi_action() function, allowing attackers to modify user roles.
A remote, unauthenticated BLE peer can trigger a 2-byte out-of-bounds write in the Bluetooth host during L2CAP LE CoC SDU reassembly. When segmentation is enabled and the RX pool user_data_size is less than 2 bytes, the segmentation counter is written out of bounds, causing an AddressSanitizer abort or heap corruption.
Versions of the package degit before 2.8.6 and from 3.0.0 to 3.3.1 are vulnerable to Command Injection due to improper sanitisation of user input for git shell commands. An attacker can execute arbitrary operating system commands as the process user by supplying a specially crafted git repository name.
The Recover Exit For WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to and including 1.0.3. This is due to insufficient validation and sanitization of the user-controlled `tpf` POST parameter before it is used in an `include()` path in the `recover_exit()` function.
The 6Storage Rentals plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.22.0. The issue arises from the lack of ownership verification and session binding in the AJAX handling functions, allowing access to other users' profile data.
In an untrusted JMS environment, MappingJackson2MessageConverter and JacksonJsonMessageConverter in Spring Framework allow arbitrary class instantiation, which can lead to unauthorized actions via gadget class deserialization.
A vulnerability in Spring Framework allows a DoS attack via specially crafted SpEL expressions. An attacker can overload the application, causing degradation or unavailability.
CVE-2026-41849 describes an integer overflow vulnerability in the evaluation logic of the Spring Expression Language (SpEL). An attacker can exploit this by supplying a specially crafted SpEL expression that triggers excessive resource consumption, resulting in a Denial of Service (DoS).
Due to incorrect escaping, the use of JavaScriptUtils.javaScriptEscape() may lead to JavaScript code injection in the browser, potentially resulting in a cross-site scripting (XSS) vulnerability.
Spring MVC and WebFlux applications are vulnerable to Denial of Service (DoS) attacks when resolving static resources. The vulnerability affects Spring Framework versions 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48.
Spring LDAP's DirContextAuthenticationStrategy implementations do not reject a bind request where a non-empty username is paired with an empty or null password.
The vulnerability in Spring HATEOAS involves an unbounded static cache of StringLinkRelation instances keyed on attacker-supplied strings, potentially leading to memory exhaustion or DoS.
The vulnerability in Spring HATEOAS lies in the internal PropertyUtils.createObjectFromProperties method, used by the Collection+JSON and UBER media type deserializers, which performs bean property binding via reflection without consulting Jackson access-control annotations. An attacker can exploit this flaw to gain unauthorized access to object fields that should be protected.
In Micrometer, a user can send specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. The vulnerability affects multiple versions of micrometer-core, micrometer-jetty11, and micrometer-jetty12.
In Micrometer, a user can send specially crafted gRPC requests that may cause a denial-of-service (DoS) condition. Affected versions are 1.16.0 through 1.16.5 and 1.15.0 through 1.15.11.
A missing authorization vulnerability has been reported to affect QuMagie, allowing remote attackers to access unauthorized data or perform unauthorized actions.
The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via comment text in all versions up to and including 7.5.49.7212 due to insufficient input sanitization and output escaping. Attackers can inject arbitrary web scripts that will execute whenever a user accesses an injected page.
A vulnerability CVE-2026-11618 was identified in DTStack Taier up to version 1.4.0, concerning the preHandle function in the LoginInterceptor.java file. Manipulating this function may lead to improper authentication, which can be performed remotely.

