CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0. The impacted element is an unknown function of the file /archive5.php, which allows SQL injection through manipulation of the argument sy.
The Sonaar Music plugin for WordPress version 4.7 contains a stored XSS vulnerability that allows unauthenticated attackers to inject malicious scripts through the comment functionality. Attackers can submit JavaScript payloads in the comment parameter to wp-comments-post.php, which are stored and executed in the browsers of users viewing the affected playlist pages.
The Augmented-Reality plugin for WordPress contains a remote code execution vulnerability in the elFinder connector that allows unauthenticated attackers to upload and execute arbitrary PHP files. Attackers can send POST requests to the connector.minimal.php endpoint with mkfile and put commands to create malicious PHP files in the file_manager directory and execute them on the server.
A security flaw has been discovered in the Kushan2k student-management system up to version f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. Manipulating the argument stimg in the file service/RegisterService.php leads to unrestricted file uploads.
A vulnerability was identified in the SourceCodester Class and Exam Timetabling System 1.0 affecting an unknown function in the /index1.php file. Manipulation of the 'Password' argument leads to SQL injection.
A vulnerability was found in SourceCodester Class and Exam Timetabling System 1.0. Manipulation of the 'Password' argument in the /index2.php file leads to SQL injection, allowing for remote attack.
A vulnerability was identified in USCiLab Cereal up to version 1.3.2 in an unknown function of the Shared Pointer Handler component. Manipulating this function can lead to type confusion.
A vulnerability was found in Chengdu Everbrite Network Technology BeikeShop up to version 1.6.0.22, affecting the callback function in the file plugins/Stripe/Controllers/StripeController.php of the Stripe Plugin component. Manipulating the Request argument results in improper authorization.
A flaw has been found in Boost Serialization up to version 1.91, affecting an unknown function. This manipulation leads to improper validation of specified type of input, allowing for remote attacks.
Xcitium Client Security before version 13.8.2.10019 and Comodo Internet Security up to version 12.3.4.8162 contain an integer underflow vulnerability in the firewall driver Inspect.sys. This allows remote unauthenticated attackers to crash the system by sending a crafted IPv6 packet.
A security flaw has been discovered in erzhongxmu JeeWMS up to version 141740afb2ba14d441c82a833d0a418d07ca2d69. This vulnerability affects unknown code in the file /base-boot/jmreport/testConnection, allowing for injection through manipulation of arguments.
A vulnerability was identified in Chanjet CRM 1.0 affecting an unknown part of the file /tools/jxf_dump_systable.php of the HTTP GET Request Handler component. Manipulation of the argument gblOrgID leads to SQL injection.
A vulnerability has been found in GL.iNet GL-MT3000 up to version 4.4.5, affecting the SET_USER_PWD Handler function. Manipulation of the Password argument leads to command injection, which can be initiated remotely.
A flaw has been found in GL.iNet GL-MT3000 version 4.4.5, affecting the snprintf function in the /cgi-bin/glc file of the FTP Protocol Handler component. Manipulating the media_dir argument can lead to remote command injection.
A vulnerability was detected in GL.iNet GL-MT3000 version 4.4.5, affecting the dlopen function in the /usr/lib/oui-httpd/rpc library. Manipulating the dev_name argument results in command injection, allowing for remote attacks.
In versions of clash-verge-service-ipc before 2.3.0, there is a world-reachable IPC endpoint, leading to local privilege escalation.
A flaw has been found in perfree go-fastdfs-web up to version 1.3.7 in the checkServer function of the /install/checkServer file of the Installation Endpoint component. Manipulating this function can lead to server-side request forgery.
A security vulnerability has been detected in Jinher OA 1.0, affecting an unknown function of the file nextselectplan.aspx. Manipulation of the argument httpOID leads to SQL injection.
A vulnerability has been detected in JingDong JD Cloud Box AX6600 version 4.5.3.r4546, affecting the set_macfilter function in the /sbin/jdcweb_rpc file. Manipulation of this function leads to a stack-based buffer overflow.
Protocol::HTTP2 versions before 1.13 for Perl are vulnerable to an HTTP/2 Bomb attack, which can lead to excessive server memory consumption. The lack of header-list size limit in the headers_decode method allows for uncontrolled memory expansion.

