CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-11482
High

A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0. The impacted element is an unknown function of the file /archive5.php, which allows SQL injection through manipulation of the argument sy.

CVE-2023-54351
High

The Sonaar Music plugin for WordPress version 4.7 contains a stored XSS vulnerability that allows unauthenticated attackers to inject malicious scripts through the comment functionality. Attackers can submit JavaScript payloads in the comment parameter to wp-comments-post.php, which are stored and executed in the browsers of users viewing the affected playlist pages.

CVE-2023-54350
High

The Augmented-Reality plugin for WordPress contains a remote code execution vulnerability in the elFinder connector that allows unauthenticated attackers to upload and execute arbitrary PHP files. Attackers can send POST requests to the connector.minimal.php endpoint with mkfile and put commands to create malicious PHP files in the file_manager directory and execute them on the server.

CVE-2026-11474
High

A security flaw has been discovered in the Kushan2k student-management system up to version f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. Manipulating the argument stimg in the file service/RegisterService.php leads to unrestricted file uploads.

CVE-2026-11472
High

A vulnerability was identified in the SourceCodester Class and Exam Timetabling System 1.0 affecting an unknown function in the /index1.php file. Manipulation of the 'Password' argument leads to SQL injection.

CVE-2026-11471
High

A vulnerability was found in SourceCodester Class and Exam Timetabling System 1.0. Manipulation of the 'Password' argument in the /index2.php file leads to SQL injection, allowing for remote attack.

CVE-2026-11463
High

A vulnerability was identified in USCiLab Cereal up to version 1.3.2 in an unknown function of the Shared Pointer Handler component. Manipulating this function can lead to type confusion.

CVE-2026-11462
High

A vulnerability was found in Chengdu Everbrite Network Technology BeikeShop up to version 1.6.0.22, affecting the callback function in the file plugins/Stripe/Controllers/StripeController.php of the Stripe Plugin component. Manipulating the Request argument results in improper authorization.

CVE-2026-11460
High

A flaw has been found in Boost Serialization up to version 1.91, affecting an unknown function. This manipulation leads to improper validation of specified type of input, allowing for remote attacks.

CVE-2026-49494
High

Xcitium Client Security before version 13.8.2.10019 and Comodo Internet Security up to version 12.3.4.8162 contain an integer underflow vulnerability in the firewall driver Inspect.sys. This allows remote unauthenticated attackers to crash the system by sending a crafted IPv6 packet.

CVE-2026-11457
High

A security flaw has been discovered in erzhongxmu JeeWMS up to version 141740afb2ba14d441c82a833d0a418d07ca2d69. This vulnerability affects unknown code in the file /base-boot/jmreport/testConnection, allowing for injection through manipulation of arguments.

CVE-2026-11456
High

A vulnerability was identified in Chanjet CRM 1.0 affecting an unknown part of the file /tools/jxf_dump_systable.php of the HTTP GET Request Handler component. Manipulation of the argument gblOrgID leads to SQL injection.

CVE-2026-11452
High

A vulnerability has been found in GL.iNet GL-MT3000 up to version 4.4.5, affecting the SET_USER_PWD Handler function. Manipulation of the Password argument leads to command injection, which can be initiated remotely.

CVE-2026-11451
High

A flaw has been found in GL.iNet GL-MT3000 version 4.4.5, affecting the snprintf function in the /cgi-bin/glc file of the FTP Protocol Handler component. Manipulating the media_dir argument can lead to remote command injection.

CVE-2026-11450
High

A vulnerability was detected in GL.iNet GL-MT3000 version 4.4.5, affecting the dlopen function in the /usr/lib/oui-httpd/rpc library. Manipulating the dev_name argument results in command injection, allowing for remote attacks.

CVE-2026-26422
High

In versions of clash-verge-service-ipc before 2.3.0, there is a world-reachable IPC endpoint, leading to local privilege escalation.

CVE-2026-11437
High

A flaw has been found in perfree go-fastdfs-web up to version 1.3.7 in the checkServer function of the /install/checkServer file of the Installation Endpoint component. Manipulating this function can lead to server-side request forgery.

CVE-2026-11435
High

A security vulnerability has been detected in Jinher OA 1.0, affecting an unknown function of the file nextselectplan.aspx. Manipulation of the argument httpOID leads to SQL injection.

CVE-2026-11413
High

A vulnerability has been detected in JingDong JD Cloud Box AX6600 version 4.5.3.r4546, affecting the set_macfilter function in the /sbin/jdcweb_rpc file. Manipulation of this function leads to a stack-based buffer overflow.

CVE-2026-10725
High

Protocol::HTTP2 versions before 1.13 for Perl are vulnerable to an HTTP/2 Bomb attack, which can lead to excessive server memory consumption. The lack of header-list size limit in the headers_decode method allows for uncontrolled memory expansion.

PreviousPage 183 of 3362Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS