CVE Vulnerability Catalog

CVE descriptions from NVD (NIST), translated into English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-55116
Critical

An improper access control vulnerability in UniFi OS allows an attacker with network access to make unauthorized changes to devices under certain network configurations.

CVE-2026-55115
Critical

An SSRF vulnerability in UniFi Protect Application allows an attacker with network access and low privileges to escalate privileges on the host device.

CVE-2026-54402
Critical

An improper input validation vulnerability in UniFi OS allows an attacker with network access and low privileges to inject commands on the host device.

CVE-2026-54400
Critical

An improper access control vulnerability in UniFi Access Application allows an attacker with network access and high privileges to escalate privileges on the host device.

CVE-2026-50748
Critical

An improper input validation vulnerability in UniFi Access Application allows an attacker with network access and low privileges to inject commands on the host device.

CVE-2026-50747
Critical

An authenticated SQL Injection vulnerability in UniFi Talk Application allows a network-accessible attacker with low privileges to escalate privileges on the host device.

CVE-2026-50746
Critical

An improper access control vulnerability in the UniFi Connect application allows an attacker with network access to inject commands on the host device.

CVE-2026-4767
Critical

Missing authentication for a critical function in TR7 Cyber Defense Inc. WAF-ASP allows authentication abuse. The vulnerability affects versions from v1.0.324.900 up to, but not including, v1.4.0.117.

CVE-2026-5524
Critical

The Divi Form Builder plugin for WordPress up to version 5.1.8 is vulnerable to arbitrary file upload leading to remote code execution. The issue is due to insufficient file extension validation in the do_image_upload() function, where the acceptFileTypes POST parameter is interpolated directly into the regular expression that decides which extensions are accepted, so the client controls the allowlist. Attackers can upload files with .phtml, .phar, .php5 or .php7 extensions, which are not covered by the .htaccess protection that blocks only .php files.
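The two weaknesses in that entry, a client-controlled extension regex and a deny rule that names only .php, are reproduced side by side below. This is an added example written for this page, not code from the Divi Form Builder plugin or from WordPress; the function names, the list of executable extensions and the sample filenames are assumptions constructed for illustration.

```python
import re
from typing import Iterable, Pattern

# Constructed list of extensions that PHP handler configurations commonly
# treat as executable. A filename carrying any of these anywhere in its
# extension chain (shell.phtml, shell.php.jpg) must be refused.
PHP_EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "php8",
                       "phtml", "phar", "phps", "pht"}

# Server-side allowlist for an image upload form (assumption for the example).
SAFE_UPLOAD_EXTS = {"jpg", "jpeg", "png", "gif", "pdf"}


def vulnerable_is_allowed(filename: str, accept_file_types: str) -> bool:
    """Hypothetical reconstruction of the flawed pattern: the request
    parameter acceptFileTypes is spliced into the validation regex, so the
    uploader decides which extensions pass (and can inject regex syntax)."""
    pattern = re.compile(rf"\.({accept_file_types})$", re.IGNORECASE)
    return pattern.search(filename) is not None


def hardened_is_allowed(filename: str,
                        allowed: Iterable[str] = SAFE_UPLOAD_EXTS) -> bool:
    """Allowlist fixed on the server; client input never reaches the
    decision. Every dot-separated segment after the base name is checked,
    so double extensions such as shell.php.jpg are refused as well."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False            # no extension, or a dotfile such as .htaccess
    exts = parts[1:]
    if any(ext in PHP_EXECUTABLE_EXTS for ext in exts):
        return False
    return exts[-1] in {a.lower() for a in allowed}


# Deny rules modelled as the regex a <FilesMatch> directive in .htaccess
# would use. The first mirrors a rule that blocks only .php.
HTACCESS_PHP_ONLY = re.compile(r"\.php$", re.IGNORECASE)
HTACCESS_ALL_PHP_VARIANTS = re.compile(r"\.(php\d?|phtml|phar|phps|pht)$",
                                       re.IGNORECASE)


def blocked_by(rule: Pattern[str], filename: str) -> bool:
    """True if the deny rule would refuse to serve/execute this filename."""
    return rule.search(filename) is not None


if __name__ == "__main__":
    # Attacker widens the allowlist through the POST parameter.
    print(vulnerable_is_allowed("shell.phtml", "phtml|jpg|png"))       # True
    # Regex injection: ".*" accepts any filename at all.
    print(vulnerable_is_allowed("shell.php", ".*"))                    # True
    print(hardened_is_allowed("shell.phtml"), hardened_is_allowed("photo.JPG"))
    print(blocked_by(HTACCESS_PHP_ONLY, "shell.phtml"),                # False
          blocked_by(HTACCESS_ALL_PHP_VARIANTS, "shell.phtml"))        # True
```

The practitioner's check is the pairing: upload validation must not trust anything the client sends about file types, and the web-server deny rule must cover every extension the PHP handler executes, not just .php. Either control alone leaves the gap the entry describes.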

CVE-2026-57683
Critical

The WP Fast Total Search plugin version 1.80.280 and earlier contains an unauthenticated SQL injection vulnerability. An attacker without authentication can inject crafted SQL into the queries the plugin sends to the database.

CVE-2026-57679
Critical

GeekyBot versions up to 1.2.5 are vulnerable to unauthenticated SQL injection. An attacker can remotely execute arbitrary SQL queries without authentication.
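The SQL injection entries above (UniFi Talk, WP Fast Total Search, GeekyBot) all come down to one coding defect: a request parameter concatenated into SQL text. The block below shows that defect next to the parameterized form, run against a constructed in-memory SQLite table. It is an added example written for this page, not code from any of the listed products; the table, the rows and the payload are constructed for illustration.

```python
import sqlite3
from typing import Dict, List

# Constructed payload: closes the LIKE string literal, appends a tautology and
# comments out the rest of the original statement.
INJECTION = "%' OR 1=1 -- "


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a plugin's content table.
    Only 'publish' rows are meant to be visible to anonymous visitors."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, status TEXT)")
    conn.executemany(
        "INSERT INTO posts (title, status) VALUES (?, ?)",
        [("Public post", "publish"),
         ("Draft pricing", "draft"),
         ("Private notes", "private")],
    )
    return conn


def vulnerable_search(conn: sqlite3.Connection, term: str) -> List[str]:
    """The flawed pattern: the search term is spliced into the SQL string,
    so the term can rewrite the WHERE clause (here: drop the status filter)."""
    sql = (f"SELECT title FROM posts WHERE status = 'publish' "
           f"AND title LIKE '%{term}%'")
    return [row[0] for row in conn.execute(sql)]


def hardened_search(conn: sqlite3.Connection, term: str) -> List[str]:
    """Bound parameter: the term is passed as data, never parsed as SQL.
    The wildcards are added to the value, not to the statement text."""
    sql = "SELECT title FROM posts WHERE status = 'publish' AND title LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


def demo() -> Dict[str, List[str]]:
    """Run both variants with a normal term and with the injection payload."""
    conn = make_db()
    return {
        "normal": vulnerable_search(conn, "post"),
        "injected_vulnerable": vulnerable_search(conn, INJECTION),
        "injected_hardened": hardened_search(conn, INJECTION),
        "normal_hardened": hardened_search(conn, "post"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:>20}: {rows}")
```

With the payload, the vulnerable query returns every row, including the draft and private ones that the status filter was supposed to hide; the parameterized query simply searches for a title containing the literal payload and returns nothing. In a WordPress plugin the equivalent of the bound parameter is $wpdb->prepare(); the escalation described in the UniFi Talk entry is what follows once an attacker can read or alter rows such as user or session records.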

CVE-2026-57677
Critical

The Novalnet Payment Gateway for WooCommerce plugin version 12.10.3 and earlier is vulnerable to unauthenticated PHP Object Injection. An attacker can remotely send a crafted request, leading to arbitrary PHP code execution on the server.

CVE-2026-57625
Critical

The Admin and Site Enhancements (ASE) Pro plugin version 8.8.5 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious script without requiring authentication.

CVE-2026-57624
Critical

The Blocksy Companion Pro plugin version 2.1.46 and earlier contains a critical vulnerability allowing unauthenticated remote code execution (RCE). The vulnerability stems from a missing authentication check on one of the plugin's API endpoints.

CVE-2026-57623
Critical

The W3 Total Cache plugin versions up to 2.9.4 contain a critical vulnerability allowing unauthenticated remote arbitrary code execution. The flaw stems from insufficient input validation in the caching mechanism.

CVE-2026-57621
Critical

The Booktics plugin version 1.0.21 and earlier contains an unauthenticated PHP Object Injection vulnerability. An attacker can remotely inject a malicious PHP object without authentication.

CVE-2026-27436
Critical

The Five Star Business Profile and Schema WordPress plugin version 2.3.19 and earlier allows an authenticated user with Editor privileges to execute arbitrary code. An attacker can exploit this flaw to gain full control over the website.

CVE-2026-27419
Critical

The Zegen plugin in versions 1.1.9 and earlier allows an authenticated user with Subscriber privileges to upload arbitrary files to the server. This can be exploited to place malicious code on the server without proper authorization.

CVE-2026-14439
Critical

A path traversal vulnerability in the Git Service component of Altium Enterprise Server and Altium 365 allows an authenticated user with basic git access to move arbitrary files outside the intended repository area. This can lead to remote code execution under the Git Service account by placing attacker-controlled scripts into directories executed by the service.
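The Altium entry describes the classic consequence of an unchecked destination path: a file operation that is supposed to stay inside one repository is pointed at a directory the service executes from. The containment check below is the control a practitioner would expect at that boundary. It is an added example written for this page, not Altium's code; the repository root and the sample paths are assumptions constructed for illustration, and the check is done with pure string operations so it runs offline.

```python
import posixpath
from typing import Optional

# Hypothetical repository area managed by a git service account.
REPO_ROOT = "/srv/git/repos/board-designs"


def safe_join(root: str, untrusted: str) -> Optional[str]:
    """Return the absolute path for `untrusted` inside `root`, or None if the
    request would land outside the repository area.

    Pure string checks (posixpath) so the example is deterministic offline.
    A real service must additionally realpath() the candidate on disk, since
    a symlink inside the repository can still point outside it."""
    if not untrusted or "\x00" in untrusted or "\\" in untrusted:
        return None                      # empty, NUL-truncated or Windows separators
    if posixpath.isabs(untrusted):
        return None                      # clients may only name repo-relative paths
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, untrusted))
    if candidate == root:
        return None                      # the root itself is not a valid file target
    # commonpath() compares whole components, so a sibling directory whose name
    # merely starts with the root (board-designs-x) is rejected as well.
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


def move_request_allowed(root: str, src: str, dst: str) -> bool:
    """A move/rename is accepted only if both endpoints resolve inside the
    repository; checking only the source is the gap the entry describes."""
    return safe_join(root, src) is not None and safe_join(root, dst) is not None


if __name__ == "__main__":
    print(safe_join(REPO_ROOT, "docs/README.md"))
    print(safe_join(REPO_ROOT, "../hooks/post-receive"))          # None
    print(move_request_allowed(REPO_ROOT, "run.sh", "../hooks/post-receive"))  # False
```

Rejecting the traversal is necessary but not the whole fix: the service account should also lack write access to the hook and script directories it executes from, so that even a missed check cannot turn a misplaced file into code execution.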

CVE-2026-14425
Critical

A use-after-free vulnerability in the ANGLE component of Google Chrome prior to 150.0.7871.46 allows a remote attacker to potentially perform a sandbox escape via a crafted HTML page.


Vulnerability data from NVD (NIST) · CISA KEV · EPSS