CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.13)

CVE-2026-13006
High

ACE vulnerability in logback-core up to version 1.5.36 allows arbitrary code execution by bypassing protections for CVE-2025-11226. The attack requires Janino library on the classpath and write access to a configuration file or injection of an environment variable.

CVE-2026-12417
Critical

The SignUp & SignIn plugin for WordPress up to version 1.0.0 contains a vulnerability allowing authentication bypass and account takeover. The issue is due to missing nonce verification, missing capability checks, and a loose equality check on the password reset code in the `pravel_change_password()` AJAX handler, enabling unauthenticated attackers to change any user's password, including administrators.

CVE-2026-12416
Critical

The Invoice Generator plugin for WordPress is vulnerable to Account Takeover via Password Reset in all versions up to and including 1.0.0. The issue arises from the lack of nonce verification and authorization checks in the `pravel_invoice_change_password()` function, allowing for easy bypass of security measures.

CVE-2026-12100
High

The URL Preview plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to and including 1.0 via the 'url' parameter. This allows unauthenticated attackers to make web requests to arbitrary locations originating from the web application.

CVE-2026-12095
High

The Kargo Takip plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to and including 1.2 via the 'api_url' parameter. This allows unauthenticated attackers to make web requests to arbitrary locations originating from the web application.

CVE-2026-12094
Medium

The Advanced Contact Form 7 - Compact DB plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the cf7cdb_ajax_delete_user() function in versions up to and including 1.0.0. The function does not perform nonce verification, capability checks, or ownership checks before deleting data from the wp_cf7cdb_data table.

CVE-2026-11997
Medium

The Bulk SEO Image plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.1. This is due to missing or incorrect nonce validation on the plugin's settings page, allowing unauthenticated attackers to bulk-overwrite image ALT-text metadata.

CVE-2026-11370
Medium

The WP Meta SEO plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to and including 4.5.18 via the 'new_link' parameter. This allows authenticated attackers with contributor-level access or higher to make arbitrary HTTP requests from the application, potentially querying and modifying information from internal services.

CVE-2026-10753
Low

The Site Kit by Google WordPress plugin before version 1.176.0 does not properly restrict a REST API write endpoint to administrators, allowing lower-privileged users (such as Editors) to modify a site-wide setting that should only be modifiable by administrators.

CVE-2026-10749
High

The Post Duplicator WordPress plugin before version 3.0.15 does not safely handle custom meta-data during post duplication, allowing attacker-supplied serialized values to be stored without the WordPress meta API's double-serialization protection.

CVE-2026-10735
High

WordPress plugins such as Shapedsmart-post-show-pro, Real Testimonials Pro, and Product Slider for WooCommerce before specified versions contained malicious code. They were distributed through the vendor's compromised update server, allowing unauthenticated attackers to deploy a second-stage attack.

CVE-2026-10552
Medium

The Blue Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 2.0.1. The issue arises from missing or incorrect nonce validation on the main admin panel and on subpages, allowing unauthenticated attackers to perform destructive operations.

CVE-2026-10531
Medium

The AI Share & Summarize WordPress plugin before version 2.0.4 does not sanitize and escape some shortcode attributes before outputting them on a page, allowing users with Contributor role and above to perform Stored Cross-Site Scripting attacks.

CVE-2026-10092
High

The Cincopa plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via cincopa shortcode in post comments in all versions up to and including 1.163 due to insufficient input sanitization and output escaping.

CVE-2026-10091
High

The Email JavaScript Cloak plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'email' shortcode in all versions up to and including 1.03 due to insufficient input sanitization and output escaping. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2026-9539
Medium

An out-of-bounds heap read and integer underflow in TCP urgent data handling in libslirp versions before v4.9.2 allows a privileged guest VM attacker to leak sensitive host-process heap memory.

CVE-2026-12851
CriticalEPSS 74%

Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution.

CVE-2026-12850
CriticalEPSS 75%

Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution.

CVE-2026-12849
CriticalEPSS 74%

Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution.

CVE-2026-12848
Critical

The GV-I/O Box 4E is a smart embedded device that supports communication over Ethernet and RS-485. The DVRSearch service, running by default on port 10001, is vulnerable to a stack overflow that can be exploited by an attacker to execute malicious code.

PreviousPage 212 of 4554Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS