CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-54186
Critical

In JobSearch versions up to 3.2.9, there is an unauthenticated SQL Injection vulnerability that can be exploited by an attacker to execute unauthorized queries against the database.

CVE-2026-52706
Critical

There is an unauthenticated PHP object injection vulnerability in JetEngine versions up to 3.8.10.

CVE-2026-52705
Critical

SigmaForms Pro – AI Generated Forms versions up to 1.4.5 contain a vulnerability allowing unauthenticated arbitrary file uploads.

CVE-2026-50203
Critical

A path traversal vulnerability in the SFTP provider allows a malicious or compromised remote SFTP server to write files outside the configured local destination directory. No Airflow account is required, and the attack surface includes any deployment downloading directories from an untrusted SFTP server.

CVE-2026-49767
Critical

There is a vulnerability in wpForo Forum versions up to 3.1.0 related to unauthenticated broken authentication.

CVE-2026-49107
Critical

Thrive Apprentice versions below 10.8.10.2 are vulnerable to unauthenticated PHP object injection.

CVE-2026-49084
Critical

JetEngine versions below 3.8.9.1 are vulnerable to unauthenticated SQL injection.

CVE-2026-49080
Critical

There is an unauthenticated SQL injection vulnerability in wpDataTables versions up to 7.3.6.

CVE-2026-49079
Critical

JetSearch versions up to 3.5.17 are vulnerable to unauthenticated SQL injection, potentially allowing unauthorized access to data.

CVE-2026-49076
Critical

There is an unauthenticated SQL injection vulnerability in JetEngine versions up to 3.8.9.1.

CVE-2026-49075
Critical

JetEngine versions up to 3.8.9.1 are vulnerable to PHP Object Injection, which may lead to unauthorized access to data.

CVE-2026-49058
Critical

LoginPress Pro versions up to 6.2.2 contain a vulnerability allowing unauthenticated privilege escalation.

CVE-2026-48875
Critical

There is an unauthenticated SQL Injection vulnerability in JetSmartFilters versions up to 3.8.1.

CVE-2026-48797
Critical

The Backpropagate library in versions 1.1.0 and 1.1.1 has a vulnerability that allows access to the user interface without authentication. This enables attackers to upload data, trigger training runs, and access models without any security.

CVE-2026-48781
Critical

Postiz is an AI social media scheduling tool. In versions prior to 2.21.8, an attacker could exploit a vulnerability in the Skool integration to forge a SUPERADMIN session, allowing impersonation of arbitrary organizations.

CVE-2026-48745
Critical

The Traccar Client app, used for GPS tracking, is vulnerable in versions 9.7.19 and below to an attack that allows hijacking GPS tracking parameters via a crafted deep link. Such a link can change the app's configuration without confirmation, redirecting telemetry data to an attacker-controlled server.

CVE-2026-48616
Critical

Rocket.Chat versions below 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, 7.10.13 have an access control vulnerability in Livechat files. The authorization process for downloading protected files does not verify that rc_rid matches the requested file, allowing unauthenticated discovery of all uploaded files.

CVE-2026-48055
CriticalEPSS 53%

In Streambert versions 2.4.0 and prior, a Zip Slip vulnerability was identified in the subtitle extraction logic. The application does not sanitize archive entry filenames during extraction, allowing for path traversal attacks and writing arbitrary files to the host filesystem.

CVE-2026-42380
Critical

AI Lab versions below 5.4.2 are vulnerable to unauthenticated PHP object injection.

CVE-2026-40783
Critical

Versions of Blocksy Companion Pro up to 2.1.37 have a vulnerability allowing remote code execution (RCE) by unauthorized users.

PreviousPage 26 of 554Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS