CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.15)

CVE-2026-9804
High

A path traversal vulnerability was found in KubeVirt's virt-exportserver component. An attacker with namespace-level access can place a symbolic link in an exported PVC pointing outside its mount root, allowing arbitrary file reads from the exporter pod's filesystem.

CVE-2026-6226
High

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthenticated privilege escalation in versions up to and including 3.29.2. This is due to insecure form submission handling that accepts arbitrary form definitions from user input.

CVE-2026-9227
High

The GutenBee – Gutenberg Blocks plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to and including 2.20.1 due to a flawed filename validation. Authenticated attackers with author-level access can upload executable files, enabling remote code execution.

CVE-2026-7862
High

The Eupago Gateway plugin for WooCommerce before version 4.7.2 does not properly restrict access to its refund request handler, allowing unauthenticated attackers to initiate refunds against any WooCommerce order using the merchant's payment gateway credentials.

CVE-2026-7797
High

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'append_where_sql' parameter in all versions up to and including 1.6.11.8. The issue arises from insufficient escaping of the user-supplied parameter and lack of proper preparation of the existing SQL query.

CVE-2026-7634
High

The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'User-Agent' header in all versions up to and including 5.4.11 due to insufficient input sanitization and output escaping. This allows attackers to inject arbitrary web scripts that will execute whenever a user accesses an injected page.

CVE-2026-7052
High

The HT Contact Form – Drag & Drop Form Builder for WordPress plugin is vulnerable to Stored Cross-Site Scripting (XSS) via the 'file_upload' parameter in all versions up to and including 2.8.2 due to insufficient input sanitization and output escaping.

CVE-2026-6455
High

The WP Contact Form 7 DB Handler plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Arbitrary File Deletion via SQL Injection and PHP Object Injection in versions up to and including 3.0. This is due to a missing nonce verification in the process_bulk_action() function.

CVE-2026-44604
High

A command injection vulnerability was discovered in the `rpmuncompress` utility of RPM. When extracting certain archive formats (ZIP, 7z, GEM) to a specified destination directory, the tool inserts the archive's top-level folder name into a shell command without properly sanitizing it.

CVE-2026-9009
High

The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to Remote Code Execution in all versions up to and including 2.7.2 via the filter_content function. The issue arises from the lack of sanitization of the 'callback_raw' attribute, allowing authenticated attackers to execute dangerous PHP functions.

CVE-2026-9795
High

A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can assign any realm role, including highly privileged ones, to a client's scope mapping. This bypasses security controls and injects the role into a user's authentication token.

CVE-2026-7802
High

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 3.29.2. This is due to improper verification of user permissions, allowing authenticated attackers to modify administrator data.

CVE-2026-32997
High

Podatność umożliwia uwierzytelnionemu użytkownikowi z rolą Administratora Kopii Zapasowej zapisanie dowolnych plików na serwerze Veeam Backup & Replication działającym na systemie Linux.

CVE-2026-32996
High

Ta podatność w Veeam Agent dla systemu Microsoft Windows umożliwia lokalne podniesienie uprawnień.

CVE-2026-32995
High

Metoda autoTranslate.translateMessage w Rocket.Chat w wersjach <8.5.0, <8.4.2, <8.3.4, <8.2.4, <8.1.5, <8.0.5, <7.13.8 i <7.10.12 akceptuje obiekt IMessage dostarczony przez klienta i przekazuje go bezpośrednio do translateMessage() bez sprawdzania Meteor.userId() ani weryfikacji członkostwa w pokoju. Każdy uwierzytelniony użytkownik DDP może odczytać treść dowolnej wiadomości po ID z dowolnego pokoju.

CVE-2026-2374
High

The Login No Captcha reCAPTCHA plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to 1.8.0. The issue arises from the `authenticate()` function storing unsanitized data in the `login_nocaptcha_error` option during login attempts from a non-standard login page.

CVE-2026-9789
High

A Local Privilege Escalation (LPE) vulnerability affects Acer NitroSense software versions prior to 3.01.3052. The vulnerability stems from the PSAdminAgent service, which creates a Named Pipe with a weak Access Control List (ACL).

CVE-2026-8915
High

Podatność typu out-of-bounds write w Samsung Open Source Escargot umożliwia przepełnienie buforów. Problem dotyczy wersji Escargot: 36f5fb58366a67b713c02f6fd985e924fcc09e31.

CVE-2026-46414
High

Framework Microsoft UFO w wersji 3.0.1-4-ge2626659 ma problem z zaufaniem do pól tożsamości i roli dostarczanych przez klienta w wiadomościach zadań. Klient może zarejestrować się jako normalne urządzenie, a następnie wysłać wiadomość TASK, podszywając się pod wyższą rolę 'constellation', co prowadzi do przejęcia zadań przez atakującego.

CVE-2026-46402
High

Framework open-source Microsoft UFO do inteligentnej automatyzacji na różnych urządzeniach i platformach w wersji 3.0.1-4-ge2626659 wykorzystuje wartość task_name kontrolowaną przez użytkownika bezpośrednio przy tworzeniu ścieżek logów sesji. Uwierzytelniony klient może dostarczyć sekwencje przejścia ścieżki w task_name, co pozwala na tworzenie katalogów logów i plików logów poza zamierzonym katalogiem logs/.

PreviousPage 272 of 3404Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS