CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.16)

CVE-2026-0685
Critical

Server side template injection (SSTI) in the expression evaluation component in Genshi Template Engine version 0.7.9 allows a remote attacker to achieve remote code execution (RCE) via crafted template expressions.

CVE-2025-11919
Critical

The default JVM can access files and directories under `/tmp/` including the `$TemporaryDirectory` of other users on the same cloud instance. An attacker with access to the shared `/tmp/` space can preemptively create or replace `.jar` files or directories (via the `-init` file) that the victim JVM will resolve first in its classpath, leading to arbitrary code execution during JVM startup.

CVE-2023-20572
Medium

An observable timing discrepancy in the ASP could allow a privileged attacker to perform a brute-force attack against the hash message authentication code, allowing the input of an arbitrary message, potentially leading to a loss of data integrity.

CVE-2023-20540
Low

An observable timing discrepancy in the ASP could allow a privileged attacker to perform a brute-force attack against the hash message authentication code, allowing arbitrary message input, potentially leading to a loss of data integrity.

CVE-2026-9699
Medium

The vulnerability in Mattermost Plugins versions up to 11.6, 10.18.11, 11.3.6, and 11.6.5.0 fails to sanitize error responses from the OpenAI API before logging, allowing a user with access to server logs or support packets to obtain a valid or partially reconstructable OpenAI API key via inspection of mattermost.log entries generated during authentication failures.

CVE-2026-57667
High

The Groundhogg plugin for WordPress versions 4.5 and earlier contains an SQL injection vulnerability in the Sales Representative module. An attacker can exploit this flaw to execute unauthorized database queries.

CVE-2026-57665
Medium

An Insecure Direct Object References (IDOR) vulnerability in GravityView versions up to 3.0.0 allows an unauthenticated attacker to access private data. The flaw is due to missing permission checks on object references.

CVE-2026-57664
Medium

The vulnerability in the Bopo – WooCommerce Product Bundle Builder plugin version 1.1.6 and earlier allows unauthenticated attackers to access sensitive data. The flaw is due to insufficient protection of API endpoints or data exposure mechanisms.

CVE-2026-57663
High

The Recipe Maker For Your Food Blog plugin by Zip Recipes version 8.2.7 and earlier contains a Contributor SQL Injection vulnerability.

CVE-2026-57662
High

SQL Injection vulnerability in the Contributor component of Contest Gallery plugin up to version 30.0.0. Allows an attacker to manipulate database queries through improperly sanitized input.

CVE-2026-57661
Medium

The WPComplete plugin versions up to 2.9.5.5 contain a vulnerability involving broken access control by a subscriber. A user with the subscriber role can gain unauthorized access to functions intended for higher roles.

CVE-2026-57660
Medium

The Booking and Rental Manager plugin version 2.7.1 and earlier contains a vulnerability allowing unauthenticated attackers to bypass access controls. This flaw enables unauthorized access to booking and rental management functions.

CVE-2026-57659
High

The Paid Memberships Pro - Add Member From Admin plugin version 0.7.2 and earlier is vulnerable to unauthenticated Cross-Site Request Forgery (CSRF). An attacker can exploit this vulnerability to perform unauthorized actions in the context of an administrator without requiring an authenticated session.

CVE-2026-57658
Critical

The vulnerability allows an administrator to arbitrarily upload files in TemplateSpare versions up to and including 4.2.0. An attacker with administrator privileges can upload a malicious file to the server.

CVE-2026-57657
Medium

The Gmail SMTP plugin version 1.2.3.19 and earlier contains an unauthenticated Cross-Site Request Forgery (CSRF) vulnerability. An attacker can exploit this flaw to perform unauthorized actions in the context of a logged-in administrator.

CVE-2026-57656
Medium

Cross Site Scripting (XSS) vulnerability in Hester Core versions up to 1.1.8. Allows an attacker to inject malicious JavaScript code into the page, potentially leading to session theft or user redirection.

CVE-2026-57655
High

The vulnerability allows an unauthenticated attacker to perform a Cross-Site Request Forgery (CSRF) in the Child Theme Wizard plugin version 1.4 and earlier. The attack can lead to unauthorized changes in the plugin configuration without the administrator's knowledge.

CVE-2026-57654
Medium

The Affiliates Manager plugin version 2.9.49 and earlier suffers from a broken access control vulnerability for affiliates. This allows unauthorized users to perform actions they should not have permission to.

CVE-2026-57653
High

The WP Job Portal plugin version 2.5.2 and earlier contains a SQL injection vulnerability in the Contributor module. This allows an attacker to manipulate database queries.

CVE-2026-57652
Medium

An IDOR vulnerability in JS Help Desk versions up to 3.1.0 allows an unauthenticated attacker to directly access objects such as tickets or customer data by manipulating request parameters.

PreviousPage 279 of 4700Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS