CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.16)

CVE-2026-13559
High

A SQL injection vulnerability has been found in Real State Services 1.0 in the file /single-list_sale.php?action=add. Manipulating the ID argument allows remote exploitation. The exploit is publicly available, increasing the risk of attacks.

CVE-2026-13558
Low

A security flaw has been discovered in CodeAstro Complaint Management System 1.0, affecting the Report Handler component. Manipulation of the Report Title argument in the /report/addreport file leads to cross-site scripting (XSS). Remote exploitation is possible, and the exploit has been publicly released.

CVE-2026-57346
High

The Embed Privacy plugin for WordPress contains a path traversal vulnerability that allows an attacker to access files outside the restricted directory. The issue affects versions from 1.0.0 through 1.12.3.

CVE-2026-25707
High

A relative path traversal vulnerability in libzypp before 17.38.10 allows remote attackers to overwrite system files by processing malicious repository metadata. This can lead to denial of service or privilege escalation.

CVE-2026-13601
High

A flaw was found in Yelp due to an overly permissive Content Security Policy (CSP) in yelp-xsl. A malicious Flatpak application can open crafted help content via the OpenURI portal, embedding an untrusted CSS stylesheet within a structured SVG document. This allows bypassing Flatpak's sandbox isolation, enabling Yelp to evaluate local XML inclusions and disclose arbitrary user-readable host files through remote CSS resource requests.

CVE-2026-13557
Medium

A cross-site scripting vulnerability was found in itsourcecode Online Hotel Management System 1.0 in the file /admin/mod_room/controller.php?action=add. Manipulation of the Name argument in a POST request allows remote injection of malicious scripts. The exploit is publicly available.

CVE-2026-13556
Medium

A cross-site scripting vulnerability was found in itsourcecode Online Hotel Management System 1.0. An unknown part of the file /admin/mod_users/controller.php?action=edit in the POST Request Handler component allows manipulation of the Name argument, leading to script execution. The attack can be performed remotely and the exploit has been publicly disclosed.

CVE-2026-13555
High

A SQL injection vulnerability was found in Online Hotel Management System 1.0 in the file /admin/mod_users/controller.php?action=add. Manipulation of the Name argument allows remote SQL injection. The exploit has been made public, increasing attack risk.

CVE-2026-13554
Medium

A cross-site scripting vulnerability was found in Online Hotel Management System 1.0 in the file /admin/mod_amenities/controller.php?action=add. Manipulation of the Name argument in a POST request allows remote script injection. The exploit has been disclosed.

CVE-2026-13553
High

A flaw in Online Hotel Management System 1.0 in the file /admin/mod_amenities/controller.php?action=add allows unrestricted file upload via the image argument. This can lead to remote code execution. The exploit has been published and may be used.

CVE-2026-13552
High

A SQL injection vulnerability was found in the Online Hotel Management System 1.0 in the file /admin/mod_amenities/controller.php?action=edit. An attacker can remotely manipulate the amen_id argument, leading to SQL injection. The exploit is publicly available.

CVE-2026-9267
Medium

Eclipse tinydtls before commit b3efd41ad111a4920f599f51ffa4f5e9f1e72221 contains an out-of-bounds read vulnerability in the check_server_certificate() function. An unauthenticated attacker can trigger reads beyond valid buffer boundaries by crafting a Certificate handshake message with a specific fragment_length value.

CVE-2026-57966
Medium

A path traversal vulnerability was found in spice-vdagent. This flaw allows a malicious or compromised SPICE host to write arbitrary files to any location on the guest operating system, as the filename provided by the host is not properly sanitized before use.

CVE-2026-57965
Medium

An integer overflow vulnerability was found in spice-vdagent. A malicious or compromised SPICE host can send a crafted message, leading to a heap buffer overflow and crash of the spice-vdagent daemon, resulting in a Denial of Service (DoS) for the virtual machine.

CVE-2026-57676
Medium

The Simple User Avatar plugin for WordPress contains an authorization bypass vulnerability through a user-controlled key. This allows exploiting incorrectly configured access control security levels.

CVE-2026-22078
High

The vulnerability in O+ Connect's IPC service stems from a lack of client authentication. External applications can escalate privileges and perform sensitive actions through the IPC channel.

CVE-2026-13595
Medium

A heap use-after-free vulnerability was found in the libblkid library of util-linux. During nested partition probing, a pointer to a parent partition entry becomes stale after array reallocation, allowing an attacker to read freed memory.

CVE-2026-13551
High

A SQL injection vulnerability has been found in itsourcecode Baptism Information Management System 1.0 in the /editBaptism.php file. An attacker can remotely manipulate the ID argument, leading to SQL injection. The exploit has been publicly disclosed.

CVE-2026-13550
High

A SQL injection vulnerability has been found in itsourcecode Baptism Information Management System 1.0 in the file /delbaptism.php. An unknown function mishandles the ID argument, allowing remote exploitation. The exploit is publicly available and could be used in attacks.

CVE-2026-13549
Medium

A security flaw in CodeAstro Complaint Management System 1.0 allows remote authorization bypass via the deletereport function in Report.php. The exploit is publicly available.

PreviousPage 302 of 4738Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS