CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-13536
Medium

A cross-site scripting vulnerability was found in GotoHTTP up to version 10.2 in the /reg.12x file via the sn parameter. The attack can be performed remotely and the exploit details have been publicly disclosed.

CVE-2026-13535
Medium

A SQL injection vulnerability was found in CodeAstro Human Resource Management System 1.0 in the GetFileInfo function of Employee_model.php. Manipulating the ID argument in the view endpoint allows remote attack. The exploit has been published and may be used.

CVE-2026-13534
Medium

In CherryHQ cherry-studio up to version 1.9.7, a vulnerability was found in the sha256 function of the MemoryService.ts file in the CherryIN Preload API component. Manipulation of the state argument leads to authorization bypass.

CVE-2026-13533
Medium

A security vulnerability in Cockpit CMS up to version 0.12.2 affects the Spyc::YAMLLoad function in the /config/config.yaml file of the htaccess Handler component. This manipulation leads to unauthorized access to files or directories. The attack can be launched remotely and the exploit has been publicly disclosed.

CVE-2026-13532
Medium

A SQL injection vulnerability has been found in itsourcecode Hospital Management System 1.0 in the file /departmentDoctor.php. An attacker can remotely manipulate the deptid argument, leading to unauthorized database access. The exploit has been made public, increasing the risk of attacks.

CVE-2026-13531
Medium

A SQL injection vulnerability has been found in itsourcecode Hospital Management System 1.0 in the /department.php file. An attacker can remotely manipulate the editid argument, leading to SQL injection. The exploit has been publicly released.

CVE-2026-13530
Medium

A SQL injection vulnerability was found in itsourcecode Hospital Management System 1.0 in the file /appointmentdetail.php. An attacker can remotely manipulate the editid argument, leading to SQL injection. The exploit is publicly available.

CVE-2026-13529
Medium

A SQL injection vulnerability was found in YzmCMS up to version 7.5 in the file /application/install/index.php. The attack involves manipulating the siteurl argument and can be executed remotely, though it is considered difficult to exploit. The exploit has been publicly disclosed.

CVE-2026-13525
Medium

A SQL injection vulnerability was found in CodeAstro Human Resource Management System 1.0 in the emselectByCode function of Employee_model.php. The attack manipulates the emid argument in the Update_Earn_Leave endpoint. It can be exploited remotely and the exploit is publicly available.

CVE-2026-13524
Medium

A vulnerability was found in CherryHQ cherry-studio up to version 1.9.6 in the MCP OAuth Local Callback Server component. Manipulation of the 'code' argument in callback.ts leads to improper authorization. The attack can be initiated remotely but is considered difficult to exploit.

CVE-2026-13522
Medium

A security flaw has been discovered in SlimPDFReader up to version 2.0.14 in the function SlimPDFReader!Investintech::PCV::TeighaDo+0x25cde0 of SlimPDFReader.exe. Manipulation leads to an out-of-bounds read. The attack can be initiated remotely.

CVE-2026-13520
Medium

A SQL injection vulnerability was found in itsourcecode Hospital Management System 1.0 in the file /appointmentapproval.php. The Appointment Handler component improperly handles the editid argument, allowing SQL injection. The attack can be performed remotely and the exploit has been publicly disclosed.

CVE-2026-13513
Medium

A security flaw was discovered in MyScale MyScaleDB up to version 1.8.0 in the SegmentId::getCacheKey function within src/VectorIndex/Common/SegmentId.h. It involves insufficient verification of data authenticity, allowing remote attacks with high complexity. The exploit has been published, and a fix is pending acceptance.

CVE-2026-13512
Medium

A vulnerability was found in Databend up to version 1.2.881 on HTTP. The ClientSessionManager::state_key function in client_session_manager.rs allows authorization bypass. The attack can be performed remotely and the exploit is publicly available.

CVE-2026-13509
Medium

A vulnerability was found in RAGapp up to version 0.1.5 in the FileHandler.upload_file/FileHandler.remove_file function in src/ragapp/backend/controllers/files.py. This flaw allows remote path traversal attacks.

CVE-2026-13508
Medium

A vulnerability was found in khoj-ai khoj up to version 2.0.0-beta.28 in the Conversation Sharing Handler function in src/khoj/routers/api_chat.py. Manipulation of the conversation.agent argument causes incorrect authorization, allowing remote exploitation without authentication.

CVE-2026-13507
Medium

A vulnerability was found in the Local VectorDB Primary-key Label Handler component of OpenViking up to version 0.3.21, where insufficient verification of data authenticity occurs when processing the ID argument in the str_to_uint64 function. The attack can be launched remotely but is highly complex and difficult to exploit.

CVE-2026-13503
Medium

A path traversal vulnerability was found in ANTLR4 up to version 4.13.2 in the getImportedVocabFile function of TokenVocabParser.java. The attack can be executed remotely and the exploit is publicly available.

CVE-2026-13502
Medium

A time-of-check time-of-use (TOCTOU) vulnerability has been found in ANTLR4 up to version 4.13.2 in the ObjectInputStream.readObject function of the GrammarDependencies.java file in the Maven Plugin component. The attack requires local access and is difficult to exploit, but an exploit has been published.

CVE-2026-13501
Medium

A vulnerability was found in ANTLR4 up to 4.13.2, affecting the GoTarget function in GoTarget.java. A local attacker can inject commands via the gofmt component, leading to unauthorized operations.

PreviousPage 31 of 519Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS