CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
A vulnerability was found in SimplePHPscripts Funeral Script PHP 3.1, rated as problematic. It affects some unknown functionality of the file /preview.php of the URL Parameter Handler component, leading to cross site scripting attacks.
A vulnerability was found in SimplePHPscripts FAQ Script PHP 2.3, affecting an unknown functionality of the file /preview.php in the URL Parameter Handler component. The manipulation leads to cross site scripting.
A vulnerability was found in Active It Zone Active eCommerce CMS version 6.5.0, allowing cross-site scripting (XSS) attacks through manipulation of the 'details' argument in the /ecommerce/support_ticket file. Inputting the script <script>alert(1)</script> can lead to unauthorized code execution.
A vulnerability was found in Onest CRM 1.0, classified as problematic. It affects an unknown part of the file /admin/project/update/2 of the component Project List Handler, where manipulation of the argument name with the input <script>alert(1)</script> leads to cross-site scripting.
CometBFT has a deadlock issue caused by a modification in the serialization of the `PeerState` structure to JSON in versions 0.34.28 and 0.37.1. The deadlock can occur when calling the MarshallJSON function, leading to node halting or blocking one of the communication channels when invoking the RPC `dump_consensus_state`.
Insecure defaults in open-source Temporal Server before version 1.20 on all platforms allow an attacker to craft a task token with access to a namespace other than the one specified in the request. This requires the namespace UUID and information from the workflow history for the target namespace.
A vulnerability was found in RocketSoft Rocket LMS 1.7 affecting unknown code in the /contact/store file of the Contact Form component. Manipulation of the arguments name/subject/message leads to cross site scripting.
A vulnerability was found in SimplePHPscripts GuestBook Script 2.2, classified as problematic. It affects an unknown part of the file preview.php of the component URL Parameter Handler, leading to cross-site scripting attacks.
A vulnerability was found in SimplePHPscripts Event Script 2.1, affecting some unknown functionality of the file preview.php of the component URL Parameter Handler. The manipulation leads to cross site scripting.
A vulnerability has been found in SimplePHPscripts Simple Blog 3.2, affecting an unknown functionality of the file preview.php in the URL Parameter Handler component. The manipulation leads to cross site scripting.
A vulnerability was found in SimplePHPscripts Classified Ads Script 1.8, affecting an unknown functionality of the file user.php of the HTTP POST Request Handler component. Manipulation of the argument title leads to cross-site scripting.
A vulnerability was found in SimplePHPscripts Classified Ads Script 1.8, classified as problematic. Manipulation of the argument 'p' in the /preview.php file leads to cross-site scripting.
Xpdf version 4.04 can deadlock when processing a PDF object stream whose 'Length' field is in another object stream.
SpiceDB, a Google Zanzibar-inspired database system, has an issue with negative authorization decisions using the `LookupResources` request in version 1.22.0. Users may incorrectly gain access to resources that should be blocked.
Shescape is a simple shell escape library for JavaScript. An attacker may be able to get read-only access to environment variables. This bug has been patched in version 1.7.1.
Improper access control exists in the GitHub repository admidio/admidio prior to version 4.2.9.
A vulnerability classified as problematic has been found in SourceCodester Game Result Matrix System 1.0. Manipulation of the argument del_name in the file /dipam/save-delegates.php leads to cross site scripting.
A vulnerability was found in SourceCodester Online School Fees System 1.0 that allows cross-site scripting (XSS) attacks through manipulation of the doj parameter in the /paysystem/datatable.php file. The attack can be launched remotely.
Flask-AppBuilder is an application development framework that prior to version 4.3.2 had a vulnerability allowing an authenticated attacker with Admin privileges to trigger a database error by adding a special character in the add or edit User forms. This error could expose the entire user row, including the pbkdf2:sha256 hashed password.
A vulnerability was found in SourceCodester Resort Management System 1.0 that leads to cross-site scripting (XSS) attacks through manipulation of the 'page' argument. The attack can be launched remotely.

