CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-13601
High

A flaw was found in Yelp due to an overly permissive Content Security Policy (CSP) in yelp-xsl. A malicious Flatpak application can open crafted help content via the OpenURI portal, embedding an untrusted CSS stylesheet within a structured SVG document to bypass Flatpak's sandbox isolation and disclose arbitrary user-readable host files through remote CSS resource requests.

CVE-2026-13555
High

A SQL injection vulnerability was found in Online Hotel Management System 1.0 in the file /admin/mod_users/controller.php?action=add. Manipulation of the Name argument allows remote SQL injection. The exploit has been made public, increasing attack risk.

CVE-2026-13553
High

A flaw in Online Hotel Management System 1.0 in the file /admin/mod_amenities/controller.php?action=add allows unrestricted file upload via the image argument. This can lead to remote code execution. The exploit has been published and may be used.

CVE-2026-13552
High

A SQL injection vulnerability was found in the Online Hotel Management System 1.0 in the file /admin/mod_amenities/controller.php?action=edit. An attacker can remotely manipulate the amen_id argument, leading to SQL injection. The exploit is publicly available.

CVE-2026-22078
High

The vulnerability in O+ Connect's IPC service stems from a lack of client authentication. External applications can escalate privileges and perform sensitive actions through the IPC channel.

CVE-2026-13551
High

A SQL injection vulnerability has been found in itsourcecode Baptism Information Management System 1.0 in the /editBaptism.php file. An attacker can remotely manipulate the ID argument, leading to SQL injection. The exploit has been publicly disclosed.

CVE-2026-13550
High

A SQL injection vulnerability has been found in itsourcecode Baptism Information Management System 1.0 in the file /delbaptism.php. An unknown function mishandles the ID argument, allowing remote exploitation. The exploit is publicly available and could be used in attacks.

CVE-2026-13547
High

A vulnerability was found in Hanwang e-Face General Management Platform 6.3.5.4, allowing unrestricted file upload. The issue affects the /manage/resourceUpload/upload.do endpoint, where manipulation of the File argument enables remote upload of arbitrary files. The exploit has been publicly disclosed and may be used.

CVE-2026-13546
High

A missing authentication vulnerability was found in Feehi CMS up to version 2.1.1 in the REST API endpoint /api/articles. The attack can be performed remotely without authentication, and exploit details are publicly available.

CVE-2026-13545
HighEPSS 72%

A vulnerability was found in D-Link DCS-935L camera firmware version 1.10.01, allowing OS command injection. The issue resides in the sub_400E40 function of the setconf.cgi file, where the UID argument is mishandled by the POST Parameter Handler component. The attack can be launched remotely, and exploit details are publicly available.

CVE-2026-13539
High

A stack-based buffer overflow vulnerability was found in Wavlink WL-NU516U1-A firmware M16U1_V240425 in the sub_407504 function of /cgi-bin/wireless.cgi. Manipulation of the Guest_ssid argument in the POST Parameter Handler allows remote code execution. The exploit is publicly available.

CVE-2026-10083
High

The APCu Manager WordPress plugin before version 4.5.0 fails to escape APCu object-cache keys before rendering them in an admin-area page, leading to a Stored Cross-Site Scripting vulnerability. Cache keys derived from unsanitized user input (e.g., a transient name created by an unauthenticated request) are output without escaping and execute arbitrary JavaScript in the session of an administrator viewing the page.

CVE-2025-2902
High

An improper authorization vulnerability has been discovered in the maintenance utility of Hitachi Virtual Storage Platform systems. This flaw allows unauthorized access to maintenance functions, potentially compromising data integrity and confidentiality.

CVE-2026-13528
High

A path traversal vulnerability was found in ruoyi-vue-pro up to version 2026.04-jdk8-SNAPSHOT in the generateUploadPath function of FileServiceImpl.java. An attacker can remotely manipulate the file path, leading to unauthorized access to resources.

CVE-2026-13527
High

A SQL injection vulnerability has been found in SourceCodester Class and Exam Timetabling System 1.0 in the file /preview4.php. An unknown function improperly handles the course_year_section argument, allowing an attacker to inject SQL code. The attack can be launched remotely and exploit details have been publicly disclosed.

CVE-2026-13526
High

A SQL injection vulnerability has been found in SourceCodester Class and Exam Timetabling System 1.0 in the /edit_class.php file via the ID parameter. The attack can be performed remotely and the exploit has been published.

CVE-2026-13521
High

A SQL injection vulnerability was found in SourceCodester Class and Exam Timetabling System 1.0/5.php in the file /preview5.php. An attacker can remotely manipulate the course_year_section argument, leading to SQL injection. The exploit is publicly available.

CVE-2026-13519
High

A vulnerability was found in Tenda JD12L firmware version 16.03.53.23, involving a stack-based buffer overflow in the fromNatStaticSetting function of the /goform/NatStaticSetting file. An attacker can remotely manipulate the page argument, causing a buffer overflow. The exploit has been made public and could be used.

CVE-2026-13518
High

A stack-based buffer overflow vulnerability was discovered in Tenda JD12L firmware version 16.03.53.23 within the fromAddressNat function of the /goform/addressNat file. An attacker can remotely exploit this by manipulating the page argument. Exploit details have been publicly disclosed.

CVE-2026-13517
High

A stack-based buffer overflow vulnerability has been found in Tenda JD12L firmware version 16.03.53.23 in the formWifiBasicSet function of the /goform/WifiBasicSet file. An attacker can remotely exploit this flaw by manipulating the security_5g argument, potentially leading to arbitrary code execution.

PreviousPage 33 of 3331Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS