CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
MCO is vulnerable to Path Disclosure and Path Traversal in file handling functionality related to data export and upload. Improper validation of the filename parameter allows writing files to arbitrary locations as well as indirect disclosure of absolute server paths through error messages.
A vulnerability in @fastify/middie versions 9.1.0 through 9.3.2 causes a mismatch in handling encoded slashes (%2F) between the middleware and Fastify's router. An attacker can bypass middleware used for authentication, authorization, rate limiting, or auditing by sending a crafted request with an encoded slash in the parameter position.
Vulnerability in @fastify/middie versions 9.1.0 through 9.3.2 causes Node.js process termination when processing malformed percent-encoded sequences in request paths. The issue only affects the standalone engine API (middie.run), not the Fastify plugin path.
A flaw was found in dhcpcd's IPv6 Neighbor Discovery Router Advertisement processing. A specially crafted IPv6 Router Advertisement containing a zero-length Neighbor Discovery option can bypass validation during packet storage and later be reparsed without adequate validation, causing the parser to enter a non-advancing loop. Successful exploitation may result in excessive CPU consumption, leading to a denial of service.
The LatePoint plugin for WordPress up to version 5.6.3 is vulnerable to privilege escalation to Administrator due to an Insecure Direct Object Reference (IDOR) in the create_or_update() function and missing role verification in OsAuthHelper::authorize_customer(). An authenticated attacker with Agent-level access can overwrite any customer's email, including one linked to an Administrator account, and then log in as that user.
The NEX-Forms plugin for WordPress up to version 9.2.2 is vulnerable to Stored Cross-Site Scripting via the '_name[]' array parameter. Insufficient input sanitization and output escaping allow unauthenticated attackers to inject arbitrary scripts that execute when a user accesses the affected page.
The WP Photo Album Plus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subtext' parameter in versions up to and including 9.1.13.005 due to insufficient input sanitization and output escaping. This allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts.
Missing Authorization vulnerability in Woffice allows exploiting incorrectly configured access control security levels. This issue affects Woffice versions before 5.4.33.
The MotoPress Appointment Booking plugin for WordPress is vulnerable to generic SQL injection via the 's' parameter in all versions up to and including 2.4.5 due to insufficient escaping and lack of query preparation. This allows authenticated attackers with custom-level access or higher to append additional SQL queries to existing ones.
The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'layoutstyle' parameter in all versions up to and including 1.8.12 due to insufficient input sanitization and output escaping.
The vulnerability in CGI::Session::ID::md5 for Perl before version 4.49 generates predictable session IDs from low-entropy sources. The generate_id method builds the session ID from an MD5 digest of the process ID, epoch time, and the built-in rand() function, all of which are predictable.
An OS command injection vulnerability exists in SkyBridge MB-A100/MB-A110 devices. The issue is caused by improper neutralization of special elements used in OS commands.
The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'no_data_msg' shortcode attribute in all versions up to and including 3.3.60 due to insufficient input sanitization and output escaping. This allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts that execute when a user visits an injected page.
The LearnPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_wrapper_form' shortcode attribute in versions up to and including 4.4.0. Authenticated attackers with contributor-level access or higher can inject arbitrary scripts that execute when users visit the affected page.
The DVP80ES3 device contains a vulnerability due to an improperly implemented security check for the standard. This could allow an attacker to bypass security mechanisms.
The DVP80ES3 device has a vulnerability due to improper enforcement of message integrity during transmission in a communication channel. This allows an attacker to modify transmitted data without detection.
The vulnerability in DVP80ES3 involves improper resource shutdown or release, which can lead to memory leaks or other performance issues.
The Motors – Car Dealership & Classified Listings plugin for WordPress up to version 1.4.111 is vulnerable to authorization bypass. An authenticated attacker with subscriber-level access can mark or unmark any other user's car listing as sold by replaying a valid nonce from their own listing.
The Slim SEO plugin for WordPress up to version 4.9.8 contains a vulnerability allowing unauthorized disclosure of private content. The issue is in the REST API endpoint `/wp-json/slim-seo/meta-tags/ai`, which does not properly verify user permissions to read a specific post, enabling authenticated attackers with Contributor-level access or higher to retrieve summaries of any post's content, including private, draft, pending, future, and password-protected posts.
The Dokan Pro plugin for WordPress is vulnerable to privilege escalation via the update_capabilities REST Endpoint in all versions up to and including 5.0.4. The lack of allowlist validation allows authenticated attackers with Vendor-level access or higher, when the Vendor Staff module is enabled, to grant arbitrary WordPress capabilities, including administrator, to vendor_staff accounts, leading to full site takeover.

