CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
A vulnerability was found in Edimax EW-7478APC version 1.04, allowing OS command injection via the rootAPmac argument in the formiNICbasic function. The attack is remotely exploitable and the exploit is publicly available.
A security vulnerability has been detected in Edimax EW-7478APC 1.04, where the formAccept function in /goform/formAccept of the POST Request Handler component is vulnerable to OS command injection via the submit-url argument. The attack can be performed remotely, and the exploit has been publicly disclosed.
A cross-site scripting vulnerability was found in itsourcecode Online Hotel Management System 1.0 in the file /admin/mod_room/controller.php?action=add. Manipulation of the Name argument in a POST request allows remote injection of malicious scripts. The exploit is publicly available.
A cross-site scripting vulnerability was found in itsourcecode Online Hotel Management System 1.0. An unknown part of the file /admin/mod_users/controller.php?action=edit in the POST Request Handler component allows manipulation of the Name argument, leading to script execution. The attack can be performed remotely and the exploit has been publicly disclosed.
A cross-site scripting vulnerability was found in Online Hotel Management System 1.0 in the file /admin/mod_amenities/controller.php?action=add. Manipulation of the Name argument in a POST request allows remote script injection. The exploit has been disclosed.
Eclipse tinydtls before commit b3efd41ad111a4920f599f51ffa4f5e9f1e72221 contains an out-of-bounds read vulnerability in the check_server_certificate() function. An unauthenticated attacker can trigger reads beyond valid buffer boundaries by crafting a Certificate handshake message with a specific fragment_length value.
A path traversal vulnerability was found in spice-vdagent. It allows a malicious or compromised SPICE host to write arbitrary files to any location on the guest operating system. The issue occurs because the filename provided by the SPICE host during file transfers is not properly sanitized.
An integer overflow vulnerability was found in spice-vdagent. A malicious or compromised SPICE host can send a crafted message, leading to a heap buffer overflow and crash of the spice-vdagent daemon. This results in a Denial of Service (DoS) for the virtual machine.
The Simple User Avatar plugin for WordPress contains an authorization bypass vulnerability through a user-controlled key. This allows exploiting incorrectly configured access control security levels.
A heap use-after-free vulnerability was found in the libblkid library of util-linux. During nested partition probing, a cached pointer to a parent partition entry becomes stale after array reallocation, allowing an attacker to read freed memory.
A security flaw in CodeAstro Complaint Management System 1.0 allows remote authorization bypass via the deletereport function in Report.php. The exploit is publicly available.
A SQL injection vulnerability was found in itsourcecode Hospital Management System 1.0 in the /doctortimings.php file. Remote attackers can manipulate the editid argument to inject SQL code. The exploit is publicly available.
The F4 Post Tree WordPress plugin before version 2.0.5 does not perform capability checks or CSRF/nonce verification on one of its AJAX actions, allowing authenticated users with Subscriber-level access and above to modify the parent and menu order of arbitrary posts.
A vulnerability has been found in Feehi CMS up to version 2.1.1 in the file /api/users of the API component. Unknown functionality of this file causes improper access controls, allowing remote attacks. The exploit has been published and may be used.
A vulnerability was found in Documenso up to version 2.11.0 in the Google OAuth Login component. An unknown function in handle-oauth-callback-url.ts leads to improper authentication. The attack can be launched remotely but is difficult to exploit due to high complexity.
A SQL injection vulnerability has been found in itsourcecode Hospital Management System 1.0 in the /doctorprofile.php file. An attacker can remotely manipulate the doctorname argument, leading to SQL injection. The exploit has been publicly disclosed.
A SQL injection vulnerability has been found in itsourcecode Hospital Management System 1.0 in the /doctorchangepassword.php file. Manipulating the newpassword argument allows remote exploitation. The exploit is publicly available, increasing the risk of attacks.
A server-side request forgery (SSRF) vulnerability has been discovered in GitBucket up to version 4.46.1 in the Git.cloneRepository.setURI function. Manipulating the url argument in RepositoryCreationService.scala allows remote exploitation. The exploit is public, and applying a patch is recommended.
Information exposure vulnerability in Hitachi Storage Navigator. This flaw affects multiple Hitachi Virtual Storage Platform models before specific DKCMAIN and SVP software versions.
A command injection vulnerability was found in Wavlink WL-NU516U1-A firmware version M16U1_V240425. The issue is in the sub_401D68 function of the /cgi-bin/wireless.cgi file, where the SSID2G2, SSID5G2, AuthMethod2, and WPAPSK12 parameters are improperly handled. Remote exploitation is possible, and the exploit has been publicly disclosed.

