CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-57236
High

Vulnerability in the Nokogiri library (versions prior to 1.19.4) for Ruby. Calling Document#encoding= with an invalid encoding (e.g., non-string or containing a null byte) frees the current encoding string without replacing it. Subsequent calls to Document#encoding read freed memory, potentially causing a segfault or leaking freed bytes into a Ruby String. Affects only the CRuby (libxml2) implementation; JRuby is not affected.

CVE-2026-57235
High

Vulnerability in the Nokogiri library for Ruby allows out-of-bounds memory read via the Nokogiri::XML::NodeSet#[] method (and its alias #slice). The issue stems from incorrect bounds checking where the index is truncated to 32 bits before validation, allowing a very large negative index to pass the check and read outside allocated memory. On CRuby this causes process crashes, on JRuby it returns an incorrect node.

CVE-2026-46735
High

Dell Display and Peripheral Manager (DDPM Mac) versions prior to 2.3 contain an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability, allowing a low privileged attacker with local access to potentially execute commands.

CVE-2026-56122
High

Winstone Servlet Engine through 0.9.10 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by sending HTTP GET requests with dot-dot-slash sequences. Attackers can traverse outside the webroot directory, potentially exposing sensitive data.

CVE-2026-56071
High

Versions of Forminator up to 1.53.1 are vulnerable to unauthenticated Cross Site Scripting (XSS). An attacker can exploit this vulnerability to inject malicious JavaScript code.

CVE-2026-56054
High

In JS Help Desk versions <= 3.1.1, there is a vulnerability that allows subscribers to delete arbitrary files.

CVE-2026-56053
High

PHP Object Injection vulnerability in EventPrime plugin versions up to 4.3.4.1 allows subscribers to inject malicious PHP objects. This can lead to remote code execution or other unauthorized actions on the server.

CVE-2026-56051
High

The TablePress plugin for WordPress versions 3.3.1 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious JavaScript code without requiring authentication.

CVE-2026-56049
High

Post Snippets versions up to 4.0.19 contain a remote code execution (RCE) vulnerability, allowing attackers to execute unauthorized code on the server.

CVE-2026-56042
High

There is a Cross Site Scripting (XSS) vulnerability in Advanced Order Export For WooCommerce versions <= 4.0.9 that can be exploited by attackers to inject malicious code.

CVE-2026-56014
High

The Master Slider plugin versions up to 3.11.2 contain an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious JavaScript code without authentication.

CVE-2026-56006
High

Versions of H5P up to 1.17.6 are vulnerable to unauthenticated Cross Site Scripting (XSS). An attacker can exploit this vulnerability to inject malicious JavaScript code.

CVE-2026-56005
High

The WP Activity Log plugin versions up to 5.6.3.1 contain a Cross Site Scripting (XSS) vulnerability that can be exploited by subscribers.

CVE-2026-54848
High

The vulnerability in APIExperts Square for WooCommerce allows the insertion of sensitive information into sent data, enabling retrieval of that data later.

CVE-2026-54845
High

The vulnerability allows an unauthenticated attacker to include arbitrary local files on the server in MDTF plugin versions up to and including 1.3.8.

CVE-2026-54844
High

The CheckView Automated Testing plugin version 2.1.0 and earlier contains a vulnerability allowing unauthenticated attackers to bypass access controls. This flaw enables unauthorized access to testing features without authentication.

CVE-2026-54842
High

Missing Authorization in Royal Plugins Royal MCP allows exploiting incorrectly configured access control security levels. This issue affects Royal MCP from n/a through 1.4.25.

CVE-2026-54841
High

Versions of Vitepos up to 3.4.2 have a vulnerability that allows unauthorized access to sensitive data.

CVE-2026-54838
High

Versions of WC Vendors Marketplace up to 2.6.8 are vulnerable to SQL Injection attacks by subscribers.

CVE-2026-54830
High

The Five Star Restaurant Reservations plugin version 2.7.19 and earlier contains a vulnerability allowing unauthenticated attackers to bypass access controls. This flaw enables unauthorized access to reservation functions without required authentication.

PreviousPage 37 of 3319Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS