CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-39583
Critical

Versions of Datalogics Ecommerce Delivery up to 2.6.62 contain a vulnerability that allows unauthenticated privilege escalation.

CVE-2026-39530
Critical

There is an unauthenticated SQL injection vulnerability in SpeakOut! Email Petitions versions up to 4.6.5.

CVE-2026-39519
Critical

GeekyBot versions up to 1.2.0 are vulnerable to unauthenticated SQL injection, which may lead to unauthorized access to the database.

CVE-2026-39512
Critical

GeoDirectory versions up to 2.8.152 are vulnerable to unauthenticated SQL injection.

CVE-2026-39511
Critical

There is an unauthenticated SQL injection vulnerability in WP Photo Album Plus versions up to 9.1.08.001.

CVE-2026-39502
Critical

There is an unauthenticated SQL injection vulnerability in Form Maker by 10Web versions up to 1.15.38.

CVE-2026-39493
Critical

There is an unauthenticated SQL injection vulnerability in Simply Schedule Appointments versions up to 1.6.9.27.

CVE-2026-39492
Critical

There is an unauthenticated SQL injection vulnerability in WP Maps versions up to 4.9.1.

CVE-2026-39465
Critical

There is a remote code execution (RCE) vulnerability in Responsive Slider by MetaSlider versions up to 3.106.0. An attacker can exploit this flaw to execute arbitrary code on the server.

CVE-2026-39441
Critical

In Free <= 5.3 versions of the Feed KuantoKusta plugin for WooCommerce, there is an unauthenticated SQL injection vulnerability.

CVE-2026-34901
Critical

iControlWP versions up to 5.5.3 contain a vulnerability that allows unauthenticated privilege escalation.

CVE-2026-27053
Critical

In Broadcast Live Video versions below 7.1.3, there is a vulnerability to unauthenticated PHP object injection.

CVE-2026-50890
Critical

In version 4.6.0 of the grocy application, a SQL injection vulnerability was discovered in the product-group parameter at /stockreports/spendings. This allows attackers to access sensitive database information via a crafted SQL statement.

CVE-2026-50887
Critical

In version 5.0.1 of shlink, there is a Server-Side Request Forgery (SSRF) vulnerability in the automatic short URL title resolution component, allowing attackers to scan internal resources by supplying a crafted longUrl.

CVE-2026-50886
Critical

Incorrect access control in the webhook management component of Project Firefly III v6.5.9 allows attackers to scan internal resources via a crafted POST request.

CVE-2026-50883
Critical

An HTML injection vulnerability in the /src/highlight.rs component of matze wastebin v3.4.1 allows attackers to execute arbitrary scripts via a crafted payload.

CVE-2026-50880
Critical

An issue in the sendmail transport integration component of YouTransfer v1.0.6 allows attackers to execute arbitrary code via supplying a crafted request.

CVE-2026-50873
Critical

Version 5.5.4 of flatnotes contains a vulnerability that allows arbitrary file uploads in the attachment handling component. Attackers can exploit this flaw to execute arbitrary code by uploading a crafted HTML or SVG file.

CVE-2026-50872
Critical

An issue in the loopback request handling component of fossar selfoss v2.20-SNAPSHOT allows attackers to execute arbitrary commands and obtain sensitive information via supplying a crafted HTTP request.

CVE-2026-50871
Critical

CVE-2026-50871 describes a vulnerability in the media archiving and export pipeline component of kanishka-linux Reminiscence v0.3.0 that allows attackers to execute arbitrary commands by supplying crafted input.

PreviousPage 39 of 556Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS