CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
An Improper Export of Android Application Components vulnerability in ASUS Router App allows a third-party application on the same device to send a crafted Intent that causes ASUS Router App to open a specified URL.
The Cookie Banner for GDPR / CCPA – WPLP Cookie Consent plugin for WordPress is vulnerable to generic SQL injection via the 's' parameter in all versions up to and including 4.3.5 due to insufficient escaping and lack of query preparation. This allows authenticated attackers with administrator-level access to append additional SQL queries.
The weDocs plugin for WordPress up to version 2.3.0 contains a stored XSS vulnerability via the 'connectorWidth' block attribute. Insufficient input sanitization and output escaping allow authenticated attackers with contributor-level access or higher to inject arbitrary scripts that execute when a user visits an affected page.
The weDocs plugin for WordPress up to version 2.3.0 is vulnerable to Stored Cross-Site Scripting via 'sectionTitleTag' and 'articleTitleTag' Block Attributes due to insufficient input sanitization and output escaping. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts that execute whenever a user visits an affected page.
The weDocs plugin for WordPress up to version 2.3.0 has a missing authorization vulnerability in the do_migration() function. Authenticated attackers with Subscriber-level access can trigger a full data migration from BetterDocs to weDocs, creating and modifying 'docs' custom post type entries, updating site options, and deactivating BetterDocs and BetterDocs Pro plugins.
The Azure Blob Storage container used for Gardyn device logs is publicly listable without authentication. A malicious user would be able to access any device log file available in the blob storage container.
The admin panel lacks standard security headers, enabling clickjacking and cross-site scripting attacks.
Under exceptional circumstances, WatchGuard Fireware OS on a FireCluster may use a hard-coded encryption key to encrypt saved credentials for Access Portal resources. This vulnerability affects Fireware OS versions 12.1 up to 12.12 and 2025.1 up to 2026.2.
A stored XSS vulnerability exists in the SIP Proxy module of WatchGuard Fireware OS. Improper input neutralization allows injection of a malicious script that is stored on the server. This is an additional unmitigated attack path for CVE-2025-6947.
A Stored Cross-Site Scripting (XSS) vulnerability was found in the spamBlocker module of WatchGuard Fireware OS due to improper input neutralization during web page generation. This is an additional unmitigated attack vector for CVE-2025-1071.
A stored XSS vulnerability exists in the Autotask Technology Integration module of WatchGuard Fireware OS. This is an additional unmitigated attack path for CVE-2025-13938.
A stored XSS vulnerability exists in the ConnectWise Technology Integration module of WatchGuard Fireware OS. This is an additional unmitigated attack vector for CVE-2025-13937.
A Stored Cross-Site Scripting (XSS) vulnerability has been found in the Tigerpaw Technology Integration module of WatchGuard Fireware OS. An attacker can inject malicious JavaScript code into web pages, which will execute in other users' browsers. This is an additional unmitigated attack vector for the previously disclosed CVE-2025-13936.
A vulnerability in the Fireware Management Web UI allows an authenticated administrator to trigger a denial-of-service (DoS) condition by sending crafted data to the put_data endpoint, which performs unsafe deserialization of attacker-supplied input.
An improper access control vulnerability in Azure Synapse allows an authorized attacker to elevate privileges over a network. The issue affects authorization mechanisms in Microsoft's analytics service.
Forgejo before version 15.0.3 contains a stored cross-site scripting vulnerability that allows authenticated attackers to execute arbitrary JavaScript in other users' browsers. The attack involves setting a full name with an HTML payload and triggering an Actions run, leading to script injection when the page is rendered.
AutoBangumi before version 3.2.8 contains a server-side request forgery (SSRF) vulnerability. Unauthenticated remote attackers can probe internal network services by supplying arbitrary host values to an unprotected setup endpoint.
LobeChat through version 2.2.9 contains a broken object level authorization vulnerability that allows authenticated attackers to access and modify other users' chat-group agent data by supplying arbitrary group identifiers. Attackers can invoke the getGroupAgents, updateAgentInGroup, and removeAgentsFromGroup operations without user-scoped predicates to read agent listings, modify agent roles and ordering, and remove agents from chat groups belonging to other users.
LobeChat up to version 2.2.9 contains a broken access control vulnerability in the RAG semantic search functionality. Authenticated attackers can access other users' data by exploiting missing user-identifier predicates in the chunk model semanticSearch method.
Taiga before version 6.10.2 contains a missing authorization vulnerability that allows unauthenticated remote attackers to create default due-date records in any project by exploiting unprotected POST endpoints on the user-story, task, and issue due-date API viewsets. Attackers can supply an arbitrary project identifier to these endpoints, bypassing permission checks and applying the AllowAny default, to pre-empt project administrators from initializing due dates.