CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-12960
Medium

An Improper Export of Android Application Components vulnerability in ASUS Router App allows a third-party application on the same device to send a crafted Intent that causes ASUS Router App to open a specified URL.

CVE-2026-12920
Medium

The Cookie Banner for GDPR / CCPA – WPLP Cookie Consent plugin for WordPress is vulnerable to generic SQL injection via the 's' parameter in all versions up to and including 4.3.5 due to insufficient escaping and lack of query preparation. This allows authenticated attackers with administrator-level access to append additional SQL queries.

CVE-2026-12734
Medium

The weDocs plugin for WordPress up to version 2.3.0 contains a stored XSS vulnerability via the 'connectorWidth' block attribute. Insufficient input sanitization and output escaping allow authenticated attackers with contributor-level access or higher to inject arbitrary scripts that execute when a user visits an affected page.

CVE-2026-12731
Medium

The weDocs plugin for WordPress up to version 2.3.0 is vulnerable to Stored Cross-Site Scripting via 'sectionTitleTag' and 'articleTitleTag' Block Attributes due to insufficient input sanitization and output escaping. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts that execute whenever a user visits an affected page.

CVE-2026-12729
Medium

The weDocs plugin for WordPress up to version 2.3.0 has a missing authorization vulnerability in the do_migration() function. Authenticated attackers with Subscriber-level access can trigger a full data migration from BetterDocs to weDocs, creating and modifying 'docs' custom post type entries, updating site options, and deactivating BetterDocs and BetterDocs Pro plugins.

CVE-2026-55726
Medium

The Azure Blob Storage container used for Gardyn device logs is publicly listable without authentication. A malicious user would be able to access any device log file available in the blob storage container.

CVE-2026-54477
Medium

The admin panel lacks standard security headers, enabling clickjacking and cross-site scripting attacks.

CVE-2026-13728
Medium

Under exceptional circumstances, WatchGuard Fireware OS on a FireCluster may use a hard-coded encryption key to encrypt saved credentials for Access Portal resources. This vulnerability affects Fireware OS versions 12.1 up to 12.12 and 2025.1 up to 2026.2.

CVE-2026-13377
Medium

A stored XSS vulnerability exists in the SIP Proxy module of WatchGuard Fireware OS. Improper input neutralization allows injection of a malicious script that is stored on the server. This is an additional unmitigated attack path for CVE-2025-6947.

CVE-2026-13376
Medium

A Stored Cross-Site Scripting (XSS) vulnerability was found in the spamBlocker module of WatchGuard Fireware OS due to improper input neutralization during web page generation. This is an additional unmitigated attack vector for CVE-2025-1071.

CVE-2026-13375
Medium

A stored XSS vulnerability exists in the Autotask Technology Integration module of WatchGuard Fireware OS. This is an additional unmitigated attack path for CVE-2025-13938.

CVE-2026-13374
Medium

A stored XSS vulnerability exists in the ConnectWise Technology Integration module of WatchGuard Fireware OS. This is an additional unmitigated attack vector for CVE-2025-13937.

CVE-2026-13373
Medium

A Stored Cross-Site Scripting (XSS) vulnerability has been found in the Tigerpaw Technology Integration module of WatchGuard Fireware OS. An attacker can inject malicious JavaScript code into web pages, which will execute in other users' browsers. This is an additional unmitigated attack vector for the previously disclosed CVE-2025-13936.

CVE-2026-13371
Medium

A vulnerability in the Fireware Management Web UI allows an authenticated administrator to trigger a denial-of-service (DoS) condition by sending crafted data to the put_data endpoint, which performs unsafe deserialization of attacker-supplied input.

CVE-2026-26145
Medium

An improper access control vulnerability in Azure Synapse allows an authorized attacker to elevate privileges over a network. The issue affects authorization mechanisms in Microsoft's analytics service.

CVE-2026-59102
Medium

Forgejo before version 15.0.3 contains a stored cross-site scripting vulnerability that allows authenticated attackers to execute arbitrary JavaScript in other users' browsers. The attack involves setting a full name with an HTML payload and triggering an Actions run, leading to script injection when the page is rendered.

CVE-2026-59101
Medium

AutoBangumi before version 3.2.8 contains a server-side request forgery (SSRF) vulnerability. Unauthenticated remote attackers can probe internal network services by supplying arbitrary host values to an unprotected setup endpoint.

CVE-2026-59100
Medium

LobeChat through version 2.2.9 contains a broken object level authorization vulnerability that allows authenticated attackers to access and modify other users' chat-group agent data by supplying arbitrary group identifiers. Attackers can invoke the getGroupAgents, updateAgentInGroup, and removeAgentsFromGroup operations without user-scoped predicates to read agent listings, modify agent roles and ordering, and remove agents from chat groups belonging to other users.

CVE-2026-59098
Medium

LobeChat up to version 2.2.9 contains a broken access control vulnerability in the RAG semantic search functionality. Authenticated attackers can access other users' data by exploiting missing user-identifier predicates in the chunk model semanticSearch method.

CVE-2026-59097
Medium

Taiga before version 6.10.2 contains a missing authorization vulnerability that allows unauthenticated remote attackers to create default due-date records in any project by exploiting unprotected POST endpoints on the user-story, task, and issue due-date API viewsets. Attackers can supply an arbitrary project identifier to these endpoints, bypassing permission checks and applying the AllowAny default, to pre-empt project administrators from initializing due dates.


Vulnerability data from NVD (NIST) · CISA KEV · EPSS