CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-47367
Critical

An Improper Input Validation vulnerability in UID Enterprise Agent allows a malicious actor with network access and low privileges to exploit it for Command Injection on the host device.

CVE-2026-47365
Critical

CVE-2026-47365 is an argument injection vulnerability in WordPress Toolkit before version 6.11.0, as used in cPanel and WHM. It allows remote authenticated users to bypass cross-tenant authorization and execute arbitrary wp-toolkit CLI commands as another account.

CVE-2026-45060
Critical

ClipBucket v5 is an open source video sharing platform that was vulnerable to blind SQL injection in the actions/progress_video.php endpoint prior to version 5.5.3 - #129. Unauthenticated users could exploit the ids parameter to execute SQL queries and exfiltrate sensitive data.

CVE-2026-42846
Critical

ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #140, the Remote Play feature allowed adding videos by importing an external URL, leading to arbitrary command execution due to improper URL handling.

CVE-2026-49060
Critical

The Hippoo Mobile App for WooCommerce has a vulnerability related to incorrect privilege assignment, allowing privilege escalation.

CVE-2026-42647
CriticalEPSS 90%

CVE-2026-42647 describes an improper neutralization of special elements used in SQL commands, leading to the possibility of Blind SQL Injection attacks in the Beardev JoomSport application.

CVE-2026-39494
Critical

The SQL Injection vulnerability in the Product Filter by WBW allows for Blind SQL Injection attacks. This issue affects versions from n/a through 3.1.2.

CVE-2026-12027
Critical

Inappropriate implementation in Headless in Google Chrome prior to version 149.0.7827.115 allowed a remote attacker who compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

CVE-2026-41005
Critical

Cloud Foundry UAA incorrectly treated XML encryption as a substitute for XML signatures in two SAML flows, potentially allowing unsigned assertions containing encrypted content to be accepted. This issue occurs when wantAssertionSigned is set to false.

CVE-2026-49973
Critical

Hermes WebUI before version 0.51.358 contains an improper access control vulnerability that allows unauthenticated remote attackers to hijack initial setup by submitting the _set_password parameter to the settings API endpoint without any network origin restriction.

CVE-2026-47174
Critical

In Duck Site before version 1.0.1, there is a vulnerability related to the deployment process that can be triggered by malicious code in a pull request. An attacker can exploit this flaw to deploy a malicious Docker image to production without merging the code.

CVE-2026-47172
Critical

Quest Bot is a modern Discord bot that prior to version 1.0.3 had a privileged deployment process. An attacker could exploit a pull request from the main branch, allowing the deployment of malicious code in a privileged context.

CVE-2026-45177
Critical

Idira Secrets Manager SaaS Edge versions prior to 1.8 exhibit improper access control within its internal authentication components. A remote, unauthenticated attacker could exploit this by submitting a specially crafted request, potentially leading to a bypass of identity verification.

CVE-2026-49261
CriticalEPSS 58%

A vulnerability in MariaDB Server allows execution of arbitrary shell commands embedded in the joiner node name when `wsrep_notify_cmd` is enabled. Affected versions range from 10.6.1 to 12.3.1.

CVE-2026-9648
Critical

The crypton-x509-validation Haskell library fails to enforce X.509 NameConstraints, allowing TLS clients to accept certificates whose Subject Alternative Names fall outside the issuing CA’s permitted subtrees.

CVE-2026-11839
Critical

A vulnerability in Rotaban by Başarsoft Information Technologies Inc. allows unrestricted upload of files with dangerous types, enabling the upload of a web shell to a web server.

CVE-2026-38581
Critical

CVE-2026-38581 is an SQL Injection vulnerability in damasac thaipalliative_lte through version 3.0 that allows remote attackers to execute arbitrary SQL commands via the idFormMain and id parameters in the ezform.php file.

CVE-2026-7852
Critical

The LimRAD NAC system by Limatek System Inc. has a vulnerability allowing unrestricted upload of files with dangerous types, enabling Remote Code Inclusion.

CVE-2026-11561
Critical

CVE-2026-11561 describes an improper neutralization of special elements used in expression language statements, allowing for code injection in Apinizer software by Soagen Informatics Technologies Software and Consulting Inc.

CVE-2026-4764
Critical

CVE-2026-4764 describes a Missing Authorization vulnerability in the playbook import functionality in Dialogflow CX on Google Cloud Platform. This allows an authenticated user with specific roles to escalate privileges and potentially take over a GCP project using a maliciously crafted playbook import.

PreviousPage 43 of 556Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS