CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
The WPForms plugin for WordPress up to version 1.10.2 is vulnerable to CRLF Injection, allowing email header injection. The flaw occurs due to improper handling of the Reply-To display name, enabling unauthenticated attackers to inject arbitrary headers like Bcc into outgoing notification emails.
The Appointment Booking Calendar plugin for WordPress up to version 1.4.02 exposes sensitive information via the cpabc_appointments_filter_list parameter. This allows authenticated attackers with contributor-level access or higher to extract customer personal identifiable information such as names, email addresses, phone numbers, appointment comments, and other booking details.
The Taskbuilder plugin for WordPress up to version 5.0.8 is vulnerable to generic SQL injection via the 'task_search' parameter due to insufficient escaping and lack of query preparation. Authenticated attackers with subscriber-level access or higher can append malicious SQL queries.
The Taskbuilder plugin for WordPress is vulnerable to generic SQL injection via the 'wppm_proj_filter' parameter in versions up to 5.0.8. Insufficient escaping and lack of query preparation allow authenticated attackers (subscriber-level and above) to append additional SQL queries, enabling extraction of sensitive database information.
The LearnPress WordPress LMS plugin up to version 4.3.9.1 is vulnerable to Insecure Direct Object Reference (IDOR) via the 'userId' parameter. An authenticated attacker with subscriber-level access or higher can view course enrollment progress and completion data belonging to instructors and administrators.
The GiveWP plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 4.15.3. This is due to missing nonce validation on the give_set_notification_status_handler() function, allowing unauthenticated attackers to disable donation email notifications via a forged request.
The JetWidgets For Elementor plugin for WordPress up to version 1.0.21 is vulnerable to Stored Cross-Site Scripting (XSS). This is due to insufficient output escaping and missing server-side validation of the Animated Box widget's animation_effect setting before it is rendered inside an HTML class attribute. Authenticated attackers with author-level access or higher can inject arbitrary web scripts that execute when a user visits an injected page.
In the Modem module, a vulnerability was found that allows privilege escalation through a permissions bypass. This can be exploited locally if the attacker already has System privileges. User interaction is not required for exploitation.
A memory corruption vulnerability due to a heap buffer overflow has been discovered in Telephony. This could lead to local escalation of privilege if an attacker already has System privileges. User interaction is not required for exploitation.
In the Modem module, there is a possible out-of-bounds write due to a missing bounds check. This could lead to remote denial of service if a UE connects to a rogue base station controlled by the attacker. No additional execution privileges or user interaction are needed for exploitation.
In the Modem module, there is a vulnerability leading to information disclosure due to improper input validation. An attacker can remotely disclose information if the user equipment (UE) connects to a rogue base station controlled by the attacker. No additional execution privileges or user interaction are required for exploitation.
A vulnerability in the Modem component allows remote denial of service due to improper input validation. An attacker can cause a system crash by using a rogue base station without requiring user interaction.
In the Modem module, a possible memory corruption due to a missing bounds check could lead to remote escalation of privilege if a UE connects to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not required for exploitation.
A vulnerability in the Modem component allows remote denial of service due to improper input validation. An attacker can cause a system crash by luring a UE to connect to a rogue base station.
An out-of-bounds heap write vulnerability exists in the RAR5 recovery-volume (.rev) parser in WinRAR and UnRAR. The RecItems vector is sized only for the first .rev file, and subsequent files can supply a RecNum value not validated against the actual vector size. An attacker can craft a set of .rev files to write a controlled 32-bit value past the allocated buffer, corrupting adjacent heap objects.
The CRI plugin in containerd prior to versions 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10 propagates labels from an image config (LABEL instruction in Dockerfile) to a container without validation. This may allow arbitrary command execution on the host via a plugin that consumes container labels for operations.
In runc prior to versions 1.3.6, 1.4.3, and 1.5.0, setupPtmx and setupDevSymlinks use filepath.Join with os.Remove and os.Symlink, allowing an image with /dev as a symlink to delete the ptmx file on the host or create symlinks in an arbitrary host directory. This is not exploitable under Docker, but other container tooling built on runc remains exposed.
A vulnerability in the Oj (Optimized JSON) library for Ruby prior to version 3.17.2 causes heap corruption when parsing a JSON string longer than 2 GB. An integer overflow in the buf_append_string function leads to copying an astronomically large amount of data out of bounds.
The Oj (Optimized JSON) library for Ruby prior to version 3.17.2 has a Use-After-Free vulnerability in SAJ mode. The Oj::Parser does not protect cached object keys (≥35 bytes) from garbage collection, and a Ruby callback in hash_end can free the key memory while the C parser still holds a pointer. This causes a segfault, confirmed by RIP pointing to address 0x4242.
A Use-After-Free vulnerability was found in the Oj (Optimized JSON) library for Ruby in normal parser mode. The issue occurs when the garbage collector reclaims array_class and hash_class objects before they are used, leading to dereferencing freed memory and a segfault.

