CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-58521
Critical

An SQL injection vulnerability in the Cargo extension for MediaWiki allows an attacker to inject malicious SQL code. The issue affects versions before 1.43.9, 1.44.6, and 1.45.4.

CVE-2026-58520
Medium

An open redirect vulnerability in the UrlShortener extension for MediaWiki allows Cross-Site Flashing attacks. Affected versions are before 1.43.9, 1.44.6, and 1.45.4.

CVE-2026-57737
Medium

The Shortcodes and extra features plugin for the Phlox theme contains a DOM-Based XSS vulnerability due to improper input neutralization during web page generation.

CVE-2026-57736
High

An insertion of sensitive information into sent data vulnerability in HubSpot allows retrieval of embedded sensitive data. This issue affects HubSpot from n/a through 11.3.51.

CVE-2026-57723
High

A CSRF vulnerability in VikBooking Hotel Booking Engine & PMS allows an attacker to perform operations leading to Path Traversal. This issue affects all versions up to and including 1.8.12.

CVE-2026-57722
Medium

The Enable Media Replace WordPress plugin contains a stored Cross-Site Scripting (XSS) vulnerability due to improper input neutralization during page generation. This affects versions from n/a through 4.2.1.

CVE-2026-54428
High

A vulnerability in the HTTP/2 HPACK decoder in Apache HttpComponents Core (versions 5.4.2 and earlier, 5.5-beta1 and earlier) allows a remote attacker to cause denial of service via memory exhaustion by sending oversized compressed header blocks before the HTTP/2 SETTINGS acknowledgement applies the configured header list size limit.

CVE-2026-51946
Medium

SQL Injection vulnerability in GoAdminGroup GoAdmin (last release v1.2.26) allows a remote attacker to execute arbitrary code and obtain sensitive information via the __sort_type URL parameter on all /admin/info/{table} endpoints.

CVE-2026-49091
High

CWE-117 vulnerability in Kibana allows injection of unsanitized data into logs. An attacker can supply specially crafted input that is written to log files without proper neutralization. When logs are viewed in a terminal that interprets control sequences, the injected content may alter the displayed log data.

CVE-2026-49090
Medium

CVE-2026-49090 in Elasticsearch allows a denial of service (DoS) via uncontrolled resource consumption. An authenticated user can submit a specially crafted bulk request causing sustained high CPU usage, rendering the affected node unable to process requests.

CVE-2026-46680
High

In containerd prior to versions 1.7.32, 2.0.9, 2.2.4, and 2.3.1, containers with a numeric User directive that cannot be parsed as a 32-bit integer are incorrectly treated as a username. This allows bypassing the Kubernetes runAsNonRoot restriction if a crafted image maps this large numeric string to root in /etc/passwd, causing the container to run as root (UID 0).

CVE-2026-58454
High

JAIOTlink C492A-W6 Wi-Fi IP cameras with firmware 4.8.30.57701411 contain a remote code execution vulnerability. An authenticated attacker can write a malicious script to persistent JFFS2 storage and trigger execution via an HTTP endpoint, achieving persistent control over the device.

CVE-2026-58453
CriticalEPSS 74%

JAIOTlink C492A-W6 Wi-Fi IP cameras running firmware 4.8.30.57701411 contain hard-coded credentials that allow network-adjacent attackers to gain unauthorized access by using the default admin username with an empty password accepted by the anyka_ipc HTTP service on port 80. Attackers can authenticate with these credentials to access camera snapshots, video streams, network configuration, and factory-level API endpoints including the SetMAC command injection surface.

CVE-2026-58452
HighEPSS 82%

JAIOTlink C492A-W6 Wi-Fi IP cameras running firmware 4.8.30.57701411 contain an OS command injection vulnerability. An authenticated attacker can achieve remote code execution by supplying a malicious Wireless parameter to the HTTP PUT NetSDK/Factory SetMAC endpoint.

CVE-2026-57721
Medium

The ApplyOnline WordPress plugin contains a missing authorization vulnerability that allows exploiting incorrectly configured access control security levels. This issue affects versions from n/a through 2.6.7.6.

CVE-2026-57720
Medium

The ThumbPress WordPress plugin contains a missing authorization vulnerability that allows exploiting incorrectly configured access control security levels. This issue affects all versions from n/a through 6.3.2.

CVE-2026-57516
High

Ray prior to 2.56.0 contains an unsafe deserialization vulnerability in the WebDataset reader. Attackers can achieve remote code execution by supplying a malicious tar archive to the read_webdataset() function, which unconditionally calls pickle.loads() on .pkl/.pickle entries and torch.load() with weights_only=False on .pt/.pth entries, executing arbitrary code in Ray remote workers.

CVE-2026-56152
Medium

CVE-2026-56152 in Elastic Defend is caused by incorrect authorization (CWE-863), leading to unauthorized information disclosure. A low-privileged authenticated user can, under certain conditions, access response action data they are not authorized to view.

CVE-2026-56151
Medium

CVE-2026-56151 in Kibana is an improper input validation vulnerability (CWE-20) that allows an authenticated user to submit a specially crafted Fleet policy input, causing a denial of service (DoS) via input data manipulation (CAPEC-153). This attack renders Fleet agent, server, and policy management functionality unavailable.

CVE-2026-56150
Medium

A vulnerability in Fleet Server allows an attacker to send a specially crafted request to an upload endpoint, causing excessive memory consumption and potentially leading to a denial of service (DoS).

PreviousPage 50 of 4518Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS