CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-56046
Medium

Cross Site Scripting (XSS) vulnerability in ListingPro plugin versions up to 2.9.11, allowing subscriber-level users to inject malicious JavaScript code.

CVE-2026-56026
Medium

A Server Side Request Forgery (SSRF) vulnerability exists in the utm.codes plugin versions up to 1.9.0. It allows a Subscriber to send HTTP requests from the server to internal or external resources.

CVE-2026-52701
Medium

The User Registration plugin version 5.2.2 and earlier contains an unauthenticated broken access control vulnerability. An attacker without authentication can exploit this flaw to perform unauthorized actions.

CVE-2026-4339
Medium

A vulnerability in the Mattermost Agents plugin MCP server allows an attacker with access to the MCP server in stdio mode to perform server-side request forgery (SSRF) by supplying internal URLs as file attachments in post creation requests. Affected versions are 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, and 11.5.x <= 11.5.6.

CVE-2026-45256
Medium

A vulnerability in the thr_kill2(2) function of FreeBSD allows sending a signal to any process without checking permissions. The missing verification of the p_cansignal() result enables an unprivileged user to send signals to processes owned by other users or root, as well as across jail boundaries.

CVE-2026-30040
Medium

A heap overflow in the FSViewer.exe process of FastStone Image Viewer v8.3 allows attackers to execute arbitrary code in the context of the current process via supplying a crafted JPEG 2000 (JP2) file.

CVE-2026-24547
Medium

The vulnerability in SiteGround Email Marketing plugin versions up to 1.7.5 allows unauthenticated attackers to bypass access control. Lack of required authentication enables unauthorized operations on plugin resources.

CVE-2025-68075
Medium

The BNE Testimonials plugin version 2.0.8 and earlier contains a Cross Site Scripting (XSS) vulnerability from contributors. This allows injection of malicious JavaScript code by content authors.

CVE-2025-68074
Medium

Cross Site Scripting (XSS) vulnerability in Image Carousel plugin versions up to 1.0.0.41 allows an attacker to inject malicious JavaScript code into the page. The flaw is due to insufficient input sanitization.

CVE-2025-66123
Medium

An Insecure Direct Object References (IDOR) vulnerability in BookPro version 1.1.0 and earlier allows an unauthenticated attacker to access resources they should not have permission to. The issue stems from a lack of authorization checks when directly referencing objects.

CVE-2025-64637
Medium

In Auros Core versions up to and including 5.3.1, there is an unauthenticated content injection vulnerability. An attacker without authentication can modify application content.

CVE-2025-64636
Medium

The Donation Thermometer plugin versions up to 2.2.7 contain an unauthenticated broken access control vulnerability. An attacker without authentication can gain unauthorized access to plugin functions.

CVE-2025-63079
Medium

The Live Copy Paste for Elementor plugin in versions 1.5.3 and below contains a vulnerability due to improper access control for contributors. This allows users with the contributor role to perform unauthorized actions.

CVE-2025-63078
Medium

The Restaurant Menu by MotoPress plugin in versions 2.4.11 and earlier contains a vulnerability related to broken access control by subscribers. Users with the subscriber role can gain unauthorized access to restaurant menu management functions.

CVE-2025-63041
Medium

The Forget About Shortcode Buttons plugin in versions 2.1.3 and below contains a vulnerability due to improper access control for contributors. A user with the contributor role can gain unauthorized access to functions that should be reserved for higher roles.

CVE-2026-57925
Medium

In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading saved queries and tags.

CVE-2026-57924
Medium

In JetBrains YouTrack before 2026.2.16593 default role configuration exposed excessive user profile details.

CVE-2026-57923
Medium

In JetBrains YouTrack before 2026.2.16593, improper authorization in the app configurations endpoint allowed unauthorized modification of project settings.

CVE-2026-57921
Medium

In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading users' private data via the comment templates endpoint.

CVE-2026-53914
Medium

In JetBrains Kotlin before version 2.4.20, a vulnerability was found that allows code execution via unsafe deserialization in the build cache metadata.

PreviousPage 52 of 536Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS