CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
NVIDIA Triton Inference Server contains a vulnerability that allows an attacker to bypass authentication. A successful exploit may lead to code execution, privilege escalation, data tampering, denial of service, or information disclosure.
The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to privilege escalation via user registration in all versions up to and including 1.4.4. The 'easyel_handle_register' function does not restrict user roles, allowing unauthenticated attackers to assign the 'administrator' role during registration.
The ProSolution WP Client plugin for WordPress is vulnerable to Arbitrary File Upload in versions up to and including 2.0.0. This is due to an array validation mismatch where only the first file in the upload array undergoes extension and MIME type validation, while all files are processed and uploaded to a web-accessible directory.
A missing authorization vulnerability in Drupal Date iCal allows for forceful browsing.
CtrlPanel is open-source billing software for hosting providers, which in versions 1.1.1 and prior is vulnerable to unauthenticated Remote Code Execution (RCE) due to improper install.lock checking. This allows an attacker to execute arbitrary commands on the server.
In versions 0.46.2 and below, the handle_compose_command() function in kitty/graphics.c performs bounds validation on composition offsets, potentially leading to Heap Buffer Over-Read/Write. An attacker can exploit this by supplying crafted x_offset/y_offset values that pass the bounds check after wrapping but cause massive out-of-bounds heap memory access.
In ScadaBR version 1.2.0, a Use of Hard-Coded Credentials vulnerability could allow an attacker to access the SCADA system as admin.
In ScadaBR version 1.2.0, an OS Command Injection vulnerability could allow an attacker to execute commands as root on the SCADA system.
In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated attacker to send HTTP GET requests to the SCADA system and inject arbitrary sensor readings.
CVE-2026-36829 describes an authentication bypass vulnerability in the embedded HTTP server of the Panabit PAP-XM320 device up to and including version 7.7. The server validates session cookies based on a user-controlled value, allowing for directory traversal and bypassing authentication.
CVE-2026-37281 describes an OS command injection vulnerability in the /stream-to-vlc Express route in hitarth-gg Zenshin before version 2.7.0, allowing remote attackers to execute arbitrary commands via the url parameter.
The vulnerability in APScheduler allows Remote Code Execution (RCE) via insecure deserialization in JSONSerializer and CBORSerializer classes. The unmarshal_object function enables arbitrary class instantiation and state injection by dynamically importing modules and calling __setstate__ on any class available in the Python environment.
The API endpoints in LalanaChami Pharmacy Management System (commit 5c3d028) lack authentication middleware. This allows unauthenticated remote attackers to leak all user records and modify drug inventory.
The LalanaChami Pharmacy Management System (commit 5c3d028) allows unauthenticated remote attackers to escalate privileges by self-assigning an administrative role during registration. The /api/user/signup endpoint fails to validate the role parameter in the request body.
Version 0.1.13 of the scalar/astro library was found to contain a Server-Side Request Forgery (SSRF) vulnerability in the scalar_url query parameter of the Scalar Proxy endpoint. This allows unauthenticated attackers to force the backend server to send HTTP requests to attacker-controlled URLs.
Version 0.1.13 of the scalar/astro library was found to contain an arbitrary file upload vulnerability in the scalar_url query parameter of the Scalar Proxy endpoint. This vulnerability allows attackers to execute arbitrary code by uploading a crafted SVG file.
Tyler Identity Local (TID-L) uses documented, default administrative credentials. Users are not required to change the credentials before deployment.
A critical Remote Code Execution (RCE) vulnerability in the Glassfish server-side template rendering mechanism. The application processes .xml files and evaluates EL expressions without proper sanitization, allowing an attacker to fully compromise the host.
An authenticated Remote Code Execution (RCE) vulnerability was found in GlassFish's Administration Console. A user with panel access can send crafted requests to execute arbitrary OS commands with the privileges of the application service user.
CVE-2026-8959 is a vulnerability due to incorrect boundary conditions in the Widget: Win32 component, allowing for sandbox escape. It has been fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

