CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
A heap-based buffer overflow vulnerability was found in Open Asset Import Library Assimp up to version 5.4.3 in the Assimp::SceneCombiner::Copy function. Manipulating width/height arguments triggers the overflow.
The Kali Forms plugin for WordPress up to version 2.4.13 is vulnerable to Stored XSS via the 'meta[kaliforms_field_components]' parameter. Authenticated attackers with contributor-level access or higher can inject arbitrary scripts that execute when a user visits the compromised page.
UltraVNC repeater up to version 1.8.2.2 contains a global buffer overflow in its embedded HTTP administration server. The functions wi_senderr() and wi_replyhdr() in repeater/webgui/webutils.c write the caller-supplied HTTP request URI into a fixed 1000-byte global buffer (hdrbuf) via unchecked sprintf calls. The HTTP receive buffer accepts URIs up to approximately 150 KB (WI_RXBUFSIZE = 153600), so an unauthenticated attacker who can reach the repeater HTTP port (default TCP 80) can overflow hdrbuf by at least 500 bytes with a single HTTP request containing a URI of 1500 bytes or longer, corrupting adjacent .bss-segment globals. The overflow occurs before any authentication check, making it reachable without credentials. A remote, unauthenticated attacker can achieve arbitrary code execution on the host running the repeater.
UltraVNC repeater up to version 1.8.2.2 initializes the HTTP administration server with a hardcoded default password. On first run, when settings2.txt is absent, it writes the password "adminadmi2" for the admin user. The Basic-auth handler lacks rate-limiting or lockout, allowing a remote attacker to easily gain full control of the repeater configuration.
UltraVNC viewer up to version 1.8.2.2 contains an integer overflow leading to a heap buffer overflow in the RFB protocol failure-response parsing path. The 4-byte reasonLen field (CARD32) is passed as reasonLen+1 to CheckBufferSize(), where a value of 0xFFFFFFFF overflows to 0, allocating only 256 bytes, followed by reading 4 GiB into that buffer. This is reachable without authentication via rfbConnFailed and rfbVncAuthFailed message types.
UltraVNC viewer up to version 1.8.2.2 contains an off-by-one stack buffer overflow in the RFB ServerInit message handler. When the server supplies a desktop name of exactly 2024 bytes, ReadString writes a null terminator one byte past the allocated buffer, causing a stack overflow.
UltraVNC up to version 1.8.2.2 uses weak cryptography in the MS-Logon II authentication scheme. The Diffie-Hellman key exchange relies on 64-bit parameters that can be broken in under a second, and the random number generator based on rand() with a time seed allows private key recovery within a minute. A network attacker can derive the shared DH key and decrypt the username and password.
A post-authentication out-of-bounds write vulnerability in UltraVNC repeater through version 1.8.2.2 exists in the allow/deny rule parser. The code writes a NUL terminator without clamping the length to the destination buffer size, potentially corrupting stack data.
UltraVNC repeater up to version 1.8.2.2 contains an integer overflow in the win_log() function during memory allocation for list nodes. An attacker can send a sufficiently long HTTP URI, leading to a heap buffer overflow, potentially allowing out-of-bounds write.
The Custom Payment Gateways for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'alg_wc_cpg_input_fields' parameter in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping.
The WP-BusinessDirectory plugin for WordPress up to version 4.0.1 contains an unauthenticated arbitrary file deletion vulnerability. Insufficient path validation in the remove() method of the JBusinessDirectoryControllerUpload class allows an attacker to manipulate the _filename parameter and delete critical server files.
A stored cross-site scripting (XSS) vulnerability has been found in the Cargo extension for MediaWiki. The flaw is caused by improper input neutralization during web page generation. All versions before 3.9.1 are affected.
A CSRF vulnerability in the RedirectManager extension for MediaWiki allows an attacker to perform unauthorized actions on behalf of an authenticated user. The issue affects versions before 1.3.3.
UltraVNC repeater through version 1.8.2.2 contains an off-by-one error in the Base64 decode helper used for HTTP Basic authentication. In webutils.c:817, the wi_uudecode() function checks if input length exceeds the output buffer with a strict greater-than comparison (>), while the correct check should be greater-than-or-equal (>=). Currently, the risk is limited to a one-byte write at the boundary of a 1024-byte stack buffer under constrained conditions.
UltraVNC through 1.8.2.2 contains an out-of-bounds read in the wide-string to multibyte conversion helper. The vncWc2Mb() function in rfb/dh.cpp:204 calls wcslen() on a caller-supplied WCHAR pointer without prior bounds check, potentially reading past the buffer.
UltraVNC through 1.8.2.2 uses a cryptographically weak pseudo-random number generator to produce VNC authentication challenge bytes. The vncRandomBytes() function seeds libc rand() with time(0) + getpid() + rand(), resulting in a seed space of approximately 31 bits determined by publicly observable values. An attacker can predict the challenge within seconds, enabling forgery or offline brute-forcing of responses.
The Event Organiser plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 3.12.9. This is due to the 'eo_events' shortcode accepting attacker-controlled 'no_events' content and rendering it in event list templates without output escaping.
The WPBot – AI ChatBot plugin for WordPress up to version 8.4.9 is vulnerable to stored cross-site scripting via the 'conversation' parameter due to insufficient input sanitization and output escaping. Unauthenticated attackers can inject arbitrary web scripts that execute when users access affected pages. The AJAX nonce required for saving is publicly exposed on every frontend page, removing practical exploitation barriers.
The Visualizer – Tables & Charts Manager with Built-in AI Generator plugin for WordPress up to version 4.0.3 is vulnerable to authorization bypass. Unauthenticated attackers can access and export any visualizer chart, including those in draft, private, pending, future, or trash status, as CSV, Excel, or HTML via the /wp-json/visualizer/v1/action/{chart}/{type}/ REST endpoint.
The Tutor LMS plugin for WordPress up to version 3.9.13 inclusive is vulnerable to Stored Cross-Site Scripting via Lesson Attachment Title due to insufficient input sanitization and output escaping.

