CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-12786
High

A vulnerability has been found in Ezbsystems UltraISO Premium Edition up to version 9.76, affecting some unknown functionality in the library bootpt64.sys of the Kernel Driver component. Manipulation leads to improper access controls.

CVE-2026-12784
High

A weakness has been identified in IM-Magic Partition Resizer up to version 7.9.0, affecting an unknown function in the MDA_NTDRV.sys library of the Kernel Driver component. This manipulation causes improper access controls.

CVE-2026-12782
High

A security flaw has been discovered in EaseUS Partition Master up to version 14.5, concerning an unknown function in the library EUEDKEPM.sys of the Kernel Driver component. Manipulation of this flaw results in improper access controls.

CVE-2026-12781
High

A vulnerability was identified in EaseUS Partition Master up to version 14.5, concerning an unknown function in the library epmntdrv.sys of the Kernel Driver component. Manipulation leads to improper access controls.

CVE-2026-12780
High

A vulnerability was detected in AOMEI Backupper up to version 8.3.0, concerning an unknown function in the library amwrtdrv.sys of the Kernel Driver component. Executing a manipulation can lead to improper access controls.

CVE-2026-12779
High

A vulnerability was found in AOMEI Dynamic Disk Manager up to version 10.10.1, affecting some unknown processing in the library ddmdrv.sys of the Kernel Driver component. Manipulating this element results in improper access controls.

CVE-2026-12778
High

A vulnerability has been found in AOMEI Partition Assistant up to version 10.10.1, affecting unknown code in the library ampa10.sys of the Kernel Driver component. Such manipulation leads to improper access controls.

CVE-2026-12775
High

A vulnerability was detected in Montodel House-Rental-Management affecting the /login.php file. Manipulation of the Username argument leads to SQL injection, allowing for remote attack execution.

CVE-2026-12773
High

A weakness has been identified in BerriAI litellm up to version 1.59.8 in the UserAPIKeyAuth function of the MCP Proxy component. Manipulation can lead to improper authentication, and the attack can be launched remotely.

CVE-2026-56345
High

AVideo through version 29.0 contains an authorization bypass vulnerability in the Meet plugin's uploadRecordedVideo.json.php endpoint. An attacker can exploit a crafted file upload to gain access to any user's session, including admin.

CVE-2026-56341
High

AVideo through version 26.0 contains multiple unauthenticated list.json.php endpoints in payment plugins lacking authorization checks, exposing PayPal tokens, Authorize.Net webhooks, and Bitcoin transaction records.

CVE-2026-56340
High

A vulnerability in vLLM versions 0.10.2 through 0.12.9 stems from missing sparse tensor validation in multimodal embeddings processing. Since PyTorch disables sparse tensor invariant checks by default, an attacker can submit crafted embedding requests with malformed (negative or out-of-bounds) tensor indices when the prompt-embeds feature is enabled, leading to crashes, resource exhaustion (denial of service), and potential out-of-bounds/write-what-where memory corruption.

CVE-2020-37255
High

The WordPress Time Capsule Plugin version 1.21.16 contains an authentication bypass vulnerability that allows unauthenticated attackers to gain administrative access by sending a crafted POST request with the IWP_JSON_PREFIX header. Attackers can exploit this flaw to obtain valid administrator session cookies and access the WordPress dashboard without providing credentials.

CVE-2026-11912
High

The Simple File List plugin for WordPress is vulnerable to arbitrary file modification due to insufficient authorization checks in all versions up to and including 6.3.7. This allows unauthenticated attackers to delete and modify files on the server.

CVE-2026-11911
HighEPSS 51%

The Simple File List plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the eeSFL_DeleteFile function in all versions up to and including 6.3.7. This allows unauthenticated attackers to delete arbitrary files on the server.

CVE-2026-9843
High

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the view_page function in all versions up to and including 1.5.1. This allows unauthenticated attackers to delete arbitrary files on the server.

CVE-2026-56216
High

Capgo before 12.128.2 contains a scope escalation vulnerability in the POST /functions/v1/apikey endpoint that allows app-limited API keys to mint unrestricted keys by setting empty limits.

CVE-2026-56215
High

Capgo before 12.128.12 allows authenticated users to modify their mutable public.users.email to arbitrary addresses. The SSO provisioning endpoint trusts this address as an account-merge key.

CVE-2026-56214
High

Capgo before 12.128.2 contains an information disclosure vulnerability in Supabase PostgREST RPC endpoints is_trial_org and is_paying_org that allows unauthenticated attackers to enumerate organizations and disclose billing status using the public sb_publishable key.

CVE-2026-56082
High

Capgo before version 12.128.2 contains an improper access control vulnerability in the PostgREST RPC function public.record_build_time, which is accessible to the anon role and callable with the public anon key. An unauthenticated attacker can insert rows into public.build_logs for arbitrary organizations, allowing them to modify existing usage/billing records.

PreviousPage 77 of 3332Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS