CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
A vulnerability has been found in Ezbsystems UltraISO Premium Edition up to version 9.76, affecting some unknown functionality in the library bootpt64.sys of the Kernel Driver component. Manipulation leads to improper access controls.
A weakness has been identified in IM-Magic Partition Resizer up to version 7.9.0, affecting an unknown function in the MDA_NTDRV.sys library of the Kernel Driver component. This manipulation causes improper access controls.
A security flaw has been discovered in EaseUS Partition Master up to version 14.5, concerning an unknown function in the library EUEDKEPM.sys of the Kernel Driver component. Manipulation of this flaw results in improper access controls.
A vulnerability was identified in EaseUS Partition Master up to version 14.5, concerning an unknown function in the library epmntdrv.sys of the Kernel Driver component. Manipulation leads to improper access controls.
A vulnerability was detected in AOMEI Backupper up to version 8.3.0, concerning an unknown function in the library amwrtdrv.sys of the Kernel Driver component. Executing a manipulation can lead to improper access controls.
A vulnerability was found in AOMEI Dynamic Disk Manager up to version 10.10.1, affecting some unknown processing in the library ddmdrv.sys of the Kernel Driver component. Manipulating this element results in improper access controls.
A vulnerability has been found in AOMEI Partition Assistant up to version 10.10.1, affecting unknown code in the library ampa10.sys of the Kernel Driver component. Such manipulation leads to improper access controls.
A vulnerability was detected in Montodel House-Rental-Management affecting the /login.php file. Manipulation of the Username argument leads to SQL injection, allowing for remote attack execution.
A weakness has been identified in BerriAI litellm up to version 1.59.8 in the UserAPIKeyAuth function of the MCP Proxy component. Manipulation can lead to improper authentication, and the attack can be launched remotely.
AVideo through version 29.0 contains an authorization bypass vulnerability in the Meet plugin's uploadRecordedVideo.json.php endpoint. An attacker can exploit a crafted file upload to gain access to any user's session, including admin.
AVideo through version 26.0 contains multiple unauthenticated list.json.php endpoints in payment plugins lacking authorization checks, exposing PayPal tokens, Authorize.Net webhooks, and Bitcoin transaction records.
A vulnerability in vLLM versions 0.10.2 through 0.12.9 stems from missing sparse tensor validation in multimodal embeddings processing. Since PyTorch disables sparse tensor invariant checks by default, an attacker can submit crafted embedding requests with malformed (negative or out-of-bounds) tensor indices when the prompt-embeds feature is enabled, leading to crashes, resource exhaustion (denial of service), and potential out-of-bounds/write-what-where memory corruption.
The WordPress Time Capsule Plugin version 1.21.16 contains an authentication bypass vulnerability that allows unauthenticated attackers to gain administrative access by sending a crafted POST request with the IWP_JSON_PREFIX header. Attackers can exploit this flaw to obtain valid administrator session cookies and access the WordPress dashboard without providing credentials.
The Simple File List plugin for WordPress is vulnerable to arbitrary file modification due to insufficient authorization checks in all versions up to and including 6.3.7. This allows unauthenticated attackers to delete and modify files on the server.
The Simple File List plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the eeSFL_DeleteFile function in all versions up to and including 6.3.7. This allows unauthenticated attackers to delete arbitrary files on the server.
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the view_page function in all versions up to and including 1.5.1. This allows unauthenticated attackers to delete arbitrary files on the server.
Capgo before 12.128.2 contains a scope escalation vulnerability in the POST /functions/v1/apikey endpoint that allows app-limited API keys to mint unrestricted keys by setting empty limits.
Capgo before 12.128.12 allows authenticated users to modify their mutable public.users.email to arbitrary addresses. The SSO provisioning endpoint trusts this address as an account-merge key.
Capgo before 12.128.2 contains an information disclosure vulnerability in Supabase PostgREST RPC endpoints is_trial_org and is_paying_org that allows unauthenticated attackers to enumerate organizations and disclose billing status using the public sb_publishable key.
Capgo before version 12.128.2 contains an improper access control vulnerability in the PostgREST RPC function public.record_build_time, which is accessible to the anon role and callable with the public anon key. An unauthenticated attacker can insert rows into public.build_logs for arbitrary organizations, allowing them to modify existing usage/billing records.

