CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
Angular Expressions, used in the Angular.JS framework, prior to version 1.5.2, allowed an attacker to write a malicious expression that could escape the sandbox and execute arbitrary code on the system.
Grav is a file-based web platform. Prior to 2.0.0-beta.2, the Login::register() method in the Login plugin accepts attacker-controlled groups and access fields from the registration POST data without server-side validation.
Grav is a file-based web platform. Prior to version 2.0.0-beta.2, there was a Path Traversal vulnerability in the FormFlash core component, allowing unauthenticated attackers to manipulate the filesystem.
Grav is a file-based web platform. Prior to version 2.0.0-beta.2, an authenticated user with administrative privileges could achieve Remote Code Execution (RCE) by uploading a specially crafted ZIP file through the 'Direct Install' tool.
Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale versions prior to 4.3.0.0 contain a use of hard-coded credentials vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability, leading to filesystem access for the attacker.
The WordPress Plugin Download From Files version 1.48 and earlier contains an arbitrary file upload vulnerability. Attackers can exploit the AJAX fileupload action to upload malicious files, bypassing file type restrictions.
OpenCATS version 0.9.4 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by uploading malicious PHP files disguised as resume attachments. Attackers can upload PHP payloads through the careers job application endpoint and execute system commands via POST requests to the uploaded file in the upload directory.
WordPress MStore API version 2.0.6 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to the REST API endpoint. Attackers can upload PHP files with arbitrary names to the config_file endpoint to achieve remote code execution on the server.
WordPress TheCartPress version 1.5.3.6 contains an unauthenticated privilege escalation vulnerability that allows attackers to create administrator accounts by submitting crafted requests to the AJAX handler.
OpenCart version 3.0.3.8 contains a session fixation vulnerability that allows attackers to hijack user sessions by injecting arbitrary values into the OCSESSID cookie. Attackers can set malicious OCSESSID cookie values that the server accepts and maintains, enabling session takeover and unauthorized access to user accounts.
In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, passing an encoding name containing an embedded NUL byte to mb_convert_encoding() or related mbstring functions causes the code to incorrectly assume that strncasecmp() returning 0 means equal string lengths. This leads to an out-of-bounds read of global memory, potentially causing a crash or information disclosure.
PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6 contain a use-after-free vulnerability in the SOAP extension's object deduplication mechanism. Storing pointers to PHP objects in a global map without incrementing reference counts, combined with duplicate keys in an apache:Map node, leads to freed memory and potential remote code execution.
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string.
ArchiveBox is a web archiving system that, in versions 0.8.6rc0 and prior, has a vulnerability in the /add/ endpoint. The config JSON field is merged into the crawl config without validation, allowing injection of arbitrary tool arguments, leading to remote code execution (RCE).
Pelican, a platform for creating data federations, has a privilege escalation vulnerability in the Web User Interface (WebUI) in versions 7.21.0 to before 7.21.5, 7.22.0 to before 7.22.3, 7.23.0 to before 7.23.3, and 7.24.0 to before 7.24.2. This allows authenticated users to gain admin privileges under certain configurations.
In phpVMS, a PHP application for simulating airlines, prior to version 7.0.6, a critical vulnerability allowed unauthenticated access to a legacy import feature.
Versions 1.18.0 to before 1.25.2 and 2.0.0 to before 2.1.2 of the auth library have an issue with mapping Patreon user accounts to a local identifier. All Patreon-authenticated users are treated as a single local user, leading to account mixing and potential privacy breaches.
Linkwarden prior to version 2.13.0 had a Server-Side Request Forgery (SSRF) vulnerability in the fetchTitleAndHeaders function that allowed authenticated users to make arbitrary HTTP requests to internal services due to insufficient URL validation.
Termix is a web-based server management platform that prior to version 2.1.0 did not sanitize or validate URL parameters and WebSocket message fields. This allows an authenticated attacker to inject arbitrary OS commands, leading to Remote Code Execution on managed servers.
In Sentry, from version 21.12.0 to before version 26.4.1, a critical vulnerability was discovered in the SAML SSO implementation. This vulnerability allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sentry instance.

