CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2025-6577
Critical

CVE-2025-6577 describes an improper neutralization of special elements used in SQL commands, leading to SQL injection vulnerability in Akilli Commerce Software. This issue affects the E-Commerce Website versions before 4.5.001.

CVE-2025-40949
Critical

A vulnerability in RUGGEDCOM ROX allows an authenticated remote attacker to inject commands into the task scheduler via the Web UI. Lack of proper input sanitization enables arbitrary command execution with root privileges.

CVE-2026-34263
Critical

Due to improper Spring Security configuration, SAP Commerce Cloud allows an unauthenticated user to perform malicious input injection, resulting in arbitrary server-side code execution.

CVE-2026-34260
Critical

SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements through user-controlled input. The application directly concatenates this malicious user input into SQL queries, which are then passed to the underlying database without proper validation or sanitization.

CVE-2026-45321
CriticalActively exploited

W dniu 11 maja 2026 roku opublikowano 84 złośliwe wersje w 42 pakietach @tanstack/* w rejestrze npm. Atakujący wykorzystał trzy znane klasy podatności, aby opublikować złośliwe oprogramowanie kradnące dane uwierzytelniające pod zaufaną tożsamością.

CVE-2026-43900
Critical

In DeepChat, prior to version 1.0.4-beta.1, a Cross-Site Scripting (XSS) vulnerability exists due to a discrepancy between the backend validation layer and the frontend browser rendering engine. An attacker can exploit this vulnerability to execute arbitrary JavaScript by manipulating SVG elements.

CVE-2026-43899
Critical

DeepChat prior to version 1.0.4-beta.1 is vulnerable to an arbitrary protocol execution bypass, potentially leading to remote code execution (RCE). The issue arises from improper sanitization of Electron pop-up window handlers, allowing an attacker to intercept a malicious URL.

CVE-2026-42882
Critical

In versions prior to 5.0.0, s3-proxy contains an authentication bypass due to inconsistent URL path interpretation between the authentication middleware and the bucket handler. This vulnerability allows unauthenticated attackers to access protected S3 namespaces.

CVE-2026-42869
Critical

In versions prior to 0.1.57, SOCFortress CoPilot contained a hardcoded JWT signing secret, allowing attackers to forge admin-scoped tokens. If JWT_SECRET is not set, all authentication tokens are signed with this publicly known key.

CVE-2026-42864
Critical

The FireFighter incident management application has a vulnerability that allows access to the POST /api/v2/firefighter/raid/jira_bot endpoint without authentication. This enables unauthorized users to coerce the fetching of arbitrary URLs and submit them as attachments to Jira tickets.

CVE-2026-43995
Critical

Flowise is a drag & drop user interface to build customized large language model flows. In versions prior to 3.1.0, multiple tool implementations directly import and invoke raw HTTP clients, creating a security vulnerability.

CVE-2026-38567
Critical

HireFlow v1.2 is vulnerable to SQL injection in the /login and /search endpoints. User-supplied input is concatenated directly into SQL queries without parameterization.

CVE-2026-7813
Critical

Authorization vulnerability in pgAdmin 4 server mode allows access to private objects of other users without proper filtering. An authenticated user could access another user's private servers, server groups, and background processes by guessing object IDs.

CVE-2026-44643
Critical

Angular Expressions, used in the Angular.JS framework, prior to version 1.5.2, allowed an attacker to write a malicious expression that could escape the sandbox and execute arbitrary code on the system.

CVE-2026-42613
Critical

Grav is a file-based web platform. Prior to 2.0.0-beta.2, the Login::register() method in the Login plugin accepts attacker-controlled groups and access fields from the registration POST data without server-side validation.

CVE-2026-42608
Critical

Grav is a file-based web platform. Prior to version 2.0.0-beta.2, there was a Path Traversal vulnerability in the FormFlash core component, allowing unauthenticated attackers to manipulate the filesystem.

CVE-2026-42607
Critical

Grav is a file-based web platform. Prior to version 2.0.0-beta.2, an authenticated user with administrative privileges could achieve Remote Code Execution (RCE) by uploading a specially crafted ZIP file through the 'Direct Install' tool.

CVE-2026-40636
Critical

Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale versions prior to 4.3.0.0 contain a use of hard-coded credentials vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability, leading to filesystem access for the attacker.

CVE-2021-47940
Critical

The WordPress Plugin Download From Files version 1.48 and earlier contains an arbitrary file upload vulnerability. Attackers can exploit the AJAX fileupload action to upload malicious files, bypassing file type restrictions.

CVE-2021-47936
Critical

OpenCATS version 0.9.4 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by uploading malicious PHP files disguised as resume attachments. Attackers can upload PHP payloads through the careers job application endpoint and execute system commands via POST requests to the uploaded file in the upload directory.

PreviousPage 81 of 559Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS