CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
The MoreConvert Pro plugin for WordPress is vulnerable to Authentication Bypass in all versions up to and including 1.9.14. The issue arises from the guest waitlist verification flow not invalidating or regenerating verification tokens when the customer email address is changed.
Nginx UI, a web user interface for the Nginx web server, prior to version 2.3.8, exposed a backup restore endpoint (POST /api/restore) that was completely unauthenticated during the first 10 minutes after process startup on any fresh installation. An unauthenticated remote attacker could upload a crafted backup archive that overwrote the application's configuration file and SQLite database.
The WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the firewall.cgi binary due to insufficient input validation. Attackers can inject arbitrary shell commands through vulnerable parameters, leading to persistent payloads stored in NVRAM.
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the reboot_time function of the adm.cgi binary. This allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the reboot_time POST parameter.
The WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the makeRequest.cgi binary. This allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the set_time or StartSniffer functions.
The WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the internet.cgi binary, allowing unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the gateway POST parameter.
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the wireless.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the sz11gChannel or PIN POST parameters. Attackers can exploit unsanitized parameter handling in the set_wifi_basic and set_wifi_do_wps functions to achieve remote code execution without authentication.
n8n is a workflow automation platform that prior to versions 1.123.32, 2.17.4, and 2.18.1 was vulnerable to an unauthenticated attacker registering a malicious OAuth client. After authorization by the victim, a malicious script could be executed in the victim's browser session.
Arelle before 2.39.10 contains an unauthenticated remote code execution vulnerability in the /rest/configure REST endpoint that accepts a plugins query parameter. Attackers can supply a URL to a malicious Python file, leading to the download and execution of attacker-controlled code.
OpenC3 COSMOS prior to version 7.0.0-rc3 allows users to execute Python and Ruby scripts from the openc3-COSMOS-script-runner-api container. This enables bypassing API permissions checks and performing administrative actions, including modifying data in the Redis database.
In versions from 6.7.0 to before 7.0.0-rc3, a SQL injection vulnerability exists in the Time-Series Database (TSDB) component of OpenC3 COSMOS. The tsdb_lookup function in the cvt_model.rb file directly places user-supplied input into a SQL query without sanitizing the input, allowing arbitrary SQL commands to be executed.
The Note Mark note-taking application in version 0.19.2 has a vulnerability where the IsPasswordMatch function in the backend uses a hard-coded bcrypt("null") password for users without stored passwords. OIDC-registered users are created with an empty password, allowing anyone to obtain a valid session by submitting password: "null" to the internal login endpoint.
In Apache Iceberg, changing the `write.metadata.path` property in a table registered in a Polaris-managed catalog can bypass the storage location revalidation mechanism. This allows for potential unauthorized changes to the table's metadata.
Apache Polaris is supposed to issue short-lived GCS credentials that only work for one table's files, but a crafted namespace or table name can cause those credentials to work across the configured bucket.
Apache Polaris accepts literal `*` characters in namespace and table names. When it later builds temporary S3 access policies for delegated table access, those same characters appear to be reused unescaped in S3 IAM resource patterns.
Apache Polaris can issue broad temporary ('vended') storage credentials during staged table creation before the effective table location has been validated or durably reserved. An attacker can choose a reachable target location, leading to unauthorized access to table data and metadata.
D-Link DIR-456U Hardware Revision A1 contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot, allowing access to a root shell with full administrative control.
D-Link DIR-600L Hardware Revision A1 contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot with the default username 'Alphanetworks' and static password 'wrgn35_dlwbr_dir600l'.
D-Link DIR-600L Hardware Revision B1 contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot with the username 'Alphanetworks' and the static password 'wrgn61_dlwbr_dir600L'.
D-Link DIR-605L Hardware Revision B2 contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot with the username 'Alphanetworks' and the static password 'wrgn76_dlwbr_dir605L'.

