CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-11358
Medium

The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via admin settings in all versions up to and including 3.0.6 due to insufficient input sanitization and output escaping.

CVE-2026-11357
Medium

The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 3.7.5. This allows authenticated attackers with contributor-level access and above to extract the site's connected Kadence account license key, license owner email, and other sensitive data from the browser console.

CVE-2026-10736
Medium

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to generic SQL Injection via the 'data' parameter in all versions up to and including 3.9.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.

CVE-2026-10623
Medium

The PressPrimer Quiz – AI Quiz Maker, Exam Builder & LMS Assessment Plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to and including 2.3.0 due to missing validation on the 'rule_id' parameter. This allows authenticated attackers with custom-level access and above to modify or delete quiz rules belonging to other teachers.

CVE-2026-10029
Medium

The Event Koi Lite – Events Calendar, Event Management, RSVP, and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 1.3.13.1. This allows unauthenticated attackers to extract sensitive data such as virtual meeting URLs and location data.

CVE-2026-10023
Medium

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution plugin is vulnerable to Insecure Direct Object Reference in all versions up to 5.0.3. The lack of ownership validation on the order ID key allows authenticated attackers to modify order statuses and add, delete, and modify order notes.

CVE-2026-54533
Medium

In versions prior to 5.0.0 of vantage6, malicious algorithms can potentially access other algorithms' input and output files. The issue is fixed in version 5.0.0.

CVE-2026-54445
Medium

In versions prior to 5.0.0 of the vantage6 software, the default user `root` with the password `root` poses a significant security risk. Attackers can easily gain access to the system as many vantage6 servers have this user with admin rights.

CVE-2026-50267
Medium

In Steeltoe.Configuration.Abstractions versions 4.0.0 through 4.1.0, TLS credentials are written to temporary files that are world-readable on Linux. These files are never deleted, creating a risk of sensitive information exposure.

CVE-2026-50202
Medium

In Steeltoe projects prior to versions 3.4.0 (CloudFoundryBase), 4.2.0 (JwtBearer), and 4.2.0 (OpenIdConnect), there is an issue with the JWT signing key cache. The `kid` is used as the sole cache key, which can lead to unauthorized token validation in applications with multiple `JwtBearer` schemes pointing to different identity providers.

CVE-2026-50201
Medium

Steeltoe prior to version 4.2.0 and Steeltoe.Management.EndpointCore prior to version 3.4.0 have all actuator endpoints defaulting to `EndpointPermissions.Restricted`, which may lead to unauthorized access to sensitive data. Sensitive endpoints such as heap dump, environment, and thread dump are not properly secured.

CVE-2026-44646
Medium

In versions 10.25.7 and below, the LiquidJS template engine incorrectly propagates the ownPropertyOnly value from the parent context, leading to a silent bypass. As a result, developers may inadvertently expose prototype-chain properties in unsafe renders.

CVE-2026-44645
Medium

In versions 10.25.7 and below of the LiquidJS template engine, the renderLimit option can be fully bypassed by using an empty {% for %} or {% tablerow %} tag. This allows for unlimited rendering time consumption, potentially leading to DoS attacks.

CVE-2026-44644
Medium

LiquidJS, a template engine compatible with Shopify/GitHub Pages, has a vulnerability to XSS in versions 10.25.7 and below due to a flaw in the strip_html filter logic. This flaw allows bypassing HTML sanitization, enabling attackers to inject malicious code.

CVE-2026-12568
Medium

The postman_download module uses the workspace name field from the Postman API to construct the local directory path without sanitization. A malicious workspace with a name containing path traversal characters may allow an attacker to write arbitrary files to the user's system.

CVE-2026-12565
Medium

The unarchive internal module does not perform validation on file paths during archive extraction, relying on external tools, which may lead to unauthorized system access. Specifically, on systems with GNU tar < 1.34, a malicious archive can write files outside the intended extraction directory.

CVE-2024-27928
Medium

In versions prior to 5.0.0 of the vantage6 software, an attacker who gains access to a user's email account can reset the password and the 2FA token via email, reducing security to a single authentication factor (email access). Version 5.0.0 fixes this issue.

CVE-2026-8049
Medium

W SignalRGB w wersjach starszych niż 1.3.7.0 obiekt urządzenia \.\SignalIo został utworzony bez jawnego deskryptora zabezpieczeń SDDL oraz bez flagi FILE_DEVICE_SECURE_OPEN. Powoduje to nadmiernie liberalną domyślną kontrolę dostępu, umożliwiając każdemu uwierzytelnionemu użytkownikowi lokalnemu uzyskanie uchwytu do urządzenia i wysyłanie uprzywilejowanych żądań IOCTL.

CVE-2026-54386
Medium

Marimo before 0.23.9 contains a reflected cross-site scripting vulnerability in the notebook page that allows unauthenticated attackers to inject arbitrary JavaScript.

CVE-2026-48991
Medium

XianYuLauncher is a Minecraft Java Edition launcher, in versions prior to 1.5.5, there was a risk of exposing sensitive authentication artifacts during a user-initiated login under certain local attack conditions. Affected versions relied on a fixed localhost redirect URI without PKCE or state validation.

PreviousPage 88 of 533Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS