CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-41124
Low

A path traversal vulnerability in Dell PowerProtect Data Domain allows a high-privileged attacker with local access to bypass path restrictions and potentially disclose sensitive information.

CVE-2026-41123
Medium

Dell PowerProtect Data Domain versions 7.7.1.0 through 8.6, LTS2026 release 8.6.1.0 through 8.6.1.10, LTS2025 release 8.3.1.0 through 8.3.1.30, and LTS2024 release 7.13.1.0 through 7.13.1.70 contain an improper access control vulnerability in RBAC. A low privileged attacker with remote access could exploit this vulnerability to tamper with information.

CVE-2026-26355
Medium

Dell PowerProtect Data Domain in multiple versions contains an OS command injection vulnerability. A high privileged attacker with remote access could exploit this flaw to execute arbitrary commands.

CVE-2026-50238
Unknown

This CVE has been rejected by Red Hat Product Security as not required. The reported issue has been classified as a regular bug and will be addressed through the standard bug-fixing process.

CVE-2026-13341
High

A vulnerability in the Kong Konnect Model Context Protocol (MCP) server prior to version 1.0.0 allows a remote attacker to perform an indirect prompt injection attack and execute unintended API requests.

CVE-2026-10055
High

In Eclipse Theia since version 1.26.0, the backend /services/request-service RPC accepts an attacker-controlled URL from any client connected to the standard /services messaging endpoint, performs the HTTP request server-side, and returns the full response body to the caller.

CVE-2026-10054
High

In Eclipse Theia versions 1.8.1 and later, the browser backend exposes privileged terminal RPC over WebSocket without service-level authentication. WebSocket origin validation is fail-open, allowing an attacker to execute arbitrary OS commands via terminal takeover.

CVE-2026-5137
Medium

The RTMKit (rometheme-for-elementor) plugin for WordPress up to version 2.0.7 is vulnerable to Local File Inclusion (LFI). This is due to insufficient path validation on the 'template' parameter in the render_templates AJAX endpoint, which is used directly in a require/include statement without sanitization.

CVE-2026-4322
Medium

The Destekz plugin from Raera - Ankara Web Design and Digital Advertising Agency contains a reflected XSS vulnerability due to improper input neutralization during page generation. This affects versions up to 02062026, and the product is no longer supported by the vendor.

CVE-2026-4321
Critical

An SQL injection vulnerability in Destekz by Raera - Ankara Web Design and Digital Advertising Agency allows an attacker to inject malicious SQL code. The issue affects all versions up to 02062026. The vendor confirmed the product is no longer supported.

CVE-2026-9756
Medium

The GenerateBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Headline Block 'linkMetaFieldType' Dynamic Link Attribute in versions up to and including 2.2.1 due to insufficient input sanitization and output escaping.

CVE-2026-4804
Medium

The Zakra theme for WordPress up to version 4.2.0 is vulnerable to Stored Cross-Site Scripting. The lack of sanitization for post meta fields (zakra_menu_item_color, zakra_menu_item_hover_color, zakra_menu_item_active_color) via the REST API allows authenticated attackers with Contributor-level access or higher to inject arbitrary scripts that execute when users visit the affected page.

CVE-2026-47896
High

A Path Traversal vulnerability in the Apache Lucene.Net.Replicator library allows unrestricted file reading outside the restricted directory. Affected versions are from 4.8.0-beta00005 through 4.8.0-beta00017.

CVE-2026-35159
Medium

A vulnerability in Dell Client Platform BIOS allows authentication bypass due to a primary weakness. An unauthenticated attacker with physical access could potentially exploit this flaw, leading to information disclosure.

CVE-2026-11900
Medium

The Ad Inserter – Ad Manager & AdSense Ads plugin for WordPress up to version 2.8.16 is vulnerable to Insecure Direct Object Reference (IDOR) via the 'data' attribute of the [adinserter] shortcode. The replace_ai_tags() function processes a {reusable-block-N} tag pattern that calls get_post_field('post_content', N) without verifying user capabilities with current_user_can('read_post'), without restricting the post type to 'wp_block', and without checking the post status. This allows authenticated attackers with Contributor-level access and above to read the full content of arbitrary posts, including Private, Draft, Pending, Trashed, and password-protected posts owned by other users, by placing the shortcode in a post they own and previewing it.

CVE-2026-11778
Medium

The CURCY – Multi Currency for WooCommerce plugin for WordPress up to version 2.2.14 is vulnerable to arbitrary shortcode execution by unauthenticated attackers. This is due to insufficient validation before passing a value to the do_shortcode function.

CVE-2026-11398
Medium

The LatePoint plugin for WordPress, up to version 5.6.1, has an authorization bypass vulnerability. Unauthenticated attackers can modify personally identifiable information (first name, last name, phone number, and notes) of any existing customer record, including administrator accounts, by submitting the booking form with a known email address. Exploitation requires guest bookings to be enabled.

CVE-2026-9230
Medium

The Quiz and Survey Master (QSM) plugin for WordPress up to version 11.1.4 is vulnerable to authorization bypass. Authenticated attackers with contributor-level access or higher can modify quizzes they do not own, overwrite result pages, and redirect notification emails to attacker-controlled addresses.

CVE-2026-9148
High

The Comments – wpDiscuz plugin for WordPress up to version 7.6.56 is vulnerable to Stored Cross-Site Scripting. This is due to insufficient output escaping in the getCommentAuthor() function, which interpolates the stored comment_author_url value directly into single-quoted HTML attributes without applying esc_url() or esc_attr(). Unauthenticated attackers can inject arbitrary web scripts that execute whenever a user accesses an injected page.

CVE-2026-8804
Medium

A vulnerability in Puppet resource_api (shipped with Puppet Core 8.x and Puppet Enterprise 2023.8.x and 2025.x) fails to preserve the sensitive flag on parameters defined via the resource-api, causing values like passwords to be stored in cleartext in the agent's local transaction state cache.

PreviousPage 9 of 4400Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS