CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-54404
High

An SQL Injection vulnerability in UniFi OS allows an attacker with network access and low privileges to escalate privileges on affected UniFi OS devices or instances.

CVE-2026-54403
High

A Path Traversal vulnerability in devices running UniFi OS allows an attacker with network access to bypass authentication. The flaw affects specific UniFi OS devices or instances.

CVE-2026-54401
High

An SSRF vulnerability in UniFi OS allows an attacker with network access and low privileges to escalate privileges on the device or instance.

CVE-2026-12168
High

An improper validation vulnerability in the `GFAC_Sys_x64.sys` driver of Little Orbit GFAC allows a local attacker to escalate privileges to SYSTEM and execute arbitrary code in kernel mode via crafted messages sent through a Minifilter communication port.

CVE-2026-12167
High

The vulnerability in the `GFAC_Sys_x64.sys` driver of Little Orbit GFAC allows a local attacker to access privileged driver functions through a Minifilter communication port that lacks proper access restrictions.

CVE-2026-58652
High

A privilege escalation flaw in luci-app-travelmate and the travelmate package allows a session with UCI write ACL to set arbitrary script and arguments, executed as root by the travelmate service. The UI restriction to /etc/travelmate/*.login is only frontend.

CVE-2026-57766
High

The WPIDE – File Manager & Code Editor plugin version 3.5.6 and earlier contains an unauthenticated Cross-Site Request Forgery (CSRF) vulnerability. An attacker can exploit this flaw to perform unauthorized actions in the context of the site administrator.

CVE-2026-57765
High

The WP EasyCart plugin for WordPress versions 5.9.0 and earlier contains a SQL injection vulnerability via the 'contributor' attribute. This allows an attacker to manipulate database queries.

CVE-2026-57761
High

The SEOWP plugin version 3.12.2 and earlier contains an unauthenticated Cross-Site Request Forgery (CSRF) vulnerability. An attacker can trick an administrator into performing unintended actions without their knowledge.

CVE-2026-57759
High

The ProfileGrid plugin version 5.9.9.7 and earlier contains an unauthenticated Cross-Site Request Forgery (CSRF) vulnerability. An attacker can trick a logged-in administrator into performing unintended actions without their knowledge.

CVE-2026-57758
High

The Permalink Manager for WooCommerce plugin version 1.0.8.2 and earlier contains an unauthenticated Cross-Site Request Forgery (CSRF) vulnerability. An attacker can trick a logged-in administrator into performing unintended actions without their knowledge.

CVE-2026-57757
High

The pCloud WP Backup plugin version 2.0.2 and earlier contains an unauthenticated Cross-Site Request Forgery (CSRF) vulnerability. An attacker can trick an administrator into performing unintended actions in the WordPress admin panel.

CVE-2026-57756
High

The nicen-localize-image plugin version 1.4.9 and earlier contains a SQL injection vulnerability in the Contributor component. This allows an attacker to manipulate database queries.

CVE-2026-57752
High

SQL Injection vulnerability in the Contributor component of iNET Webkit 1.2.4 allows an attacker to inject malicious SQL code into database queries.

CVE-2026-57751
High

The Heateor Social Login plugin version 1.1.39 and earlier contains an unauthenticated Cross-Site Request Forgery (CSRF) vulnerability. An attacker can exploit this flaw to perform unauthorized actions on behalf of an authenticated administrator.

CVE-2026-57749
High

The SportsPress Pro plugin version 2.7.29 and earlier contains a Contributor Local File Inclusion (LFI) vulnerability. This allows an attacker with contributor privileges to read sensitive files on the server.

CVE-2026-57748
High

The Shopify plugin version 1.0.0 and earlier contains a Local File Inclusion (LFI) vulnerability via the Contributor function. This allows an attacker to read sensitive files on the server.

CVE-2026-57746
High

The Booked plugin version 3.0.0 and earlier contains a broken access control vulnerability exploitable by subscribers. A subscriber can gain unauthorized access to functions intended for higher roles.

CVE-2026-57688
High

A vulnerability in POS Entegratör versions up to 3.7.103 allows unauthenticated attackers to bypass access controls. This means an attacker without valid credentials can gain unauthorized access to system functions or data.

CVE-2026-57687
High

The Custom Field Template plugin for WordPress versions 2.7.8 and earlier contains a Contributor SQL Injection vulnerability. An attacker with contributor privileges can inject malicious SQL queries into the database.

PreviousPage 9 of 3301Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS