CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
A vulnerability has been found in Intelliants Subrion CMS up to version 4.0.3. The issue affects some unknown functionality of the Blocks Endpoint component, where manipulation of the CSS class name leads to cross-site scripting.
The Store Locator WordPress plugin before 1.6.9 does not validate a parameter before using it in a file path, allowing high-privileged users such as administrators to read arbitrary `.php` files from the server.
The Store Locator WordPress plugin before version 1.6.9 does not sanitize and escape store logo metadata before storing it and outputting it on the admin page, allowing high-privileged users such as administrators to perform Stored Cross-Site Scripting attacks even when the `unfiltered_html` capability is disallowed.
OpenClaw before version 2026.5.6 contains an improper access control vulnerability in Mattermost event handlers that fails to validate channel type metadata. Attackers can bypass intended DM policy decisions by sending crafted Mattermost events missing channel type information to process restricted content.
ApostropheCMS is a Node.js content management system that has a vulnerability related to `prettyUrls` in versions up to 4.30.0. When this option is enabled, an attacker can exploit the `Host` header to send HTTP requests to any host on the private network.
A security flaw has been discovered in CodeAstro Human Resource Management System 1.0, affecting an unknown part of the file /Projects/Add_Projects of the Projects Management Page component. Manipulation of the argument protitle results in cross site scripting.
A vulnerability was identified in CodeAstro Human Resource Management System 1.0. The issue affects some unknown functionality of the file /dashboard/add_tod in the Dashboard Interface, where manipulation of the argument todo_data leads to cross-site scripting.
Parse Server prior to versions 8.6.79 and 9.9.1-alpha.4 allowed bypassing the default file upload extension blocklist by appending a trailing dot to a filename. This enables attackers to upload files with dangerous MIME types, leading to potential XSS attacks.
A vulnerability was identified in Groww Stock, Mutual Fund, Gold App on Android, affecting an unknown part of the WebView URL Handler component. The manipulation leads to improper authorization in the handler for custom URL scheme.
Quest Bot is an open-source Discord bot that prior to version 1.1.6 did not suppress mentions when invoking the /warns command, potentially leading to mass pings of users.
The Secure Copy Content Protection and Content Locking WordPress plugin before version 5.1.5 does not sanitize and escape some of its settings, which could allow high privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Inappropriate implementation in Passwords in Google Chrome on Android prior to version 149.0.7827.115 allowed a remote attacker who compromised the renderer process to bypass site isolation via a crafted HTML page.
Inappropriate implementation in Extensions in Google Chrome prior to version 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page.
OpenClaw before 2026.4.25 contains a policy bypass vulnerability in embedded runner policy. This allows attackers to compare provider aliases against aliases instead of canonical provider identities, potentially leading to unauthorized access to tools.
Quest Bot is an open-source Discord bot that prior to version 1.0.5 did not suppress mentions in several moderation commands. The /unban and /unwarn commands still echoed user-controlled reason text in public bot messages, which could lead to mass pinging.
Quest Bot is a modern Discord bot designed for moderation, utilities, and support. In versions prior to 1.0.4, several moderation commands echoed user-controlled reason text in public bot replies without disabling mention parsing.
A vulnerability in Axios, an HTTP client, allows for the injection of malicious data into the Proxy-Authorization header if the proxy object is polluted. The issue exists in versions from 1.15.2 to before 1.16.0, where the setProxy() function does not check object properties.
A vulnerability was identified in version 5.36.0 of the TwiN gatus component, concerning the setSessionCookie function in the security/oidc.go file. Manipulating this function can lead to sensitive cookies without the secure attribute.
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2. Under certain conditions, an unauthenticated user could impersonate the GitLab Support Bot and inject arbitrary content via a specially crafted Service Desk email reply due to improper neutralization in email template processing.
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2. Under certain conditions, an authenticated user with developer-role permissions could hide changes from merge request diff views due to improper input handling of file names.

