CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
The EventON plugin for WordPress up to version 5.0.11 is vulnerable to SQL injection via the 'search' parameter. Insufficient escaping and lack of query preparation allow unauthenticated attackers to append additional SQL queries, enabling extraction of sensitive database information if the 'Enable additional search queries' setting is enabled and at least one published event exists.
The Ajax Load More - Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'taxonomy_include_children' parameter in all versions up to and including 3.4.1 due to insufficient input sanitization and output escaping.
Cross-Site Scripting (XSS) vulnerability in Intermark IT's WebControl CMS v3.5. An attacker can execute JavaScript code or inject a dynamic iframe into the victim's browser by sending a malicious URL via the 'urlDestino' parameter in '/portal.do'.
An HTML injection vulnerability has been discovered in Intermark IT's WebControl CMS v3.5. An attacker can send an email containing malicious HTML code to a victim via the contact form. Exploitation requires sending a request with the 'nombreApellidos', 'dirección', and 'comentarios' parameters to '/processContact.do'.
A use-after-free vulnerability was found in the SSSD (System Security Services Daemon) PAM component responsible for YubiKey authentication. The flaw is caused by improper memory pointer handling, which can lead to a crash. A local attacker could exploit this by manipulating smartcard or YubiKey contents.
Raytha CMS is vulnerable to SQL Injection in the OData filter parsing pipeline. This allows a remote, unauthenticated attacker to execute arbitrary SQL statements against the underlying PostgreSQL database, leading to full database compromise, including credential extraction.
The vulnerability in PROMOD V is due to the use of insecure HTTP instead of HTTPS. The issue originates from the Digipede server lacking HTTPS support.
A vulnerability in Nokia MantaRay NM allows a local attacker with local admin privileges to escalate to full root privileges on the host. Successful exploitation results in root-level filesystem access and the ability to execute actions as root.
Nokia MantaRay is affected by an Improper Access Control vulnerability due to insufficient authorization in the API. An authenticated attacker can retrieve confidential information beyond their assigned privileges.
Nokia MantaRay NM is subject to an unrestricted file upload vulnerability due to insufficient file type validation. Successful exploitation could allow an authenticated attacker to upload malicious files onto the system.
The decode-uri-component library through version 0.4.1 is vulnerable to denial of service (DoS). The decode() function splits input on '%' producing N tokens and calls decodeComponents(), exhibiting super-linear parsing time: 200 '%ab' tokens takes approximately 0.7s, 700 tokens approximately 6s, and 1400 tokens approximately 33s. An attacker can cause significant CPU consumption and event-loop blocking via crafted input.
The vulnerability allows deserialization of untrusted data, which may enable an attacker to execute arbitrary code.
The Fluent Booking WordPress plugin before version 2.1.2 does not verify ownership of the requested group_id before exporting attendee data via the export endpoint. Users with at least the Calendar Manager role can retrieve attendees' PII (name, email, phone, address, payment information) from calendar groups they do not own.
Multiple laser printers and MFPs implementing Ricoh Web Image Monitor contain a reflected cross-site scripting vulnerability. An attacker can exploit this flaw to execute arbitrary scripts in the browser of a user accessing Web Image Monitor.
The DGM3103SCT device from AVTECH Security Corporation contains an OS command injection vulnerability. A user who can log in to the web management console can execute arbitrary commands with root privileges.
RPG MAKER MV and MZ from Gotcha Gotcha Games Inc. contain an OS command injection vulnerability. Loading a specially crafted save file may execute arbitrary OS commands.
A double free vulnerability has been found in libarchive's RAR5 reader. During processing of a specially crafted RAR5 archive, the filtered_buf pointer may become stale after being freed during unpacking state reinitialization. Subsequent processing of another archive entry can trigger a second free of the same memory region, resulting in a double-free condition.
Delta Electronics DVP12SE PLC exposes a Modbus TCP service without authentication or access control, allowing unauthenticated attackers to interact with security-sensitive PLC functions.
Delta Electronics DVP12SE PLCs are vulnerable to an unlimited resource allocation attack in their Modbus TCP service. The lack of limits or throttling can lead to resource exhaustion.
The Export User Data plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the unserialize function in all versions up to and including 2.2.6. This allows authenticated attackers with subscriber-level access or higher to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

