CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
In the Bluetooth Classic Hands-Free Profile (HFP) implementation in Zephyr OS, an out-of-bounds write vulnerability was found. During processing of AT+CIND: response from an Audio Gateway (AG) device, the cind_handle_values() function writes data to the ind_table[] array without verifying that the index does not exceed its size (20 elements). A remote, malicious or compromised Bluetooth peer can send a response with more than 20 entries, causing a write beyond the array and memory corruption.
The EMV JobBank has a missing authorization vulnerability that allows exploiting incorrectly configured access control security levels.
There is an unauthenticated local file inclusion vulnerability in Line Agency versions <= 1.3.1.
Versions of Etude up to 1.6 are vulnerable to unauthenticated local file inclusion. An attacker can exploit this vulnerability to gain access to system files.
There is an unauthenticated local file inclusion vulnerability in Eventicity versions <= 1.5.
Gunslinger versions up to 1.7 are vulnerable to unauthenticated local file inclusion.
There is an unauthenticated local file inclusion vulnerability in Skyward versions <= 1.10.
Versions of Granola <= 1.13 are vulnerable to unauthenticated local file inclusion, which may lead to the exposure of sensitive data.
Versions of Gamic <= 1.15 are vulnerable to unauthenticated local file inclusion. An attacker can exploit this vulnerability to gain access to system files.
There is a vulnerability in Preservation <= 1.10 that allows unauthenticated local file inclusion.
Versions of SweetDate Core below 1.1.5 are vulnerable to unauthenticated Cross Site Scripting (XSS). An attacker can exploit this vulnerability to inject malicious JavaScript code.
In versions of the Entrepreneur - Booking for Small Businesses WordPress theme up to 3.1.3, there is a PHP Object Injection vulnerability related to subscribers.
CVE-2025-69128 describes an improper limitation of a pathname to a restricted directory, allowing Path Traversal in the EMV JobCareer application. This issue affects JobCareer versions from n/a through 7.3.
There is a vulnerability in Fortius <= 2.3.0 versions that allows unauthenticated local file inclusion.
Versions of Snow Club up to 1.1 are vulnerable to unauthenticated local file inclusion. An attacker can exploit this vulnerability to gain access to system files.
There is an unauthenticated local file inclusion vulnerability in Dazzle <= 1.0.0 versions.
The LuxMed | Medicine & Healthcare Doctor WordPress theme versions up to 1.2.2 are vulnerable to unauthenticated local file inclusion. An attacker can exploit this vulnerability to gain access to sensitive data on the server.
There is an unauthenticated local file inclusion vulnerability in Imba versions up to 1.5.0.
Versions of Avante below 3.0.5 are vulnerable to unauthenticated Cross Site Scripting (XSS). An attacker can exploit this vulnerability to inject malicious JavaScript code.
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write operations, allowing an attacker to reset a user's password by sending a one-time password to an attacker-controlled email address.

