CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
There is an unauthenticated local file inclusion vulnerability in Skyward versions <= 1.10.
Versions of Granola <= 1.13 are vulnerable to unauthenticated local file inclusion, which may lead to the exposure of sensitive data.
Versions of Gamic <= 1.15 are vulnerable to unauthenticated local file inclusion. An attacker can exploit this vulnerability to gain access to system files.
There is a vulnerability in Preservation <= 1.10 that allows unauthenticated local file inclusion.
Versions of SweetDate Core below 1.1.5 are vulnerable to unauthenticated Cross Site Scripting (XSS). An attacker can exploit this vulnerability to inject malicious JavaScript code.
In versions of the Entrepreneur - Booking for Small Businesses WordPress theme up to 3.1.3, there is a PHP Object Injection vulnerability related to subscribers.
CVE-2025-69128 describes an improper limitation of a pathname to a restricted directory, allowing Path Traversal in the EMV JobCareer application. This issue affects JobCareer versions from n/a through 7.3.
There is a vulnerability in Fortius <= 2.3.0 versions that allows unauthenticated local file inclusion.
Versions of Snow Club up to 1.1 are vulnerable to unauthenticated local file inclusion. An attacker can exploit this vulnerability to gain access to system files.
There is an unauthenticated local file inclusion vulnerability in Dazzle <= 1.0.0 versions.
The LuxMed | Medicine & Healthcare Doctor WordPress theme versions up to 1.2.2 are vulnerable to unauthenticated local file inclusion. An attacker can exploit this vulnerability to gain access to sensitive data on the server.
There is an unauthenticated local file inclusion vulnerability in Imba versions up to 1.5.0.
Versions of Avante below 3.0.5 are vulnerable to unauthenticated Cross Site Scripting (XSS). An attacker can exploit this vulnerability to inject malicious JavaScript code.
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write operations, allowing an attacker to reset a user's password by sending a one-time password to an attacker-controlled email address.
The WP Media folder plugin in versions <= 4.0.1 has a vulnerability allowing unauthenticated arbitrary file download.
The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitize a URL parameter before echoing it into inline JavaScript on a frontend page containing one of its shortcodes, leading to a Reflected Cross-Site Scripting vulnerability that can be triggered against any logged-in user.
The weMail: Email Marketing plugin for WooCommerce WordPress before version 2.1.3 improperly processes user-supplied parameters, allowing for Reflected Cross-Site Scripting (XSS) attacks against authenticated users.
A vulnerability related to the use of hard-coded credentials in various Mitsubishi Electric products, such as air conditioners and ventilation devices. An attacker within Wi-Fi range can access the device using a hard-coded SSID and password.
Falang multilanguage versions up to 1.4.2 contain a vulnerability that allows subscribers to escalate privileges.
Versions of Melhor Envio up to 2.16.3 contain a vulnerability in the subscriber authentication mechanism, which may lead to unauthorized access.

