CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-54219
Medium

UBB.threads is vulnerable to Stored XSS via user posts and user profile fields. The application fails to properly sanitize user input, allowing low privileged attackers to inject arbitrary JavaScript that executes in a victim's browser upon viewing.

CVE-2026-44942
Medium

A path traversal vulnerability in handling the 'path' component of .repo files in libzypp before version 17.38.13 in the 17.x series, or before 16.22.19, could allow attackers to fill directories on the system outside of the zypp cache with content.

CVE-2026-42490
Medium

CVE-2026-42490 vulnerability relates to the way the system acquires a lock for guest management operations in a Xen environment. When using XSM/Flask, the lock acquisition may occur before permission checks, creating a risk of unauthorized access.

CVE-2026-42489
Medium

CVE-2026-42489 concerns the lack of fairness in the way system-wide locks are acquired during domctl operations, which may lead to issues with parallel execution of these operations.

CVE-2026-12539
Medium

The vulnerability in Docker Sandboxes (sbx) is that the ICMP egress block is applied only at network creation time and is not re-applied to networks rebuilt from disk after a Docker daemon restart. Consequently, a sandbox that survives a restart can forward ICMP to arbitrary hosts.

CVE-2026-12527
Medium

The firmware of the V380 IP camera from Shenzhen Liandian Communication Technology LTD has a vulnerability related to a broken authorization boundary in the RTSP media delivery pipeline. This allows unauthenticated network actors to bypass the authentication process and directly access the live video stream.

CVE-2026-12039
Medium

A vulnerability in Docker Sandboxes (sbx) allows bypassing the HTTP/S-only egress allowlist via DNS tunneling. The embedded DNS server forwards queries to the host resolver without policy enforcement, enabling untrusted workloads to exfiltrate data encoded in DNS labels.

CVE-2026-8039
Medium

The Fancy Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'author' shortcode attribute in the 'testimonial' shortcode in all versions up to and including 1.0 due to insufficient input sanitization and output escaping.

CVE-2026-50643
Medium

8cc is vulnerable to an Out-of-Bounds Read due to improper handling of #line directives and GNU linemarkers. The compiler accepts attacker-controlled filename and line number metadata and later uses it without validation.

CVE-2026-2021
Medium

The Slideshow Gallery LITE plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'alwaysauto' shortcode attribute in all versions up to and including 1.8.5. This is due to insufficient input sanitization and output escaping on user-supplied attributes.

CVE-2026-9815
Medium

The MagicForm WordPress plugin through 0.1.3 does not properly validate the type of files uploaded through an unauthenticated AJAX action when a form's per-field extension allowlist is left empty, allowing unauthenticated attackers to upload PHP files and execute arbitrary code on the server.

CVE-2026-55745
Medium

Cotonti version 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the Personal File Storage (PFS) module. The folder update action ('a=update') does not validate the anti-CSRF token, allowing for modification of folder metadata through a forged request.

CVE-2026-28573
Medium

In AndroidManifest.xml, there is a possible persistent denial of service due to a missing permission check. This could lead to local denial of service with no additional execution privileges needed.

CVE-2026-12137
Medium

The SysBasics Customize My Account plugin for WooCommerce is vulnerable to reflected Cross-Site Scripting via the 'tab' parameter in all versions up to and including 4.3.6 due to insufficient input sanitization and output escaping. Attackers can inject arbitrary web scripts, requiring the victim to be logged in with at least Shop Manager-level access.

CVE-2026-12136
Medium

The Customize My Account For Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'sysbasics_user_avatar' shortcode in versions up to and including 4.3.6. This is due to insufficient input sanitization and output escaping on user supplied attributes.

CVE-2026-12111
Medium

The Appointment Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to 1.4.01. This is due to insufficient authorization and missing per-calendar ownership checks in the cpabc_appointments_calendar_load2() function.

CVE-2026-12098
Medium

The PowerPress Podcasting plugin by Blubrry for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'embed' Episode Meta Field. This issue exists in all versions up to and including 11.16.8 due to insufficient input sanitization and output escaping.

CVE-2026-9199
Medium

The Equalize Digital Accessibility Checker plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 1.42.1. The issue arises from improper verification of user permissions, allowing attackers with author-level access and above to manipulate accessibility issue records.

CVE-2026-12120
Medium

The FireBox Popups – Increase Sales and Grow Your Email List plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 3.1.7 via the 'form_id' parameter. This allows unauthenticated attackers to download a full CSV export of all form submissions, including any personally identifiable information submitted by users.

CVE-2026-12093
Medium

The Simple Membership plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 4.7.5. This is due to the plugin not properly verifying that a user is authorized to perform an action, allowing unauthenticated attackers to deactivate member accounts.

PreviousPage 94 of 544Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS