CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
Falang multilanguage versions up to 1.4.2 contain a vulnerability that allows subscribers to escalate privileges.
Versions of Melhor Envio up to 2.16.3 contain a vulnerability in the subscriber authentication mechanism, which may lead to unauthorized access.
Versions of SMS Alert Order Notifications up to 3.9.3 contain a vulnerability in authentication that allows unauthorized access.
Versions of JetFormBuilder <= 3.6.0.1 are vulnerable to unauthenticated Cross Site Scripting (XSS). An attacker can exploit this vulnerability to inject malicious JavaScript code.
Popup box versions up to 6.2.9 are vulnerable to unauthenticated Cross Site Scripting (XSS). An attacker can exploit this vulnerability to inject malicious scripts.
Versions of JetEngine up to 3.8.10 are vulnerable to unauthenticated Cross Site Scripting (XSS). An attacker can exploit this vulnerability to inject malicious JavaScript code.
Versions of JetEngine up to 3.8.10 are vulnerable to unauthenticated Cross Site Scripting (XSS). An attacker can exploit this vulnerability to inject malicious JavaScript code.
Subscriber SQL Injection vulnerability in Cornerstone versions below 7.8.8 allows attackers to execute malicious SQL queries.
In Clean Login versions <= 1.15, there is a vulnerability to unauthenticated Insecure Direct Object References (IDOR). This allows attackers to access resources they should not have access to.
The RadiX AX6600 WiFi 6 Tri-Band Gaming Router contains an OS command injection vulnerability, which may lead to arbitrary command execution with root privileges by a user who logs in to the web console as an administrator.
Versions of PushEngage up to 4.2.3 have a vulnerability that allows the exposure of subscriber sensitive data. This issue affects web push notifications and eCommerce automation.
In JetBlog versions up to 2.4.8, there is a vulnerability allowing unauthorized access to sensitive data.
Versions of WPFunnels Pro up to 2.9.4 are vulnerable to unauthenticated Cross Site Scripting (XSS). An attacker can exploit this vulnerability to inject malicious JavaScript code.
In Cornerstone versions below 7.8.8, there is a vulnerability allowing arbitrary code execution by a subscriber.
Versions of Stripe up to 1.3.12 have a vulnerability in unauthenticated access that allows unauthorized access to user registration functions.
There is an unauthenticated Cross Site Scripting (XSS) vulnerability in JetEngine versions <= 3.8.9.1. An attacker can exploit this flaw to inject malicious scripts in the user's context.
CVE-2026-49073 describes an improper neutralization of special elements used in SQL commands, leading to the possibility of Blind SQL Injection attacks in the wpWax Directorist Booking plugin.
JobSearch versions up to 3.2.7 contain a vulnerability in access control that allows unauthorized access to resources.
There is a SQL Injection vulnerability in Geo Mashup versions <= 1.13.19 that may allow unauthorized access to the database.
Rocket.Chat versions <8.5.1, <8.4.4, <8.3.6, <8.2.6, <8.1.6, <8.0.7, <7.13.9, and <7.10.13 are vulnerable to unauthenticated file deletion. The deleteFileMessage method allows for the permanent deletion of any uploaded file by ID without requiring authentication.

