CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-54805
High

Falang multilanguage versions up to 1.4.2 contain a vulnerability that allows subscribers to escalate privileges.

CVE-2026-54804
High

Versions of Melhor Envio up to 2.16.3 contain a vulnerability in the subscriber authentication mechanism, which may lead to unauthorized access.

CVE-2026-54802
High

Versions of SMS Alert Order Notifications up to 3.9.3 contain a vulnerability in authentication that allows unauthorized access.

CVE-2026-54195
High

Versions of JetFormBuilder <= 3.6.0.1 are vulnerable to unauthenticated Cross Site Scripting (XSS). An attacker can exploit this vulnerability to inject malicious JavaScript code.

CVE-2026-54192
High

Popup box versions up to 6.2.9 are vulnerable to unauthenticated Cross Site Scripting (XSS). An attacker can exploit this vulnerability to inject malicious scripts.

CVE-2026-54189
High

Versions of JetEngine up to 3.8.10 are vulnerable to unauthenticated Cross Site Scripting (XSS). An attacker can exploit this vulnerability to inject malicious JavaScript code.

CVE-2026-54188
High

Versions of JetEngine up to 3.8.10 are vulnerable to unauthenticated Cross Site Scripting (XSS). An attacker can exploit this vulnerability to inject malicious JavaScript code.

CVE-2026-54185
High

Subscriber SQL Injection vulnerability in Cornerstone versions below 7.8.8 allows attackers to execute malicious SQL queries.

CVE-2026-54184
High

In Clean Login versions <= 1.15, there is a vulnerability to unauthenticated Insecure Direct Object References (IDOR). This allows attackers to access resources they should not have access to.

CVE-2026-53876
HighEPSS 75%

The RadiX AX6600 WiFi 6 Tri-Band Gaming Router contains an OS command injection vulnerability, which may lead to arbitrary command execution with root privileges by a user who logs in to the web console as an administrator.

CVE-2026-52698
High

Versions of PushEngage up to 4.2.3 have a vulnerability that allows the exposure of subscriber sensitive data. This issue affects web push notifications and eCommerce automation.

CVE-2026-52696
High

In JetBlog versions up to 2.4.8, there is a vulnerability allowing unauthorized access to sensitive data.

CVE-2026-49778
High

Versions of WPFunnels Pro up to 2.9.4 are vulnerable to unauthenticated Cross Site Scripting (XSS). An attacker can exploit this vulnerability to inject malicious JavaScript code.

CVE-2026-49113
High

In Cornerstone versions below 7.8.8, there is a vulnerability allowing arbitrary code execution by a subscriber.

CVE-2026-49081
High

Versions of Stripe up to 1.3.12 have a vulnerability in unauthenticated access that allows unauthorized access to user registration functions.

CVE-2026-49074
High

There is an unauthenticated Cross Site Scripting (XSS) vulnerability in JetEngine versions <= 3.8.9.1. An attacker can exploit this flaw to inject malicious scripts in the user's context.

CVE-2026-49073
High

CVE-2026-49073 describes an improper neutralization of special elements used in SQL commands, leading to the possibility of Blind SQL Injection attacks in the wpWax Directorist Booking plugin.

CVE-2026-49057
High

JobSearch versions up to 3.2.7 contain a vulnerability in access control that allows unauthorized access to resources.

CVE-2026-48967
High

There is a SQL Injection vulnerability in Geo Mashup versions <= 1.13.19 that may allow unauthorized access to the database.

CVE-2026-48929
High

Rocket.Chat versions <8.5.1, <8.4.4, <8.3.6, <8.2.6, <8.1.6, <8.0.7, <7.13.9, and <7.10.13 are vulnerable to unauthenticated file deletion. The deleteFileMessage method allows for the permanent deletion of any uploaded file by ID without requiring authentication.

PreviousPage 98 of 3342Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS