CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
Cross Site Scripting vulnerability in Zimbra ZCS v.8.8.15 allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function.
A command injection vulnerability was discovered in TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 via the component /userRpm/WlanNetworkRpm.
Type confusion in V8 in Google Chrome prior to version 114.0.5735.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
A SQL injection vulnerability has been found in the MOVEit Transfer web application before version 2021.0.6, which could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. An attacker may be able to infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements.
In RocketMQ versions 5.1.0 and below, there is a risk of remote command execution under certain conditions. Several components of RocketMQ, including NameServer, Broker, and Controller, are exposed on the extranet and lack permission verification.
CVE-2023-33010 describes a buffer overflow vulnerability in the ID processing function in the firmware of Zyxel ATP series, USG FLEX, USG20(W)-VPN, VPN series, and ZyWALL/USG. This could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even remote code execution on an affected device.
CVE-2023-33009 describes a buffer overflow vulnerability in the notification function in the firmware of Zyxel ATP series, USG FLEX series, USG20(W)-VPN, VPN series, and ZyWALL/USG series. This could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even remote code execution on an affected device.
A remote command execution (RCE) vulnerability was discovered in the D-Link DIR-820L router version 1.05B03 via an HTTP POST request to the get set ccp function.
A vulnerability was found in the Linux kernel's cgroup_release_agent_write function in kernel/cgroup/cgroup-v1.c. Under certain circumstances, this flaw allows the cgroups v1 release_agent feature to be used to escalate privileges and unexpectedly bypass namespace isolation.
A vulnerability in Sitecore XP from version 7.5 to 8.2 Update-7 allows remote code execution through insecure deserialization. No authentication or special configuration is required to exploit this flaw.
In Arm Trusted Firmware M through version 1.2, the NS world can trigger a system halt, an overwrite of secure data, or the printing of secure data when calling secure functions in NSPE handler mode.
Nagios XI version xi-5.7.5 is affected by OS command injection due to improper sanitization of authenticated user input in the file cloud-vm.inc.php.
A vulnerability in Nagios XI version xi-5.7.5 allows OS command injection. The issue exists in the switch.inc.php file due to improper sanitization of authenticated user input.
Nagios XI version xi-5.7.5 is affected by OS command injection in the file windowswmi.inc.php due to improper sanitization of authenticated user input, allowing arbitrary command execution.
Versions of Sangoma FreePBX 115.0.16.26 and below, 14.0.13.11 and below, and 13.0.197.13 and below have incorrect access control.
Vulnerability in Spring Data Commons (versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions) due to improper neutralization of special elements in the property binder. An unauthenticated remote attacker can supply specially crafted request parameters against Spring Data REST backed HTTP resources or use Spring Data's projection-based request payload binding, leading to remote code execution.

