CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
A weakness has been identified in svaarala duktape up to version 2.99.99, affecting some unknown processing of the file duk_api_bytecode.c. Manipulating the argument count_instr can lead to memory corruption.
A vulnerability was found in hcengineering Huly Platform up to version 0.7.0. It affects the function getAccountInfo in the file server/account/src/operations.ts of the User Information Handler component, leading to improper authorization.
A vulnerability has been found in hcengineering Huly Platform up to version 0.7.0. The issue affects the function getMailboxSecret in the file server/account/src/operations.ts of the RPC Interface component, leading to improper access controls.
A vulnerability was detected in the universal-tool-calling-protocol python-utcp library version 1.1.0, affecting an unknown function of the utcp-gql/utcp-websocket component. Manipulating this function leads to server-side request forgery.
A vulnerability has been detected in RubyLouvre avalon up to version 2.2.10, affecting an unknown function in the file src/filters/index.js of the Template Filter Handler component. This manipulation leads to improperly controlled modification of object prototype attributes.
A weakness has been identified in jsonata-js jsonata up to version 2.2.0, concerning the createFrame function in the src/jsonata.js file. This manipulation leads to improperly controlled modification of object prototype attributes.
A security flaw has been discovered in the HTTP REST API component of medkey-org medkey (up to fc09b7ba9441ff590b72d428d5380834216b09ed). The function actionGetPatientById in PatientController.php is affected, where manipulation of the ID argument leads to improper control of resource identifiers, enabling remote attacks. The exploit has been publicly released and may be used in attacks.
A vulnerability was identified in Grit42 Grit up to version 0.11.0, affecting the function Grit::Assays::DataTableEntity in the file modules/assays/backend/app/models/grit/assays/data_table_entity.rb. The manipulation leads to SQL injection.
A vulnerability was found in HKUDS AI-Trader affecting an unknown part of the file /api/research/agents.csv of the Research Export component. Manipulation of this file results in information disclosure, and remote exploitation is possible.
A flaw has been found in IObit Malware Fighter up to version 13.2.0 in an unknown functionality of the DLL Handler component, causing permission issues. The attack requires local access.
A vulnerability has been found in Genspark AI Workspace App 2.8.4 on Android, affecting unknown code of the component ai.mainfunc.genspark. The manipulation leads to improper authorization in handler for custom url scheme.
A flaw has been found in Moovit Bus & Public Transit App 1.18 on Android, affecting an unknown part of the component com.tranzmate. Executing a manipulation can lead to improper authorization in the handler for custom URL scheme.
A vulnerability was detected in Grit42 Grit up to version 0.11.0, affecting some unknown functionality in the file modules/core/backend/app/controllers/concerns/grit/core/grit_entity_controller.rb of the GritEntityController component. Manipulating this functionality leads to SQL injection.
Linux-PAM through version 1.7.2 contains a vulnerability in the pam_userdb module that allows a local or network-adjacent attacker to recover plaintext passwords by measuring response timing differences during the authentication process. The issue arises from plaintext password comparisons that leak password length and individual prefix bytes.
The Iptanus File Upload WordPress plugin before version 5.1.7 does not implement proper file handling when the duplicatepolicy setting is configured to "maintain both." Due to a TOCTOU race condition between the file existence check and the actual file write operation, an authenticated attacker can overwrite files uploaded by other users.
In OpenStack Ironic before version 37.0.1, when applying a PATCH to update fields in volume properties the user is authorized for, Ironic can return unredacted sensitive information such as iSCSI credentials.
A vulnerability has been found in the CET Automated Grading System with AI Predictive Analytics 1.0. Manipulation of the 'action' argument in the /index.php file leads to cross-site scripting (XSS) attacks.
A vulnerability was detected in CodeAstro Student Attendance Management System 1.0, allowing SQL injection through manipulation of the admissionNumber argument in the /attendance-php/Admin/createStudents.php file.
The Meow Gallery plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode in all versions up to and including 5.4.4. This allows authenticated attackers with Author-level access and above to arbitrarily create or overwrite existing gallery shortcode records.
The Canvas plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'tag' parameter in all versions up to and including 2.5.2 due to insufficient input sanitization and output escaping.

