CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-12216
Medium

A weakness has been identified in svaarala duktape up to version 2.99.99, affecting some unknown processing of the file duk_api_bytecode.c. Manipulating the argument count_instr can lead to memory corruption.

CVE-2026-12213
Medium

A vulnerability was found in hcengineering Huly Platform up to version 0.7.0. It affects the function getAccountInfo in the file server/account/src/operations.ts of the User Information Handler component, leading to improper authorization.

CVE-2026-12212
Medium

A vulnerability has been found in hcengineering Huly Platform up to version 0.7.0. The issue affects the function getMailboxSecret in the file server/account/src/operations.ts of the RPC Interface component, leading to improper access controls.

CVE-2026-12210
Medium

A vulnerability was detected in the universal-tool-calling-protocol python-utcp library version 1.1.0, affecting an unknown function of the utcp-gql/utcp-websocket component. Manipulating this function leads to server-side request forgery.

CVE-2026-12209
Medium

A vulnerability has been detected in RubyLouvre avalon up to version 2.2.10, affecting an unknown function in the file src/filters/index.js of the Template Filter Handler component. This manipulation leads to improperly controlled modification of object prototype attributes.

CVE-2026-12208
Medium

A weakness has been identified in jsonata-js jsonata up to version 2.2.0, concerning the createFrame function in the src/jsonata.js file. This manipulation leads to improperly controlled modification of object prototype attributes.

CVE-2026-12207
Medium

A security flaw has been discovered in the HTTP REST API component of medkey-org medkey (up to fc09b7ba9441ff590b72d428d5380834216b09ed). The function actionGetPatientById in PatientController.php is affected, where manipulation of the ID argument leads to improper control of resource identifiers, enabling remote attacks. The exploit has been publicly released and may be used in attacks.

CVE-2026-12206
Medium

A vulnerability was identified in Grit42 Grit up to version 0.11.0, affecting the function Grit::Assays::DataTableEntity in the file modules/assays/backend/app/models/grit/assays/data_table_entity.rb. The manipulation leads to SQL injection.

CVE-2026-12203
Medium

A vulnerability was found in HKUDS AI-Trader affecting an unknown part of the file /api/research/agents.csv of the Research Export component. Manipulation of this file results in information disclosure, and remote exploitation is possible.

CVE-2026-12201
Medium

A flaw has been found in IObit Malware Fighter up to version 13.2.0 in an unknown functionality of the DLL Handler component, causing permission issues. The attack requires local access.

CVE-2026-12190
Medium

A vulnerability has been found in Genspark AI Workspace App 2.8.4 on Android, affecting unknown code of the component ai.mainfunc.genspark. The manipulation leads to improper authorization in handler for custom url scheme.

CVE-2026-12189
Medium

A flaw has been found in Moovit Bus & Public Transit App 1.18 on Android, affecting an unknown part of the component com.tranzmate. Executing a manipulation can lead to improper authorization in the handler for custom URL scheme.

CVE-2026-12188
Medium

A vulnerability was detected in Grit42 Grit up to version 0.11.0, affecting some unknown functionality in the file modules/core/backend/app/controllers/concerns/grit/core/grit_entity_controller.rb of the GritEntityController component. Manipulating this functionality leads to SQL injection.

CVE-2026-54411
Medium

Linux-PAM through version 1.7.2 contains a vulnerability in the pam_userdb module that allows a local or network-adjacent attacker to recover plaintext passwords by measuring response timing differences during the authentication process. The issue arises from plaintext password comparisons that leak password length and individual prefix bytes.

CVE-2025-15546
Medium

The Iptanus File Upload WordPress plugin before version 5.1.7 does not implement proper file handling when the duplicatepolicy setting is configured to "maintain both." Due to a TOCTOU race condition between the file existence check and the actual file write operation, an authenticated attacker can overwrite files uploaded by other users.

CVE-2026-54421
Medium

In OpenStack Ironic before version 37.0.1, when applying a PATCH to update fields in volume properties the user is authorized for, Ironic can return unredacted sensitive information such as iSCSI credentials.

CVE-2026-12176
Medium

A vulnerability has been found in the CET Automated Grading System with AI Predictive Analytics 1.0. Manipulation of the 'action' argument in the /index.php file leads to cross-site scripting (XSS) attacks.

CVE-2026-12175
Medium

A vulnerability was detected in CodeAstro Student Attendance Management System 1.0, allowing SQL injection through manipulation of the admissionNumber argument in the /attendance-php/Admin/createStudents.php file.

CVE-2026-1291
Medium

The Meow Gallery plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode in all versions up to and including 5.4.4. This allows authenticated attackers with Author-level access and above to arbitrarily create or overwrite existing gallery shortcode records.

CVE-2026-9629
Medium

The Canvas plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'tag' parameter in all versions up to and including 2.5.2 due to insufficient input sanitization and output escaping.

PreviousPage 104 of 514Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS