CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-5051
Medium

In HashiCorp Vault and Vault Enterprise prior to version 2.0.1, the audit device validation logic did not consistently apply plugin directory protections when the legacy file audit path option was used. This vulnerability is fixed in versions 2.0.1, 1.21.6, 1.20.11, and 1.19.17.

CVE-2026-58521
Medium

A SQL injection vulnerability has been discovered in the Cargo extension for MediaWiki due to improper neutralization of special elements used in SQL commands. This flaw allows an attacker to inject malicious SQL code, potentially leading to unauthorized database access.

CVE-2026-58520
Medium

An open redirect vulnerability in the UrlShortener extension for MediaWiki allows Cross-Site Flashing attacks. Affected versions are before 1.43.9, 1.44.6, and 1.45.4.

CVE-2026-57737
Medium

The Shortcodes and extra features plugin for the Phlox theme contains a DOM-Based XSS vulnerability due to improper input neutralization during web page generation.

CVE-2026-57722
Medium

The Enable Media Replace WordPress plugin contains a stored Cross-Site Scripting (XSS) vulnerability due to improper input neutralization during page generation. This affects versions from n/a through 4.2.1.

CVE-2026-51946
Medium

SQL Injection vulnerability in GoAdminGroup GoAdmin (last release v1.2.26) allows a remote attacker to execute arbitrary code and obtain sensitive information via the __sort_type URL parameter on all /admin/info/{table} endpoints.

CVE-2026-49090
Medium

CVE-2026-49090 in Elasticsearch allows a denial of service (DoS) via uncontrolled resource consumption. An authenticated user can submit a specially crafted bulk request causing sustained high CPU usage, rendering the affected node unable to process requests.

CVE-2026-57721
Medium

The ApplyOnline WordPress plugin contains a missing authorization vulnerability that allows exploiting incorrectly configured access control security levels. This issue affects versions from n/a through 2.6.7.6.

CVE-2026-57720
Medium

The ThumbPress WordPress plugin contains a missing authorization vulnerability that allows exploiting incorrectly configured access control security levels. This issue affects all versions from n/a through 6.3.2.

CVE-2026-56152
Medium

CVE-2026-56152 in Elastic Defend is caused by incorrect authorization (CWE-863). It allows a low-privileged authenticated user to access response action data they are not authorized to view, leading to unauthorized information disclosure.

CVE-2026-56151
Medium

CVE-2026-56151 in Kibana is an improper input validation vulnerability (CWE-20) that allows an authenticated user to submit a specially crafted Fleet policy input, causing a denial of service (DoS) via input data manipulation (CAPEC-153). This attack renders Fleet agent, server, and policy management functionality unavailable.

CVE-2026-56150
Medium

A CWE-770 vulnerability in Fleet Server allows an attacker to send a specially crafted request to an upload endpoint, causing excessive memory consumption and potentially leading to a denial of service (DoS).

CVE-2026-56149
Medium

CWE-770 vulnerability in Elasticsearch allows a denial of service via excessive memory allocation. A privileged user can submit a crafted machine learning request, causing resource exhaustion and node unavailability.

CVE-2026-56148
Medium

CVE-2026-56148 in Elasticsearch involves uncontrolled recursion leading to denial of service. An authenticated user can submit a specially crafted query causing excessive resource consumption during processing, potentially rendering the affected node unavailable.

CVE-2026-49088
Medium

CVE-2026-49088 in Kibana allows insertion of sensitive information into log files. When optional APM instrumentation is enabled, sensitive request header values may be recorded in application logs.

CVE-2026-49087
Medium

CWE-770 vulnerability in Kibana allows a denial of service via excessive resource allocation. An authenticated attacker can send a crafted bulk deletion request, exhausting resources and making Kibana unavailable.

CVE-2026-34098
Medium

The vulnerability in the Guardian language-system fails to sanitize the 'id' GET parameter before inserting it into HTML source and form action attributes in media.php (lines 119, 129). An authenticated attacker can craft a URL that injects script tags executing in the victim's browser session.

CVE-2026-34097
Medium

The vulnerability in the Guardian language-system is due to the failure to sanitize the 'id' GET parameter before inserting it into HTML form action attributes in text_file.php. An authenticated attacker can craft a URL that injects script tags executing in the victim's browser session.

CVE-2026-34096
Medium

The XSS vulnerability in the Guardian language-system fails to sanitize the 'name' GET parameter before outputting it into an HTML input value attribute in designer.php (line 57). An authenticated attacker can craft a URL containing script tags that execute in the victim's browser session.

CVE-2026-27409
Medium

The Webba Booking WordPress plugin contains a missing authorization vulnerability that allows exploiting incorrectly configured access control security levels. This issue affects versions from n/a through 6.4.13.

PreviousPage 11 of 485Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS