CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
An out of bounds read in Skia in Google Chrome prior to version 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page.
When the ALLOW_INSECURE_RAW_TEXT option is enabled, whitespace-variant closing tags (e.g., </style >) are not recognized by the sanitizer but accepted by browsers as valid end tags. This allows bypassing the XSS prevention mechanism in typo3/html-sanitizer before version 2.3.2.
A vulnerability was identified in D-Link DGS-1100-08PD 1.00.006, affecting unknown processing of the file /etc/boa.conf in the web interface. Such manipulation leads to least privilege violation.
A vulnerability was detected in the imvks786 student management system that allows for cross-site scripting (XSS) attacks through argument manipulation in the /add.php file. The attack can be executed remotely, and the exploit is now publicly available.
The CRLF Injection vulnerability in the wojtekmach Req library allows multipart parameter smuggling via maliciously modified part metadata. The issue arises from improper neutralization of CRLF sequences in headers built from user-supplied data.
phpMyFAQ is an open source FAQ web application. In versions prior to 4.1.4, attachment passwords are hashed using SHA-1, a cryptographically broken algorithm vulnerable to collision attacks.
A weakness has been identified in SourceCodester Inventory System 1.0. The issue affects some unknown functionality of the file header.php, leading to cross-site scripting (XSS) attacks.
A weakness has been identified in Bolt CMS up to version 3.7.5, affecting unknown code in the file src/Storage/Field/Type/TextType.php. Manipulating the argument style can lead to HTML injection.
A weakness has been identified in JeecgBoot up to version 3.9.2, concerning the HttpServletResponse.sendRedirect function in the ThirdLoginController. Manipulation of the state argument leads to open redirect, which can be initiated remotely.
A vulnerability was identified in CodeAstro Human Resource Management System 1.0, affecting an unknown function of the file /notice/All_notice in the Notice Board Management component. Manipulating the Notice Title argument with malicious SVG code leads to cross-site scripting (XSS) attacks.
A vulnerability was identified in the PostgresStore.LookupByContentHash function in versions up to 0.35.0 of the Postgres Embedding Cache component. Manipulating the content_hash argument can lead to the use of weak hash.
A flaw has been found in kokke tiny-regex-c up to f2632c6d9ed25272987471cdb8b70395c2460bdb, affecting the function matchstar of the file re.c of the Pattern Handler component. This vulnerability leads to inefficient regular expression complexity.
A vulnerability was detected in SourceCodester Hospitals Patient Records Management System 1.0, allowing cross-site scripting (XSS) attacks through manipulation of the 'room' argument in the /admin/?page=room_types file.
A security flaw has been discovered in songquanpeng one-api up to version 0.6.11-preview.7, affecting the Redeem function in the file model/redemption.go. Manipulation of this function results in business logic errors.
A vulnerability was identified in JeecgBoot up to version 3.9.2, concerning the queryPageList function in the SysUserController.java file. Manipulation of the salt argument leads to information disclosure.
A vulnerability has been detected in SecureAge CatchPulse up to version 10.9.3, affecting an unknown function in the library saappctl.sys of the IOCTL Handler component. Manipulation of this function leads to information disclosure.
A weakness has been identified in FluentCMS 0.0.5, affecting an unknown function of the file /admin/blocks of the Blocks Plugin component. This manipulation leads to cross-site scripting attacks.
The WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary directory deletion due to insufficient file path validation in the delete_cancel_staging_site() function. This affects all versions up to and including 0.9.128.
A cross site scripting (XSS) vulnerability has been identified in SourceCodester Ship Ferry Ticket Reservation System version 1.0 in the user management function. Manipulating the 'Username' argument allows for remote exploitation.
7-Zip versions 9.11 through 26.00 contain a heap out-of-bounds read vulnerability in the UDF file identifier descriptor parser. The issue occurs when processing UDF images, potentially leading to information disclosure and application crashes.

