CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-34025
Medium

The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains an IP restriction bypass vulnerability in the login process. An attacker with valid branch user credentials can manipulate the X-Forwarded-For header to spoof the expected branch IP address and obtain a valid authenticated session from an unauthorized network location.

CVE-2026-44188
Medium

A flaw was found in Ansible Lightspeed related to insufficient session expiration, allowing a remote attacker to maintain persistent access to the Ansible Lightspeed instance. If an attacker exfiltrates a valid OAuth access token before a user logs out, they can continue to authenticate and access sensitive data.

CVE-2026-9278
Medium

The Form Builder CP WordPress plugin before version 1.2.47 does not properly sanitize a form configuration value before storing it, allowing Stored Cross-Site Scripting attacks by authenticated users with Editor-level access and above.

CVE-2026-8386
Medium

The WP Go Maps plugin for WordPress before version 10.0.10 does not perform approval-state filtering on its public single-marker REST endpoint, allowing unauthenticated users to access marker records that have not yet been approved by an administrator.

CVE-2026-8385
Medium

The WP Go Maps plugin for WordPress before version 10.0.10 does not properly enforce the marker approval filter on the admin-ajax fallback for its datatables route, allowing unauthenticated visitors to access marker records that the site owner has not approved for public display.

CVE-2026-12223
MediumEPSS 64%

A command injection vulnerability was found in Yealink SIP-T46U version 108.86.0.118 in the mod_webd.TFTPUploadIperf function of the /api/inner/tftpuploadiperf file. The attack requires local network access and can be executed by manipulating the ip/port arguments. The vendor has provided a fix in version 108.87.0.23, which is not yet publicly available.

CVE-2026-12219
MediumEPSS 60%

A command injection vulnerability has been found in Yealink SIP-T46U firmware version 108.86.0.118 in the mod_diagnose.CommandShellByType function of the /api/diagnosis/start file. The attack can be initiated remotely by manipulating the Time argument, and the exploit has been published.

CVE-2026-12216
Medium

A weakness has been identified in svaarala duktape up to version 2.99.99, affecting some unknown processing of the file duk_api_bytecode.c. Manipulating the argument count_instr can lead to memory corruption.

CVE-2026-12213
Medium

A vulnerability was found in hcengineering Huly Platform up to version 0.7.0. It affects the function getAccountInfo in the file server/account/src/operations.ts of the User Information Handler component, leading to improper authorization.

CVE-2026-12212
Medium

A vulnerability has been found in hcengineering Huly Platform up to version 0.7.0. The issue affects the function getMailboxSecret in the file server/account/src/operations.ts of the RPC Interface component, leading to improper access controls.

CVE-2026-12210
Medium

A vulnerability was detected in the universal-tool-calling-protocol python-utcp library version 1.1.0, affecting an unknown function of the utcp-gql/utcp-websocket component. Manipulating this function leads to server-side request forgery.

CVE-2026-12209
Medium

A vulnerability has been detected in RubyLouvre avalon up to version 2.2.10, affecting an unknown function in the file src/filters/index.js of the Template Filter Handler component. This manipulation leads to improperly controlled modification of object prototype attributes.

CVE-2026-12208
Medium

A weakness has been identified in jsonata-js jsonata up to version 2.2.0, concerning the createFrame function in the src/jsonata.js file. This manipulation leads to improperly controlled modification of object prototype attributes.

CVE-2026-12207
Medium

A security flaw has been discovered in the HTTP REST API component of medkey-org medkey (up to fc09b7ba9441ff590b72d428d5380834216b09ed). The function actionGetPatientById in PatientController.php is affected, where manipulation of the ID argument leads to improper control of resource identifiers, enabling remote attacks. The exploit has been publicly released and may be used in attacks.

CVE-2026-12206
Medium

A vulnerability was identified in Grit42 Grit up to version 0.11.0, affecting the function Grit::Assays::DataTableEntity in the file modules/assays/backend/app/models/grit/assays/data_table_entity.rb. The manipulation leads to SQL injection.

CVE-2026-12203
Medium

A vulnerability was found in HKUDS AI-Trader affecting an unknown part of the file /api/research/agents.csv of the Research Export component. Manipulation of this file results in information disclosure, and remote exploitation is possible.

CVE-2026-12201
Medium

A flaw has been found in IObit Malware Fighter up to version 13.2.0 in an unknown functionality of the DLL Handler component, causing permission issues. The attack requires local access.

CVE-2026-12190
Medium

A vulnerability has been found in Genspark AI Workspace App 2.8.4 on Android, affecting unknown code of the component ai.mainfunc.genspark. The manipulation leads to improper authorization in handler for custom url scheme.

CVE-2026-12189
Medium

A flaw has been found in Moovit Bus & Public Transit App 1.18 on Android, affecting an unknown part of the component com.tranzmate. Executing a manipulation can lead to improper authorization in the handler for custom URL scheme.

CVE-2026-12188
Medium

A vulnerability was detected in Grit42 Grit up to version 0.11.0, affecting some unknown functionality in the file modules/core/backend/app/controllers/concerns/grit/core/grit_entity_controller.rb of the GritEntityController component. Manipulating this functionality leads to SQL injection.

PreviousPage 128 of 563Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS