CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.07)
The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains an IP restriction bypass vulnerability in the login process. An attacker with valid branch user credentials can manipulate the X-Forwarded-For header to spoof the expected branch IP address and obtain a valid authenticated session from an unauthorized network location.
A flaw was found in Ansible Lightspeed related to insufficient session expiration, allowing a remote attacker to maintain persistent access to the Ansible Lightspeed instance. If an attacker exfiltrates a valid OAuth access token before a user logs out, they can continue to authenticate and access sensitive data.
The Form Builder CP WordPress plugin before version 1.2.47 does not properly sanitize a form configuration value before storing it, allowing Stored Cross-Site Scripting attacks by authenticated users with Editor-level access and above.
The WP Go Maps plugin for WordPress before version 10.0.10 does not perform approval-state filtering on its public single-marker REST endpoint, allowing unauthenticated users to access marker records that have not yet been approved by an administrator.
The WP Go Maps plugin for WordPress before version 10.0.10 does not properly enforce the marker approval filter on the admin-ajax fallback for its datatables route, allowing unauthenticated visitors to access marker records that the site owner has not approved for public display.
A command injection vulnerability was found in Yealink SIP-T46U version 108.86.0.118 in the mod_webd.TFTPUploadIperf function of the /api/inner/tftpuploadiperf file. The attack requires local network access and can be executed by manipulating the ip/port arguments. The vendor has provided a fix in version 108.87.0.23, which is not yet publicly available.
A command injection vulnerability has been found in Yealink SIP-T46U firmware version 108.86.0.118 in the mod_diagnose.CommandShellByType function of the /api/diagnosis/start file. The attack can be initiated remotely by manipulating the Time argument, and the exploit has been published.
A weakness has been identified in svaarala duktape up to version 2.99.99, affecting some unknown processing of the file duk_api_bytecode.c. Manipulating the argument count_instr can lead to memory corruption.
A vulnerability was found in hcengineering Huly Platform up to version 0.7.0. It affects the function getAccountInfo in the file server/account/src/operations.ts of the User Information Handler component, leading to improper authorization.
A vulnerability has been found in hcengineering Huly Platform up to version 0.7.0. The issue affects the function getMailboxSecret in the file server/account/src/operations.ts of the RPC Interface component, leading to improper access controls.
A vulnerability was detected in the universal-tool-calling-protocol python-utcp library version 1.1.0, affecting an unknown function of the utcp-gql/utcp-websocket component. Manipulating this function leads to server-side request forgery.
A vulnerability has been detected in RubyLouvre avalon up to version 2.2.10, affecting an unknown function in the file src/filters/index.js of the Template Filter Handler component. This manipulation leads to improperly controlled modification of object prototype attributes.
A weakness has been identified in jsonata-js jsonata up to version 2.2.0, concerning the createFrame function in the src/jsonata.js file. This manipulation leads to improperly controlled modification of object prototype attributes.
A security flaw has been discovered in the HTTP REST API component of medkey-org medkey (up to fc09b7ba9441ff590b72d428d5380834216b09ed). The function actionGetPatientById in PatientController.php is affected, where manipulation of the ID argument leads to improper control of resource identifiers, enabling remote attacks. The exploit has been publicly released and may be used in attacks.
A vulnerability was identified in Grit42 Grit up to version 0.11.0, affecting the function Grit::Assays::DataTableEntity in the file modules/assays/backend/app/models/grit/assays/data_table_entity.rb. The manipulation leads to SQL injection.
A vulnerability was found in HKUDS AI-Trader affecting an unknown part of the file /api/research/agents.csv of the Research Export component. Manipulation of this file results in information disclosure, and remote exploitation is possible.
A flaw has been found in IObit Malware Fighter up to version 13.2.0 in an unknown functionality of the DLL Handler component, causing permission issues. The attack requires local access.
A vulnerability has been found in Genspark AI Workspace App 2.8.4 on Android, affecting unknown code of the component ai.mainfunc.genspark. The manipulation leads to improper authorization in handler for custom url scheme.
A flaw has been found in Moovit Bus & Public Transit App 1.18 on Android, affecting an unknown part of the component com.tranzmate. Executing a manipulation can lead to improper authorization in the handler for custom URL scheme.
A vulnerability was detected in Grit42 Grit up to version 0.11.0, affecting some unknown functionality in the file modules/core/backend/app/controllers/concerns/grit/core/grit_entity_controller.rb of the GritEntityController component. Manipulating this functionality leads to SQL injection.

