CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
Simple Link Directory version 9.0.4 improperly processes shortcode attributes, leading to their reflection in HTML data attributes without proper escaping. Attackers with contributor access can craft a shortcode attribute that injects an event handler executing in a viewer's browser.
Simple Link Directory version 9.0.4 interpolates the sld_no_results_found option into a JavaScript string literal without encoding. Because sanitize_text_field leaves quotes intact, a stored payload can break out of the string and run script for every page visitor.
The Yoast Duplicate Post plugin up to version 4.6 inserts an unescaped post title and permalink into the Classic Editor scheduled republish notice. Attackers can schedule a republish copy with a crafted title to execute script when an administrator views the resulting notice.
The Yoast Duplicate Post plugin up to version 4.6 contains a cross-site request forgery vulnerability in the duplicate_post_dismiss_notice handler, which does not verify nonce or capabilities. Attackers can trick any authenticated user into sending a request that sets the duplicate_post_show_notice site option, suppressing admin notices network-wide.
Juicer through 1.12.18 fails to escape remote feed API response fields before rendering them on the admin settings page. Attackers controlling the connected feed data can inject script that executes in an administrator's browser when the settings page loads.
Easy Twitter Feeds before 1.2.13 contains a cross-site request forgery vulnerability in the duplicate_post action handler that lacks nonce verification. Attackers can trick an authenticated user into visiting a crafted link that duplicates any post regardless of post type.
Sharp is a content management framework built for Laravel as a package. From version 9.0.0 to before version 9.22.3, the create and store endpoints of the Quick Creation Command feature did not enforce any authorization check.
Russh is a Rust SSH client & server library that from version 0.34.0-beta.1 to before version 0.61.0 did not enforce SSH identification-string rules as strictly as OpenSSH. This issue allowed the server to accept malformed identification lines, potentially leading to resource exhaustion during the pre-authentication phase.
Russh is a Rust SSH client & server library. From version 0.37.0 to before version 0.61.0, in the russh client keyboard-interactive authentication path, a malicious SSH server could send a USERAUTH_INFO_REQUEST with an attacker-controlled prompt count, leading to the use of that count without prior validation of the data.
Russh is a Rust SSH client & server library. From version 0.34.0-beta.1 to before version 0.61.0, the user authentication state is kept internally, which may lead to incorrect processing of authentication requests when the user or service changes.
In ImageMagick prior to versions 7.1.2.23 and 6.9.13-48, a crafted MSL image can trigger a heap-use-after-free.
In ImageMagick prior to versions 6.9.13-47 and 7.1.2-22, a missing check in the MNG coder allows reading more images than the list limit policy permits, resulting in excessive resource consumption.
ImageMagick prior to versions 6.9.13-47 and 7.1.2-22 has a vulnerability that allows an out of bounds over-read of 24 bytes when performing polynomial distortion with specific arguments. This issue has been patched in versions 6.9.13-47 and 7.1.2-22.
In the bit7z library prior to version 4.0.12, there is an arbitrary file overwrite vulnerability via symlink attack on predictable temp files during archive update. This issue has been patched in version 4.0.12.
In ImageMagick prior to versions 6.9.13-48 and 7.1.2-22, an invalid connected-components:keep-top value could result in a heap buffer over-read when performing the connected components operation.
ImageMagick prior to versions 6.9.13-47 and 7.1.2-22 contained an 'off by one' error in the meta encoder, which could lead to an out of bounds read of a single byte. This issue has been patched in versions 6.9.13-47 and 7.1.2-22.
In ImageMagick prior to versions 6.9.13-47 and 7.1.2-22, a missing check in the PSD decoder allowed bypassing the list-length resource policy when decoding a PSD image. Other security limits still applied.
ImageMagick prior to versions 6.9.13-47 and 7.1.2-22 had a vulnerability that allowed an out of bounds read when writing an IPTC output file. This issue has been patched in the mentioned versions.
An incorrect buffer size calculation in the epoch key generator in OpenVPN ovpn-dco-win versions 2.0.0 through 2.8.3 allows a remote authenticated peer to trigger a heap-based buffer overflow and kernel memory corruption via a crafted data packet, resulting in a system crash (denial of service).
A command injection vulnerability in PAN-OS® allows an authenticated administrator to bypass system restrictions and execute arbitrary commands as a root user. Exploiting this issue requires access to the PAN-OS CLI or Web UI.

