CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-10024
Medium

The TinyMCE shortcode Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via 'btnrel' Shortcode Attribute in all versions up to and including 1.0.0 due to insufficient input sanitization and output escaping.

CVE-2026-5714
Medium

The Enable Media Replace plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'location_dir' parameter in all versions up to and including 4.1.8 due to insufficient input sanitization and output escaping. This allows authenticated attackers with Author-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2026-11621
Medium

A weakness has been identified in Dcat-Admin up to version 2.2.3-beta, affecting the function editorMDUpload in the file /admin/dcat-api/editor-md/upload on the User Setting Page. Manipulation of the argument editormd-image-file allows unrestricted file uploads.

CVE-2026-11620
Medium

A security flaw has been discovered in TOTOLINK EX200 version 4.0.3c.7646 in the file /etc/vsftpd.conf of the vsftpd component. Manipulation of this file results in least privilege violation.

CVE-2026-11619
Medium

A vulnerability was identified in Dolibarr ERP CRM up to version 23.0.2, affecting an unknown function in the file htdocs/core/filemanagerdol/connectors/php/config.inc.php of the Legacy Filemanager component. The manipulation leads to improper authorization, allowing for remote attack initiation.

CVE-2026-10862
Medium

The Accordions plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the Accordion body field in all versions up to and including 2.3.23 due to insufficient input sanitization and output escaping.

CVE-2026-44757
Medium

SAP Wily Introscope Enterprise Manager allows an unauthenticated attacker to craft a specially crafted URL. Under certain conditions, when accessed by a victim, the injected script could execute in the user’s browser within the context of the application.

CVE-2026-44755
Medium

The SAP Business Objects Business Intelligence Platform does not sufficiently validate email sending parameters supplied by authenticated users, resulting in an email spoofing vulnerability.

CVE-2026-44754
Medium

The Remote Function Call (RFC) modules of the Operational Data Provisioning Data Replication API (ODP-RFC) are missing caller identification of permitted SAP-internal applications, which could lead to unintended disclosure of data.

CVE-2026-44750
Medium

SAP MDG (Review Match Groups Application) does not perform the necessary authorization checks for authenticated users. This could allow a low-privileged user to perform actions that would otherwise be restricted, resulting in escalation of privileges.

CVE-2026-44746
Medium

There is a reflected XSS vulnerability in SAP NetWeaver JAVA (JDBC Test Servlet) that allows an unauthenticated attacker to craft a malicious link. Clicking this link by a victim may lead to the execution of malicious script in the victim's browser.

CVE-2026-44744
Medium

SAP S/4HANA (On-Premise) contains an SQL injection vulnerability in a remote-enabled function module component that could be exploited by an authenticated attacker to potentially execute unauthorized database queries. This flaw exposes sensitive information to which they should not otherwise have access.

CVE-2026-24315
Medium

SAP Fiori Launchpad allows attackers to craft malicious URLs that triggers arbitrary service calls on the Fiori domain. When opened by the user, this could compromise accounts by stealing user credentials.

CVE-2026-11701
Medium

Inappropriate implementation in Guest View in Google Chrome prior to version 149.0.7827.103 allowed a remote attacker to perform UI spoofing via a crafted HTML page.

CVE-2026-11696
Medium

In Google Chrome on Windows prior to version 149.0.7827.103, an uninitialized use in the video module allowed a remote attacker who compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page.

CVE-2026-11695
Medium

Inappropriate implementation in Passwords in Google Chrome prior to version 149.0.7827.103 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

CVE-2026-11685
Medium

Inappropriate implementation in MediaCapture in Google Chrome on Mac prior to version 149.0.7827.103 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

CVE-2026-11678
Medium

Integer overflow in libyuv in Google Chrome prior to version 149.0.7827.103 allowed a remote attacker who compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page.

CVE-2026-11669
Medium

An out of bounds read in Google Chrome on ChromeOS prior to version 149.0.7827.103 allowed a remote attacker who compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page.

CVE-2026-11668
Medium

In Google Chrome on Linux and ChromeOS prior to version 149.0.7827.103, there is an uninitialized use issue in codecs that allows a remote attacker to leak cross-origin data via a crafted video file.

PreviousPage 151 of 553Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS