CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
The Fluent Forms WordPress plugin before version 6.2.5 does not properly restrict the deletion of form submission entries to the forms a restricted Manager is authorized to manage. This allows a Manager limited to specific forms to permanently delete submission entries belonging to other forms. This requires a non-default configuration where an administrator has created at least one Manager restricted to specific forms.
The Insert Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post custom field keys (meta key names) in all versions up to and including 3.11.4. This is due to insufficient output escaping of the custom field key ($key) in the the_meta() function, while the field value is properly sanitized. Authenticated attackers with author-level access or above can inject arbitrary web scripts that execute when a user views an injected page.
The yootheme WordPress theme before version 5.0.35 does not prevent its bundled front-end framework from treating certain HTML attributes, which are permitted by wp_kses_post(), as markup. This allows users with the Author role to perform Stored Cross-Site Scripting attacks that execute in the browser of any user viewing the affected post.
The GeoWebPlayer (Web Plugin/WS Player) addon for GeoVision software contains a buffer overflow vulnerability in the handler for the `connectionInfo` command. An attacker on localhost can send crafted JSON data that is copied into fixed-size buffers without length checks, causing overflow.
The GeoWebPlayer (Web Plugin/WS Player) addon for GeoVision software (GV-VMS, GV-Cloud) contains a buffer overflow vulnerability in the function handling the `connectionInfo` command. An attacker from localhost can send crafted JSON data that is copied into fixed-size buffers without length checking, causing overflow.
A buffer overflow vulnerability in GeoWebPlayer (Web Plugin) allows an attacker from localhost to execute code by sending a crafted WebSocket request with an overly long 'password' field. The handle_connection_info function copies data into fixed-size buffers without length checks, causing overflow.
The GeoWebPlayer addon (Web Plugin/WS Player) for GeoVision software (GV-VMS, GV-Cloud) contains a buffer overflow vulnerability in the handle_connection_info function. An attacker on localhost can send a crafted websocket request with a username field that copies data into a fixed-size buffer without length checking.
The GeoWebPlayer addon (Web Plugin/WS Player) for GeoVision software (GV-VMS, GV-Cloud) contains a buffer overflow vulnerability in the handle_connection_info function. An attacker from localhost can send a crafted JSON request with a password field that is copied into a fixed-size buffer without length checking, causing overflow.
The GeoWebPlayer addon (Web Plugin/WS Player) for GeoVision software contains a buffer overflow vulnerability in the handle_connection_info function. An attacker from localhost can send a crafted JSON request that overflows a buffer in the username field due to manual byte-by-byte copying without length checks.
A vulnerability in GeoWebPlayer (Web Plugin) allows out-of-bounds array access due to improper index validation in WebSocket commands. An attacker from localhost can exploit this to perform unauthorized operations.
The GeoWebPlayer addon (also known as Web Plugin or WS Player) for GeoVision software (GV-VMS, GV-Cloud) contains an out-of-bounds read vulnerability in the handling of the 'pause' command. This could lead to unexpected behavior or potential security compromise.
A vulnerability in GeoWebPlayer (Web Plugin/WS Player) for GeoVision software (GV-VMS, GV-Cloud) stems from missing validation of the `index` value in commands received from localhost. This allows out-of-bounds array access, potentially leading to uncontrolled behavior.
A vulnerability in GeoWebPlayer (Web Plugin/WS Player) for GeoVision software (GV-VMS, GV-Cloud) stems from missing validation of the 'index' value in the 'disconnect' command of the WebSocket server. This allows out-of-bounds array access, potentially leading to unexpected behavior or control flow hijacking.
The GeoWebPlayer addon (Web Plugin/WS Player) for GeoVision software (GV-VMS, GV-Cloud) contains an out-of-bounds read vulnerability in the `saveVideo` command. The index from the WebSocket message is not validated, allowing access to critical sections and function pointers beyond array bounds, potentially leading to arbitrary code execution.
A vulnerability in GeoWebPlayer (Web Plugin/WS Player) allows out-of-bounds array access via improper validation of the 'index' value in the 'snapshot' command. An attacker from localhost can exploit this to perform unauthorized operations.
The GeoWebPlayer (Web Plugin/WS Player) addon for GeoVision software (GV-VMS, GV-Cloud) contains an out-of-bounds array access vulnerability in the 2wayAudio command. The WebSocket server accepts commands from localhost, and the 'index' value is not validated, allowing access to memory beyond the intended range.
GeoWebPlayer (also known as Web Plugin or WS Player) is an addon for GeoVision software (GV-VMS, GV-Cloud) that creates a WebSocket server. Many commands accept an `index` parameter that is not validated for range, allowing out-of-bounds array access.
A vulnerability in GeoWebPlayer (Web Plugin) allows out-of-bounds array access via the setPIP command, where the 'index' value is not validated for proper range. This can lead to uncontrolled memory read or write.
A vulnerability in GeoWebPlayer (Web Plugin) allows out-of-bounds array access via the setStream command. Missing index validation lets an attacker from localhost perform operations on unintended memory areas.
A vulnerability in GeoWebPlayer (Web Plugin) allows out-of-bounds array access via an uncontrolled 'index' parameter in the connectInfo command. Lack of index range validation enables an attacker from localhost to trigger unintended actions.

