CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
In Flowise, prior to version 3.1.2, a mass assignment vulnerability exists in the tool update endpoint. This allows authenticated users to modify server-controlled properties, leading to a breach of tenant isolation in multi-workspace environments.
A cross-site scripting vulnerability exists in mod_proxy_ftp's HTML directory list generation in Apache HTTP Server 2.4.67 and earlier when listing FTP directory contents either via forward or reverse proxy configuration.
A vulnerability was identified in designcomputer mysql-mcp-server up to version 0.2.2 in the read_resource function of the src/mysql_mcp_server/server.py file, leading to SQL injection. Remote exploitation is possible, and the exploit has been publicly disclosed.
In the Linux kernel, a vulnerability in the DRM vkms driver was fixed by replacing the custom vblank timer with the DRM implementation. The flaw could cause incorrect vertical synchronization behavior.
OfflineIMAP before 8.0.3 trusts the server with their STARTTLS capability prior to authentication, allowing STRIPTLS and man-in-the-middle attacks, taking over the connection and extracting account credentials in cleartext.
The Origin Validation Error vulnerability in the gun_http2 module allows cross-origin cookie injection via unvalidated HTTP/2 PUSH_PROMISE headers. The :authority pseudo-header is stored verbatim without validation, violating protocol standards.
QloApps through version 1.7.0 contains a stored cross-site scripting vulnerability in the admin file manager that allows authenticated administrators to inject malicious JavaScript by uploading crafted SVG files.
A vulnerability has been detected in the Mohammed-eid35 bank management system affecting an unknown part of the TransactionController.java file. This manipulation leads to improper authorization, allowing for remote attacks.
A security flaw has been discovered in SourceCodester Inventory System 1.0. The issue affects an unknown functionality of the file /Product_Inventory/api/users_handler.php, where manipulation of the argument ROLE results in improper authorization.
A vulnerability was identified in SourceCodester Inventory System 1.0. The issue affects an unknown function of the file /users.php of the User Management Page component, where manipulation of the argument fullname/username leads to cross-site scripting.
A vulnerability was found in UTT HiPER 2610G up to version 3.0.0-171107, affecting the strcpy function in the file /goform/formNatStaticMap. Manipulating the argument NatBinds results in a buffer overflow.
In Checkmk versions <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions, there is a stored XSS vulnerability in the active check output of service discovery. Administrators can inject malicious HTML or JavaScript that executes in the browsers of admins or users with host read permissions.
In Checkmk versions <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions, there is improper neutralization of HTML-encoded characters in the URL validation function. This allows an authenticated user to bypass URL validation and inject malicious URLs such as javascript: URIs, leading to cross-site scripting when another user interacts with the crafted link.
In Checkmk versions <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions, there is a stored XSS vulnerability in the global settings change log. Administrators can store malicious HTML or JavaScript that executes in other users' browsers when they view the Activate Changes page or Audit log.
Incorrect authorization in the User Messages dashboard widget in Checkmk <2.5.0p5 allows the message-fetching endpoints to return the dashboard creator's messages instead of the viewer's. An attacker who knows a valid public dashboard share token can read the issuer's personal messages by sending requests to the underlying endpoint.
Stored cross-site scripting in the URL dashboard widget in Checkmk versions <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows a user with dashboard editing permissions to store a URL with a dangerous URI scheme such as javascript: that executes scripts in other users' browsers when they view the dashboard.
A vulnerability has been found in the Barangay Resident Profiling and Information Management System, affecting an unknown function in the password_reset.php file. Manipulating the new_password argument with the input 'password123' leads to the use of a hard-coded password.
A flaw has been found in itsourcecode Hospital Management System 1.0 that allows SQL injection through manipulation of the admissiontme argument in the /addpatient.php file. The attack can be initiated remotely.
A vulnerability was detected in itsourcecode Hospital Management System 1.0, affecting an unknown function of the file /adminaccount.php. Manipulation of the argument Date results in SQL injection.
A vulnerability has been detected in itsourcecode Hospital Management System version 1.0, affecting unknown processing of the file /billing.php. Manipulation of the argument patientid leads to cross site scripting.

