CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-42862
Medium

In Flowise, prior to version 3.1.2, a mass assignment vulnerability exists in the tool update endpoint. This allows authenticated users to modify server-controlled properties, leading to a breach of tenant isolation in multi-workspace environments.

CVE-2026-29170
Medium

A cross-site scripting vulnerability exists in mod_proxy_ftp's HTML directory list generation in Apache HTTP Server 2.4.67 and earlier when listing FTP directory contents either via forward or reverse proxy configuration.

CVE-2026-11529
Medium

A vulnerability was identified in designcomputer mysql-mcp-server up to version 0.2.2 in the read_resource function of the src/mysql_mcp_server/server.py file, leading to SQL injection. Remote exploitation is possible, and the exploit has been publicly disclosed.

CVE-2025-71315
Medium

In the Linux kernel, a vulnerability in the DRM vkms driver was fixed by replacing the custom vblank timer with the DRM implementation. The flaw could cause incorrect vertical synchronization behavior.

CVE-2020-37248
Medium

OfflineIMAP before 8.0.3 trusts the server with their STARTTLS capability prior to authentication, allowing STRIPTLS and man-in-the-middle attacks, taking over the connection and extracting account credentials in cleartext.

CVE-2026-43972
Medium

The Origin Validation Error vulnerability in the gun_http2 module allows cross-origin cookie injection via unvalidated HTTP/2 PUSH_PROMISE headers. The :authority pseudo-header is stored verbatim without validation, violating protocol standards.

CVE-2026-25558
Medium

QloApps through version 1.7.0 contains a stored cross-site scripting vulnerability in the admin file manager that allows authenticated administrators to inject malicious JavaScript by uploading crafted SVG files.

CVE-2026-11521
Medium

A vulnerability has been detected in the Mohammed-eid35 bank management system affecting an unknown part of the TransactionController.java file. This manipulation leads to improper authorization, allowing for remote attacks.

CVE-2026-11519
Medium

A security flaw has been discovered in SourceCodester Inventory System 1.0. The issue affects an unknown functionality of the file /Product_Inventory/api/users_handler.php, where manipulation of the argument ROLE results in improper authorization.

CVE-2026-11518
Medium

A vulnerability was identified in SourceCodester Inventory System 1.0. The issue affects an unknown function of the file /users.php of the User Management Page component, where manipulation of the argument fullname/username leads to cross-site scripting.

CVE-2026-11516
Medium

A vulnerability was found in UTT HiPER 2610G up to version 3.0.0-171107, affecting the strcpy function in the file /goform/formNatStaticMap. Manipulating the argument NatBinds results in a buffer overflow.

CVE-2026-9549
Medium

In Checkmk versions <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions, there is a stored XSS vulnerability in the active check output of service discovery. Administrators can inject malicious HTML or JavaScript that executes in the browsers of admins or users with host read permissions.

CVE-2026-8833
Medium

In Checkmk versions <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions, there is improper neutralization of HTML-encoded characters in the URL validation function. This allows an authenticated user to bypass URL validation and inject malicious URLs such as javascript: URIs, leading to cross-site scripting when another user interacts with the crafted link.

CVE-2026-8078
Medium

In Checkmk versions <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions, there is a stored XSS vulnerability in the global settings change log. Administrators can store malicious HTML or JavaScript that executes in other users' browsers when they view the Activate Changes page or Audit log.

CVE-2026-7765
Medium

Incorrect authorization in the User Messages dashboard widget in Checkmk <2.5.0p5 allows the message-fetching endpoints to return the dashboard creator's messages instead of the viewer's. An attacker who knows a valid public dashboard share token can read the issuer's personal messages by sending requests to the underlying endpoint.

CVE-2026-7186
Medium

Stored cross-site scripting in the URL dashboard widget in Checkmk versions <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows a user with dashboard editing permissions to store a URL with a dangerous URI scheme such as javascript: that executes scripts in other users' browsers when they view the dashboard.

CVE-2026-11515
Medium

A vulnerability has been found in the Barangay Resident Profiling and Information Management System, affecting an unknown function in the password_reset.php file. Manipulating the new_password argument with the input 'password123' leads to the use of a hard-coded password.

CVE-2026-11514
Medium

A flaw has been found in itsourcecode Hospital Management System 1.0 that allows SQL injection through manipulation of the admissiontme argument in the /addpatient.php file. The attack can be initiated remotely.

CVE-2026-11513
Medium

A vulnerability was detected in itsourcecode Hospital Management System 1.0, affecting an unknown function of the file /adminaccount.php. Manipulation of the argument Date results in SQL injection.

CVE-2026-11512
Medium

A vulnerability has been detected in itsourcecode Hospital Management System version 1.0, affecting unknown processing of the file /billing.php. Manipulation of the argument patientid leads to cross site scripting.

PreviousPage 161 of 560Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS