CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
The Recipe Card Blocks Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the recipe block's 'summary' and 'notes' attributes in all versions up to and including 3.4.13. This is due to the 'WPZOOM_Helpers::deserialize_block_attributes' method converting unicode-encoded sequences back into HTML characters after sanitization has already been applied.
A flaw was found in Quay that allows authenticated users with repository write access to upload SVG files containing JavaScript. The file is stored and served through the CDN, enabling stored cross-site scripting.
A security flaw has been discovered in CodeAstro Leave Management System 1.0, affecting an unknown part of the file /admin/add_leave.php. Manipulating the argument type_of_leave results in SQL injection.
A vulnerability was identified in CodeAstro Leave Management System 1.0. The issue affects some unknown functionality of the file /admin/search_staff_for_updation.php, where manipulation of the argument 'Name' leads to SQL injection.
A vulnerability was identified in CodeAstro Leave Management System version 1.0, affecting an unknown functionality of the file /admin/search_staff_to_assign_pc.php. Manipulation of the argument 'Name' leads to SQL injection.
A vulnerability was found in CodeAstro Leave Management System 1.0 affecting an unknown function of the file /admin/delete_leave_type.php. Manipulation of the argument leave_type results in SQL injection.
A vulnerability has been found in CodeAstro Leave Management System 1.0, affecting an unknown function of the file /admin/search_staff_for_deletion.php. Manipulation of the argument 'Name' leads to SQL injection.
A flaw has been found in GL.iNet A1300, AX1800, AXT1800, MT2500, MT3000, MT6000, X3000 and XE3000 4.8.x in an unknown function of the component glnassys. Executing a manipulation can lead to the use of a hard-coded cryptographic key.
A vulnerability was identified in Weaviate up to version 1.37.7, affecting the validateConfig function in the usecases/auth/authentication/apikey/client.go file of the Static API Key Handler component. Manipulation of the StaticApiKey argument leads to authorization bypass.
A vulnerability has been found in D-Link DCS-5615 version 1.01.00, affecting an unknown functionality of the file /etc/conf.d/boa/boa.conf of the Boa Webserver component. Manipulation of this functionality leads to least privilege violation.
A vulnerability was detected in CodeAstro Ingredients Stock Management System 1.0, affecting an unknown function of the file /Ingredients-Stock/add_stock.php. Manipulation of the argument ID results in SQL injection.
A vulnerability has been detected in the TOTOLINK AC1200 T8 device version 4.1.5cu.8611, affecting the file /etc/vsftpd.conf of the vsftpd component. Manipulation of this file leads to least privilege violation.
A weakness has been identified in Tenda AC15 15.03.05.19, related to an unknown function of the file /etc_ro/smb.conf of the Samba component. Manipulating this element can lead to weak password requirements.
A security flaw has been discovered in D-Link DIR-823G 1.0.2B05 in an unknown function of the file /etc/vsftpd.conf of the component vsftpd. Manipulating this element results in least privilege violation.
A flaw has been found in Neovim up to version 0.12.2 in the M.read function of the runtime/lua/vim/secure.lua file, which can lead to command injection. Manipulating the path argument allows for an attack on the local host.
A vulnerability was found in Chengdu Everbrite Network Technology BeikeShop up to version 1.6.0.22, allowing remote SQL injection attacks by manipulating the settings.value argument in the beike/Admin/Routes/admin.php file.
A vulnerability has been found in version 0.35.0 of the Qdrant Backend component in the yoanbernabeu grepai library. The issue affects some unknown processing of the file indexer/chunker.go, leading to the use of a weak hash.
A vulnerability was detected in hs-web hsweb-framework up to version 5.0.1, affecting the OAuth2Client function. The manipulation results in open redirect, which can be exploited remotely.
A vulnerability has been detected in the Kushan2k student management system affecting the edit-admin function in the controllers/AdminController.php file. Manipulation of the isadmin argument leads to improper authorization, allowing for remote exploitation.
A weakness has been identified in the Kushan2k student-management-system affecting the getStatus function in the controllers/GradeController.php file. Manipulating the nic argument can lead to SQL injection, posing a risk for remote attacks.

