CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-3011
Medium

The Recipe Card Blocks Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the recipe block's 'summary' and 'notes' attributes in all versions up to and including 3.4.13. This is due to the 'WPZOOM_Helpers::deserialize_block_attributes' method converting unicode-encoded sequences back into HTML characters after sanitization has already been applied.

CVE-2026-11569
Medium

A flaw was found in Quay that allows authenticated users with repository write access to upload SVG files containing JavaScript. The file is stored and served through the CDN, enabling stored cross-site scripting.

CVE-2026-11510
Medium

A security flaw has been discovered in CodeAstro Leave Management System 1.0, affecting an unknown part of the file /admin/add_leave.php. Manipulating the argument type_of_leave results in SQL injection.

CVE-2026-11509
Medium

A vulnerability was identified in CodeAstro Leave Management System 1.0. The issue affects some unknown functionality of the file /admin/search_staff_for_updation.php, where manipulation of the argument 'Name' leads to SQL injection.

CVE-2026-11508
Medium

A vulnerability was identified in CodeAstro Leave Management System version 1.0, affecting an unknown functionality of the file /admin/search_staff_to_assign_pc.php. Manipulation of the argument 'Name' leads to SQL injection.

CVE-2026-11507
Medium

A vulnerability was found in CodeAstro Leave Management System 1.0 affecting an unknown function of the file /admin/delete_leave_type.php. Manipulation of the argument leave_type results in SQL injection.

CVE-2026-11506
Medium

A vulnerability has been found in CodeAstro Leave Management System 1.0, affecting an unknown function of the file /admin/search_staff_for_deletion.php. Manipulation of the argument 'Name' leads to SQL injection.

CVE-2026-11505
Medium

A flaw has been found in GL.iNet A1300, AX1800, AXT1800, MT2500, MT3000, MT6000, X3000 and XE3000 4.8.x in an unknown function of the component glnassys. Executing a manipulation can lead to the use of a hard-coded cryptographic key.

CVE-2026-11500
Medium

A vulnerability was identified in Weaviate up to version 1.37.7, affecting the validateConfig function in the usecases/auth/authentication/apikey/client.go file of the Static API Key Handler component. Manipulation of the StaticApiKey argument leads to authorization bypass.

CVE-2026-11497
Medium

A vulnerability has been found in D-Link DCS-5615 version 1.01.00, affecting an unknown functionality of the file /etc/conf.d/boa/boa.conf of the Boa Webserver component. Manipulation of this functionality leads to least privilege violation.

CVE-2026-11495
Medium

A vulnerability was detected in CodeAstro Ingredients Stock Management System 1.0, affecting an unknown function of the file /Ingredients-Stock/add_stock.php. Manipulation of the argument ID results in SQL injection.

CVE-2026-11494
Medium

A vulnerability has been detected in the TOTOLINK AC1200 T8 device version 4.1.5cu.8611, affecting the file /etc/vsftpd.conf of the vsftpd component. Manipulation of this file leads to least privilege violation.

CVE-2026-11493
Medium

A weakness has been identified in Tenda AC15 15.03.05.19, related to an unknown function of the file /etc_ro/smb.conf of the Samba component. Manipulating this element can lead to weak password requirements.

CVE-2026-11492
Medium

A security flaw has been discovered in D-Link DIR-823G 1.0.2B05 in an unknown function of the file /etc/vsftpd.conf of the component vsftpd. Manipulating this element results in least privilege violation.

CVE-2026-11487
Medium

A flaw has been found in Neovim up to version 0.12.2 in the M.read function of the runtime/lua/vim/secure.lua file, which can lead to command injection. Manipulating the path argument allows for an attack on the local host.

CVE-2026-11480
Medium

A vulnerability was found in Chengdu Everbrite Network Technology BeikeShop up to version 1.6.0.22, allowing remote SQL injection attacks by manipulating the settings.value argument in the beike/Admin/Routes/admin.php file.

CVE-2026-11479
Medium

A vulnerability has been found in version 0.35.0 of the Qdrant Backend component in the yoanbernabeu grepai library. The issue affects some unknown processing of the file indexer/chunker.go, leading to the use of a weak hash.

CVE-2026-11477
Medium

A vulnerability was detected in hs-web hsweb-framework up to version 5.0.1, affecting the OAuth2Client function. The manipulation results in open redirect, which can be exploited remotely.

CVE-2026-11476
Medium

A vulnerability has been detected in the Kushan2k student management system affecting the edit-admin function in the controllers/AdminController.php file. Manipulation of the isadmin argument leads to improper authorization, allowing for remote exploitation.

CVE-2026-11475
Medium

A weakness has been identified in the Kushan2k student-management-system affecting the getStatus function in the controllers/GradeController.php file. Manipulating the nic argument can lead to SQL injection, posing a risk for remote attacks.

PreviousPage 162 of 560Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS