CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
The WordPress Plugin admin-word-count-column version 2.2 contains a local file read vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting null byte injection in the path parameter.
The WordPress Plugin WP24 Domain Check version 1.6.2 contains a stored XSS vulnerability that allows authenticated attackers to inject malicious scripts via the fieldnameDomain parameter. Attackers can inject JavaScript payloads through the plugin settings form at options.php that execute in the browsers of administrators viewing the settings page.
The WordPress Plugin Stripe Payments version 2.0.39 contains a stored XSS vulnerability that allows authenticated attackers to inject malicious scripts through the AcceptStripePayments-settings[currency_code] parameter. Attackers can submit POST requests to /wp-admin/options.php with script payloads in the currency_code field to execute arbitrary JavaScript in administrator browsers when settings are viewed.
The WordPress Plugin WP-Paginate version 2.1.3 contains a stored cross-site scripting (XSS) vulnerability that allows authenticated attackers to inject malicious scripts by manipulating the preset parameter.
A vulnerability was identified in jflyfox jfinal_cms up to version 5.1.0, affecting the list function in the AdvicefeedbackController.java file. Manipulation of the argument orderBy leads to SQL injection.
A vulnerability has been found in hs-web hsweb-framework up to version 5.0.1, affecting the denied function in the FileUploadProperties.java file. Manipulation of the filename argument leads to path traversal, which can be exploited remotely.
A flaw has been found in jishenghua jshERP up to version 3.6 in the insertPlatformConfig function, which can lead to server-side request forgery (SSRF). Manipulating the platformValue argument allows for remote exploitation.
A security vulnerability has been detected in jishenghua jshERP up to version 3.6, affecting the addAccountHeadAndDetail function in the AccountHeadService.java file. Manipulation of the fileName argument leads to path traversal, which can be executed remotely.
A weakness has been identified in zilliztech deep-searcher up to version 0.0.2, affecting the function CollectionRouter.invoke in the file deepsearcher/agent/collection_router.py. Manipulation of the argument kwargs leads to improper access controls.
A vulnerability has been found in NousResearch hermes-agent up to version 0.12.0, affecting the function resolve_session_by_title in the file hermes_state.py of the resume Endpoint component. Manipulation of the argument Title leads to authorization bypass.
A weakness has been identified in erzhongxmu JeeWMS up to version 141740afb2ba14d441c82a833d0a418d07ca2d69, affecting some unknown processing of the file /base-boot/actuator of the Boot Actuator Endpoint component. Manipulating this file may lead to information disclosure.
A vulnerability CVE-2026-11455 was identified in FoundationAgents MetaGPT up to version 0.8.2 in the function check_cmd_exists of the file metagpt/utils/common.py. Manipulation of the argument mermaid.path leads to command injection.
A vulnerability was found in Tiobon Employee Self-Service System up to version 7.2, affecting an unknown functionality of the file /Blog/BlogSearch.aspx in the Login Endpoint component. Manipulation of the argument Keyword results in SQL injection, which can be exploited remotely.
A vulnerability has been detected in GL.iNet GL-MT3000 version 4.4.5, concerning the rpc_sys function in the /cgi-bin/luci/rpc file of the LuCI JSON-RPC Interface. Manipulation of this function leads to command injection.
A weakness has been identified in GL.iNet GL-MT3000 up to version 4.4.5, affecting the realpath function in the /rpc file of the Minidlna Service component. Manipulation of the kube.set argument leads to command injection.
A security flaw has been discovered in GL.iNet GL-MT3000 up to version 4.4.5 in the iwinfo_backend function of the iwinfo.so file of the MTK Backend component. Manipulation of the device argument results in command injection, which can be executed remotely.
A vulnerability was identified in onedev up to version 15.0.5, affecting the canAccessIssue function in the /issues/ file of the Pull Request Handler component. Manipulation of the issue argument leads to improper authorization.
A vulnerability was determined in theonedev up to version 15.0.5, affecting an unknown part of the file /repositories/{projectId}/default-branch of the REST API component. Manipulation of the argument project.defaultBranch causes improper authorization.
A vulnerability was found in onedev up to version 15.0.5, affecting some unknown functionality of the file /projects/ in the Parent Project Handler component. Manipulation of the argument project.parentId results in improper authorization.
A vulnerability has been found in theonedev up to version 15.0.5, affecting an unknown functionality of the file /projects. Manipulation of the argument project.forkedFromId leads to improper authorization.

