CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2022-50953
Medium

The WordPress Plugin admin-word-count-column version 2.2 contains a local file read vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting null byte injection in the path parameter.

CVE-2021-47984
Medium

The WordPress Plugin WP24 Domain Check version 1.6.2 contains a stored XSS vulnerability that allows authenticated attackers to inject malicious scripts via the fieldnameDomain parameter. Attackers can inject JavaScript payloads through the plugin settings form at options.php that execute in the browsers of administrators viewing the settings page.

CVE-2021-47983
Medium

The WordPress Plugin Stripe Payments version 2.0.39 contains a stored XSS vulnerability that allows authenticated attackers to inject malicious scripts through the AcceptStripePayments-settings[currency_code] parameter. Attackers can submit POST requests to /wp-admin/options.php with script payloads in the currency_code field to execute arbitrary JavaScript in administrator browsers when settings are viewed.

CVE-2021-47982
Medium

The WordPress Plugin WP-Paginate version 2.1.3 contains a stored cross-site scripting (XSS) vulnerability that allows authenticated attackers to inject malicious scripts by manipulating the preset parameter.

CVE-2026-11473
Medium

A vulnerability was identified in jflyfox jfinal_cms up to version 5.1.0, affecting the list function in the AdvicefeedbackController.java file. Manipulation of the argument orderBy leads to SQL injection.

CVE-2026-11470
Medium

A vulnerability has been found in hs-web hsweb-framework up to version 5.0.1, affecting the denied function in the FileUploadProperties.java file. Manipulation of the filename argument leads to path traversal, which can be exploited remotely.

CVE-2026-11469
Medium

A flaw has been found in jishenghua jshERP up to version 3.6 in the insertPlatformConfig function, which can lead to server-side request forgery (SSRF). Manipulating the platformValue argument allows for remote exploitation.

CVE-2026-11467
Medium

A security vulnerability has been detected in jishenghua jshERP up to version 3.6, affecting the addAccountHeadAndDetail function in the AccountHeadService.java file. Manipulation of the fileName argument leads to path traversal, which can be executed remotely.

CVE-2026-11466
Medium

A weakness has been identified in zilliztech deep-searcher up to version 0.0.2, affecting the function CollectionRouter.invoke in the file deepsearcher/agent/collection_router.py. Manipulation of the argument kwargs leads to improper access controls.

CVE-2026-11461
Medium

A vulnerability has been found in NousResearch hermes-agent up to version 0.12.0, affecting the function resolve_session_by_title in the file hermes_state.py of the resume Endpoint component. Manipulation of the argument Title leads to authorization bypass.

CVE-2026-11458
Medium

A weakness has been identified in erzhongxmu JeeWMS up to version 141740afb2ba14d441c82a833d0a418d07ca2d69, affecting some unknown processing of the file /base-boot/actuator of the Boot Actuator Endpoint component. Manipulating this file may lead to information disclosure.

CVE-2026-11455
Medium

A vulnerability CVE-2026-11455 was identified in FoundationAgents MetaGPT up to version 0.8.2 in the function check_cmd_exists of the file metagpt/utils/common.py. Manipulation of the argument mermaid.path leads to command injection.

CVE-2026-11453
Medium

A vulnerability was found in Tiobon Employee Self-Service System up to version 7.2, affecting an unknown functionality of the file /Blog/BlogSearch.aspx in the Login Endpoint component. Manipulation of the argument Keyword results in SQL injection, which can be exploited remotely.

CVE-2026-11449
MediumEPSS 73%

A vulnerability has been detected in GL.iNet GL-MT3000 version 4.4.5, concerning the rpc_sys function in the /cgi-bin/luci/rpc file of the LuCI JSON-RPC Interface. Manipulation of this function leads to command injection.

CVE-2026-11448
Medium

A weakness has been identified in GL.iNet GL-MT3000 up to version 4.4.5, affecting the realpath function in the /rpc file of the Minidlna Service component. Manipulation of the kube.set argument leads to command injection.

CVE-2026-11447
Medium

A security flaw has been discovered in GL.iNet GL-MT3000 up to version 4.4.5 in the iwinfo_backend function of the iwinfo.so file of the MTK Backend component. Manipulation of the device argument results in command injection, which can be executed remotely.

CVE-2026-11441
Medium

A vulnerability was identified in onedev up to version 15.0.5, affecting the canAccessIssue function in the /issues/ file of the Pull Request Handler component. Manipulation of the issue argument leads to improper authorization.

CVE-2026-11440
Medium

A vulnerability was determined in theonedev up to version 15.0.5, affecting an unknown part of the file /repositories/{projectId}/default-branch of the REST API component. Manipulation of the argument project.defaultBranch causes improper authorization.

CVE-2026-11439
Medium

A vulnerability was found in onedev up to version 15.0.5, affecting some unknown functionality of the file /projects/ in the Parent Project Handler component. Manipulation of the argument project.parentId results in improper authorization.

CVE-2026-11438
Medium

A vulnerability has been found in theonedev up to version 15.0.5, affecting an unknown functionality of the file /projects. Manipulation of the argument project.forkedFromId leads to improper authorization.

PreviousPage 163 of 560Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS