CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-49813
Medium

Dell PowerProtect Data Domain in multiple versions contains an OS command injection vulnerability. A high-privileged attacker with local access could exploit this flaw to execute arbitrary commands.

CVE-2026-14460
High

Missing authorization in TUBITAK BILGEM's pardus-software allows argument injection. The vulnerability affects versions 1.0.4 and earlier, before version 1.0.5.

CVE-2026-14459
High

An argument injection vulnerability in TUBITAK BILGEM Software Technologies Research Institute's pardus-software allows attackers to inject additional arguments into commands due to improper neutralization of argument delimiters. The issue affects versions up to 1.0.4 and is fixed in version 1.0.5.

CVE-2026-46465
Medium

A vulnerability in Dell PowerProtect Data Domain allows the use of an externally controlled format string. A highly privileged attacker with remote access could exploit this flaw to cause information disclosure and denial of service.

CVE-2026-46464
Medium

Dell PowerProtect Data Domain in multiple versions contains an improper link resolution before file access vulnerability. It allows a high privileged attacker with remote access to disclose sensitive information.

CVE-2026-46463
Medium

Dell PowerProtect Data Domain in multiple versions contains an integer overflow or wraparound vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to denial of service.

CVE-2026-59234
Medium

A vulnerability in Prospero Flow CRM before version 5.5.3 allows an authenticated attacker to delete arbitrary calendar events of other users by manipulating the {id} parameter in a GET request to /calendar/event/delete/{id}. The lack of ownership check (user_id/company_id) before deletion enables unauthorized data destruction.

CVE-2026-56015
Critical

A vulnerability in the Net::IP::LPM library for Perl up to version 1.10 allows a heap out-of-bounds read via an unbounded prefix length. The add() function passes the prefix string to the trie builder without checking it against the address width, causing reads beyond the packed address buffer.

CVE-2026-54483
Medium

Dell PowerProtect Data Domain in multiple versions contains an OS command injection vulnerability. A high-privileged attacker with local access could exploit this flaw to execute arbitrary commands.

CVE-2026-26355
MediumEPSS 60%

Dell PowerProtect Data Domain in multiple versions contains an OS command injection vulnerability. A high-privileged attacker with remote access could exploit this flaw to execute arbitrary commands.

CVE-2026-50238
Unknown

This CVE has been rejected by Red Hat Product Security as not required. The reported issue has been classified as a regular bug and will be addressed through the standard bug-fixing process.

CVE-2026-13341
High

A vulnerability in the Kong Konnect Model Context Protocol (MCP) server prior to version 1.0.0 allows a remote attacker to perform an indirect prompt injection attack and execute unintended API requests.

CVE-2026-10055
High

In Eclipse Theia since version 1.26.0, the backend /services/request-service RPC endpoint accepts an attacker-controlled URL from any client connected to the standard /services messaging endpoint, performs the HTTP request server-side, and returns the full response body to the caller. Because the destination URL is neither validated nor allowlisted, a remote attacker with access to the Theia service connection can issue server-side HTTP requests to localhost or other backend-reachable hosts and read their responses, exposing internal administrative endpoints, cloud instance metadata services, and other resources that are intentionally outside the browser network boundary.

CVE-2026-10054
High

In affected versions of Eclipse Theia (1.8.1 and later), the browser backend exposes privileged terminal RPC over WebSocket without service-level authentication. WebSocket origin validation in @theia/core is fail-open: connections are accepted when the Origin header is missing or when no THEIA_HOSTS allowlist is configured (the default). The Socket.IO integration additionally replaces the real Origin header with a client-supplied fix-origin header that an attacker can control or omit.

CVE-2026-5137
Medium

The RTMKit (rometheme-for-elementor) plugin for WordPress up to version 2.0.7 inclusive is vulnerable to Local File Inclusion. This is due to insufficient path validation on the 'template' parameter in the render_templates AJAX endpoint, which is used directly in a require/include statement without sanitization.

CVE-2026-4321
Critical

A SQL injection vulnerability was found in Destekz by Raera - Ankara Web Design and Digital Advertising Agency, due to improper neutralization of special elements in SQL commands. The issue affects versions up to 02062026, and the vendor confirmed the product is no longer supported.

CVE-2026-9756
Medium

The GenerateBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Headline Block 'linkMetaFieldType' Dynamic Link Attribute in all versions up to and including 2.2.1 due to insufficient input sanitization and output escaping.

CVE-2026-47896
High

A Path Traversal vulnerability in the Lucene.Net.Replicator library of Apache Lucene.Net allows an attacker to access files outside the restricted directory. The issue affects versions from 4.8.0-beta00005 through 4.8.0-beta00017.

CVE-2026-11900
Medium

The Ad Inserter – Ad Manager & AdSense Ads plugin for WordPress versions up to 2.8.16 is vulnerable to Insecure Direct Object Reference (IDOR). The replace_ai_tags() function processes the {reusable-block-N} tag pattern without verifying user capabilities, allowing authenticated attackers with Contributor-level access or higher to read the full content of arbitrary posts, including Private, Draft, Pending, Trashed, and password-protected posts owned by other users.

CVE-2026-11778
Medium

The CURCY – Multi Currency for WooCommerce plugin for WordPress up to version 2.2.14 allows unauthenticated attackers to execute arbitrary shortcodes. This vulnerability is due to insufficient validation of a value before passing it to the do_shortcode function.

PreviousPage 18 of 4505Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS