CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
Dell PowerProtect Data Domain in multiple versions contains an OS command injection vulnerability. A high-privileged attacker with local access could exploit this flaw to execute arbitrary commands.
Missing authorization in TUBITAK BILGEM's pardus-software allows argument injection. The vulnerability affects versions 1.0.4 and earlier, before version 1.0.5.
An argument injection vulnerability in TUBITAK BILGEM Software Technologies Research Institute's pardus-software allows attackers to inject additional arguments into commands due to improper neutralization of argument delimiters. The issue affects versions up to 1.0.4 and is fixed in version 1.0.5.
A vulnerability in Dell PowerProtect Data Domain allows the use of an externally controlled format string. A highly privileged attacker with remote access could exploit this flaw to cause information disclosure and denial of service.
Dell PowerProtect Data Domain in multiple versions contains an improper link resolution before file access vulnerability. It allows a high privileged attacker with remote access to disclose sensitive information.
Dell PowerProtect Data Domain in multiple versions contains an integer overflow or wraparound vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to denial of service.
A vulnerability in Prospero Flow CRM before version 5.5.3 allows an authenticated attacker to delete arbitrary calendar events of other users by manipulating the {id} parameter in a GET request to /calendar/event/delete/{id}. The lack of ownership check (user_id/company_id) before deletion enables unauthorized data destruction.
A vulnerability in the Net::IP::LPM library for Perl up to version 1.10 allows a heap out-of-bounds read via an unbounded prefix length. The add() function passes the prefix string to the trie builder without checking it against the address width, causing reads beyond the packed address buffer.
Dell PowerProtect Data Domain in multiple versions contains an OS command injection vulnerability. A high-privileged attacker with local access could exploit this flaw to execute arbitrary commands.
Dell PowerProtect Data Domain in multiple versions contains an OS command injection vulnerability. A high-privileged attacker with remote access could exploit this flaw to execute arbitrary commands.
This CVE has been rejected by Red Hat Product Security as not required. The reported issue has been classified as a regular bug and will be addressed through the standard bug-fixing process.
A vulnerability in the Kong Konnect Model Context Protocol (MCP) server prior to version 1.0.0 allows a remote attacker to perform an indirect prompt injection attack and execute unintended API requests.
In Eclipse Theia since version 1.26.0, the backend /services/request-service RPC endpoint accepts an attacker-controlled URL from any client connected to the standard /services messaging endpoint, performs the HTTP request server-side, and returns the full response body to the caller. Because the destination URL is neither validated nor allowlisted, a remote attacker with access to the Theia service connection can issue server-side HTTP requests to localhost or other backend-reachable hosts and read their responses, exposing internal administrative endpoints, cloud instance metadata services, and other resources that are intentionally outside the browser network boundary.
In affected versions of Eclipse Theia (1.8.1 and later), the browser backend exposes privileged terminal RPC over WebSocket without service-level authentication. WebSocket origin validation in @theia/core is fail-open: connections are accepted when the Origin header is missing or when no THEIA_HOSTS allowlist is configured (the default). The Socket.IO integration additionally replaces the real Origin header with a client-supplied fix-origin header that an attacker can control or omit.
The RTMKit (rometheme-for-elementor) plugin for WordPress up to version 2.0.7 inclusive is vulnerable to Local File Inclusion. This is due to insufficient path validation on the 'template' parameter in the render_templates AJAX endpoint, which is used directly in a require/include statement without sanitization.
A SQL injection vulnerability was found in Destekz by Raera - Ankara Web Design and Digital Advertising Agency, due to improper neutralization of special elements in SQL commands. The issue affects versions up to 02062026, and the vendor confirmed the product is no longer supported.
The GenerateBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Headline Block 'linkMetaFieldType' Dynamic Link Attribute in all versions up to and including 2.2.1 due to insufficient input sanitization and output escaping.
A Path Traversal vulnerability in the Lucene.Net.Replicator library of Apache Lucene.Net allows an attacker to access files outside the restricted directory. The issue affects versions from 4.8.0-beta00005 through 4.8.0-beta00017.
The Ad Inserter – Ad Manager & AdSense Ads plugin for WordPress versions up to 2.8.16 is vulnerable to Insecure Direct Object Reference (IDOR). The replace_ai_tags() function processes the {reusable-block-N} tag pattern without verifying user capabilities, allowing authenticated attackers with Contributor-level access or higher to read the full content of arbitrary posts, including Private, Draft, Pending, Trashed, and password-protected posts owned by other users.
The CURCY – Multi Currency for WooCommerce plugin for WordPress up to version 2.2.14 allows unauthenticated attackers to execute arbitrary shortcodes. This vulnerability is due to insufficient validation of a value before passing it to the do_shortcode function.

