CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
A vulnerability in UniFi OS allows unauthorized changes to devices by an attacker with network access under certain network configurations. The flaw is due to improper access control.
An SSRF vulnerability in UniFi Protect Application allows an attacker with network access and low privileges to escalate privileges on the host device.
A vulnerability in UniFi OS allows an attacker with network access and low privileges to perform command injection on the host device due to improper input validation.
A vulnerability in UniFi Access Application allows privilege escalation on the host device. An attacker with network access and high privileges can exploit improper access control.
A vulnerability in UniFi Access Application allows an attacker with network access and low privileges to perform command injection on the host device due to improper input validation.
An authenticated SQL Injection vulnerability in UniFi Talk Application allows a network-accessible attacker with low privileges to escalate privileges on the host device.
A vulnerability in the UniFi Connect application allows an attacker with network access to perform command injection on the host device due to improper access control.
Missing authentication for a critical function in TR7 Cyber Defense Inc. WAF-ASP allows authentication abuse. The vulnerability affects versions from v1.0.324.900 up to, but not including, v1.4.0.117.
The Divi Form Builder plugin for WordPress up to version 5.1.8 is vulnerable to arbitrary file upload leading to remote code execution. The issue is due to insufficient file extension validation in the do_image_upload() function, where the acceptFileTypes POST parameter is directly interpolated into a regular expression, so the client effectively chooses its own extension allowlist. Attackers can upload files with .phtml, .phar, .php5, or .php7 extensions, bypassing .htaccess protection that only blocks .php files.
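Worked illustration of the bug class in the entry above, added here and not taken from the Divi Form Builder plugin's code: the vulnerable form builds the extension-check regex from a client-supplied acceptFileTypes value, so the uploader picks its own allowlist; the hardened form keeps a fixed server-side allowlist, checks every extension component, and refuses PHP-executable extensions regardless. Function names, the allowlist contents and the sample filenames are hypothetical.

```php
<?php
// Added example (not the plugin's own code). Models the vulnerable pattern
// described in the CVE entry beside a hardened replacement.

// Vulnerable pattern: the client-supplied value becomes part of the regex,
// so the request decides which extensions are "accepted".
function vulnerable_extension_check(string $filename, string $acceptFileTypes): bool
{
    // A normal client might send '(gif|jpe?g|png)'; an attacker sends
    // '(phtml|phar|php5|php7)' and the check passes for a web shell.
    $pattern = '/\.' . $acceptFileTypes . '$/i';
    return preg_match($pattern, $filename) === 1;
}

// Hardened pattern: the allowlist lives on the server only. Every extension
// component is checked (so "shell.php.png" fails, not just "shell.php"), and
// a denylist of PHP-executable extensions is applied regardless of the
// allowlist, since an .htaccess rule that only blocks ".php" is not a defence.
const ALLOWED_EXTENSIONS    = ['gif', 'jpg', 'jpeg', 'png', 'pdf'];   // hypothetical
const EXECUTABLE_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'php8',
                               'phtml', 'phar', 'phps', 'pht'];

function hardened_extension_check(string $filename): bool
{
    $parts = explode('.', basename($filename));
    if (count($parts) < 2) {
        return false;                    // no extension at all
    }
    array_shift($parts);                 // drop the base name, keep every extension
    foreach ($parts as $ext) {
        $ext = strtolower($ext);
        if ($ext === ''
            || in_array($ext, EXECUTABLE_EXTENSIONS, true)
            || !in_array($ext, ALLOWED_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

// Constructed inputs: filename and the acceptFileTypes value the client sent.
$cases = [
    ['shell.phtml',   '(phtml|phar|php5|php7)'],  // attacker-chosen allowlist
    ['shell.php5',    '(gif|jpe?g|png)'],         // honest allowlist, bad file
    ['shell.php.png', '(gif|jpe?g|png)'],         // double extension
    ['photo.jpg',     '(gif|jpe?g|png)'],         // legitimate upload
];

foreach ($cases as [$name, $accept]) {
    printf("%-14s vulnerable=%-5s hardened=%s\n",
        $name,
        vulnerable_extension_check($name, $accept) ? 'ALLOW' : 'deny',
        hardened_extension_check($name) ? 'ALLOW' : 'deny');
}
```

In a real WordPress plugin the upload should go through wp_handle_upload() or be checked with wp_check_filetype_and_ext(), which validate against the site's registered MIME map rather than a request parameter; the point of the example is that the allowlist must never be derived from client input, and that blocking only ".php" in .htaccess leaves every other extension the PHP handler is mapped to exposed.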
The WP Fast Total Search plugin version 1.80.280 and earlier contains an unauthenticated SQL injection vulnerability. An attacker without authentication can inject crafted SQL into the plugin's database queries.
GeekyBot versions up to 1.2.5 are vulnerable to unauthenticated SQL injection. An attacker can remotely execute arbitrary SQL queries without authentication.
The Novalnet Payment Gateway for WooCommerce plugin version 12.10.3 and earlier is vulnerable to unauthenticated PHP Object Injection (unsafe deserialization). An attacker can remotely send a crafted request, leading to arbitrary PHP code execution on the server.
The Admin and Site Enhancements (ASE) Pro plugin version 8.8.5 and earlier contains an unauthenticated Cross Site Scripting (XSS) vulnerability. An attacker can inject malicious script without requiring authentication.
The Blocksy Companion Pro plugin version 2.1.46 and earlier contains a critical vulnerability allowing unauthenticated remote code execution (RCE). The vulnerability stems from missing authentication in one of the API endpoints.
The W3 Total Cache plugin versions up to 2.9.4 contain a critical vulnerability allowing unauthenticated remote arbitrary code execution. The flaw stems from insufficient input validation in the caching mechanism.
The Booktics plugin version 1.0.21 and earlier contains an unauthenticated PHP Object Injection vulnerability. An attacker can remotely inject a malicious PHP object without authentication.
The Five Star Business Profile and Schema WordPress plugin version 2.3.19 and earlier allows an authenticated user with the Editor role to execute arbitrary code. An attacker can exploit this flaw to gain full control over the website.
The Zegen plugin in versions 1.1.9 and earlier allows an authenticated user with the Subscriber role to upload arbitrary files to the server. This can be exploited to upload malicious files without proper authorization.
A path traversal vulnerability in the Git Service component of Altium Enterprise Server and Altium 365 allows an authenticated user with basic git access to move arbitrary files outside the intended repository area. This can lead to remote code execution under the Git Service account by placing attacker-controlled scripts into directories executed by the service.
A use-after-free vulnerability in the ANGLE component of Google Chrome prior to 150.0.7871.46 allows a remote attacker to potentially perform a sandbox escape via a crafted HTML page.

