CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.15)

CVE-2025-68052
High

The vulnerability allows an unauthenticated Cross-Site Request Forgery (CSRF) attack in Eagle Booking versions up to 1.3.4.3. An attacker can trick an administrator into performing unintended actions, such as changing settings or adding new users.

CVE-2025-66123
Medium

An Insecure Direct Object References (IDOR) vulnerability in BookPro version 1.1.0 and earlier allows an unauthenticated attacker to access resources they should not have permission to. The issue stems from a lack of authorization checks when directly referencing objects.

CVE-2025-64637
Medium

In Auros Core versions up to and including 5.3.1, there is an unauthenticated content injection vulnerability. An attacker without authentication can modify application content.

CVE-2025-64636
Medium

The Donation Thermometer plugin versions up to 2.2.7 contain an unauthenticated broken access control vulnerability. An attacker without authentication can gain unauthorized access to plugin functions.

CVE-2025-63079
Medium

The Live Copy Paste for Elementor plugin in versions 1.5.3 and below contains a vulnerability due to improper access control for contributors. This allows users with the contributor role to perform unauthorized actions.

CVE-2025-63078
Medium

The Restaurant Menu by MotoPress plugin in versions 2.4.11 and earlier contains a vulnerability related to broken access control by subscribers. Users with the subscriber role can gain unauthorized access to restaurant menu management functions.

CVE-2025-63041
Medium

The Forget About Shortcode Buttons plugin in versions 2.1.3 and below contains a vulnerability due to improper access control for contributors. A user with the contributor role can gain unauthorized access to functions that should be reserved for higher roles.

CVE-2026-57940
Low

HTMLy 3.1.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the RSS feed import functionality. The function get_feed() in system/admin/admin.php passes user-supplied $feed_url directly to file_get_contents() without any validation. An authenticated attacker with administrative privileges can exploit this by entering a crafted URL (e.g., http://dnslog.example.com, file:///etc/passwd, or http://169.254.169.254 in cloud contexts) via Tools -> Import RSS. The server will then make a request to the attacker-controlled target.

CVE-2026-57926
Low

In JetBrains YouTrack before 2026.2.16593 the websandbox bridge was vulnerable to a prototype pollution attack.

CVE-2026-57925
Medium

In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading saved queries and tags.

CVE-2026-57924
Medium

In JetBrains YouTrack before 2026.2.16593 default role configuration exposed excessive user profile details.

CVE-2026-57923
Medium

In JetBrains YouTrack before 2026.2.16593, improper authorization in the app configurations endpoint allowed unauthorized modification of project settings.

CVE-2026-57922
Low

In JetBrains YouTrack before 2026.2.16593 project settings disclosure via the MCP was possible.

CVE-2026-57921
Medium

In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading users' private data via the comment templates endpoint.

CVE-2026-53914
Medium

In JetBrains Kotlin before version 2.4.20, a vulnerability was found that allows code execution via unsafe deserialization in the build cache metadata.

CVE-2026-13426
Medium

The Mattermost Go module github.com/mattermost/mattermost/server/public versions < v0.1.22 fail to validate path parameters when constructing API route paths which allows an attacker to redirect API calls to unintended endpoints via crafted IDs containing path traversal components.

CVE-2026-57920
High

A vulnerability in Peplink InControl 2 up to version 2.14.2 before 2026-06-03 allows bypassing access-control rules for certain /rest/o/{orgId} endpoints by using a semicolon.

CVE-2026-57915
High

A vulnerability in Apache Kerby allows bypassing the Kerberos pre-authentication check by sending a PA-DATA with an unrecognized or unsupported type. The issue is fixed in version 2.1.2.

CVE-2026-40711
High

An OS Command Injection vulnerability in Dell Container Storage Modules (csi-powerstore, csi-unity, csi-powerflex, csi-powermax version 2.16.0) allows a high-privileged attacker with remote access to execute arbitrary operating system commands.

CVE-2025-64152
Critical

A path traversal vulnerability has been discovered in Apache IoTDB, allowing access to files outside the restricted directory. The issue affects versions from 1.0.0 to 1.3.5 and from 2.0.0 to 2.0.6.

PreviousPage 232 of 4643Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS