CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.15)
A heap use-after-free vulnerability was found in the libblkid library of util-linux. During nested partition probing, a pointer to a parent partition entry becomes stale after array reallocation, allowing an attacker to read freed memory.
A SQL injection vulnerability has been found in itsourcecode Baptism Information Management System 1.0 in the /editBaptism.php file. An attacker can remotely manipulate the ID argument, leading to SQL injection. The exploit has been publicly disclosed.
A SQL injection vulnerability has been found in itsourcecode Baptism Information Management System 1.0 in the file /delbaptism.php. An unknown function mishandles the ID argument, allowing remote exploitation. The exploit is publicly available and could be used in attacks.
A security flaw in CodeAstro Complaint Management System 1.0 allows remote authorization bypass via the deletereport function in Report.php. The exploit is publicly available.
A SQL injection vulnerability was found in itsourcecode Hospital Management System 1.0 in the /doctortimings.php file. Remote attackers can manipulate the editid argument to inject SQL code. The exploit is publicly available.
A vulnerability was found in Hanwang e-Face General Management Platform 6.3.5.4, allowing unrestricted file upload. The issue affects the /manage/resourceUpload/upload.do endpoint, where manipulation of the File argument enables remote upload of arbitrary files. The exploit has been publicly disclosed and may be used.
A missing authentication vulnerability was found in Feehi CMS up to version 2.1.1 in the REST API endpoint /api/articles. The attack can be performed remotely without authentication, and exploit details are publicly available.
A vulnerability was found in D-Link DCS-935L camera firmware version 1.10.01, allowing OS command injection. The issue resides in the sub_400E40 function of the setconf.cgi file, where the UID argument is mishandled by the POST Parameter Handler component. The attack can be launched remotely, and exploit details are publicly available.
The F4 Post Tree WordPress plugin before version 2.0.5 does not perform capability checks or CSRF/nonce verification on one of its AJAX actions, allowing authenticated users with Subscriber-level access and above to modify the parent and menu order of arbitrary posts.
A vulnerability has been found in Feehi CMS up to version 2.1.1 in the file /api/users of the API component. Unknown functionality of this file causes improper access controls, allowing remote attacks. The exploit has been published and may be used.
A vulnerability was found in Documenso up to version 2.11.0 in the Google OAuth Login component. An unknown function in handle-oauth-callback-url.ts leads to improper authentication. The attack can be launched remotely but is difficult to exploit due to high complexity.
A SQL injection vulnerability has been found in itsourcecode Hospital Management System 1.0 in the /doctorprofile.php file. An attacker can remotely manipulate the doctorname argument, leading to SQL injection. The exploit has been publicly disclosed.
A SQL injection vulnerability has been found in itsourcecode Hospital Management System 1.0 in the /doctorchangepassword.php file. Manipulating the newpassword argument allows remote exploitation. The exploit is publicly available, increasing the risk of attacks.
A server-side request forgery (SSRF) vulnerability has been discovered in GitBucket up to version 4.46.1 in the Git.cloneRepository.setURI function. Manipulating the url argument in RepositoryCreationService.scala allows remote exploitation. The exploit is public, and applying a patch is recommended.
A stack-based buffer overflow vulnerability was found in Wavlink WL-NU516U1-A firmware M16U1_V240425 in the sub_407504 function of /cgi-bin/wireless.cgi. Manipulation of the Guest_ssid argument in the POST Parameter Handler allows remote code execution. The exploit is publicly available.
The APCu Manager WordPress plugin before version 4.5.0 fails to escape APCu object-cache keys before rendering them in an admin-area page, leading to a Stored Cross-Site Scripting vulnerability. Cache keys derived from unsanitized user input (e.g., a transient name created by an unauthenticated request) are output without escaping and execute arbitrary JavaScript in the session of an administrator viewing the page.
Information exposure vulnerability in Hitachi Storage Navigator. This flaw affects multiple Hitachi Virtual Storage Platform models before specific DKCMAIN and SVP software versions.
An improper authorization vulnerability has been discovered in the maintenance utility of Hitachi Virtual Storage Platform systems. This flaw allows unauthorized access to maintenance functions, potentially compromising data integrity and confidentiality.
Hitachi Virtual Storage Platform One Block 23, 24, 26, 28 lack firmware update validation. This issue affects versions before DKCMAIN A3-04-21-40/00 and ESM A3-04-21/00.
In the Linux kernel AMD64 AGP driver, a vulnerability was found due to incorrect error checking of the return value from cache_nbs(). When no physical AMD northbridge is present (e.g., in virtualized environments), the function returns -ENODEV, but the code only checks for -1, masking the error and leading to a NULL pointer dereference in amd64_fetch_size().

