CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-48055
CriticalEPSS 53%

In Streambert versions 2.4.0 and prior, a Zip Slip vulnerability was identified in the subtitle extraction logic. The application does not sanitize archive entry filenames during extraction, allowing for path traversal attacks and writing arbitrary files to the host filesystem.

CVE-2026-42380
Critical

AI Lab versions below 5.4.2 are vulnerable to unauthenticated PHP object injection.

CVE-2026-40783
Critical

Versions of Blocksy Companion Pro up to 2.1.37 have a vulnerability allowing remote code execution (RCE) by unauthorized users.

CVE-2026-40749
Critical

In Charity Zone versions <= 1.1.1, there is a vulnerability that allows subscribers to upload arbitrary files.

CVE-2026-40748
Critical

In Kids Gift Shop versions <= 0.5.4, there is a vulnerability allowing arbitrary file uploads by subscribers.

CVE-2026-40747
Critical

In Ecommerce Zone versions <= 0.9.7, there is a vulnerability that allows subscribers to upload arbitrary files.

CVE-2026-40746
Critical

In Restaurant Zone versions <= 0.7.8, there is a vulnerability allowing arbitrary file uploads by subscribers.

CVE-2026-40725
Critical

There is an unauthenticated PHP Object Injection vulnerability in WooCommerce Product Filters versions below 2.0.6.

CVE-2026-39596
Critical

There is an unauthenticated SQL injection vulnerability in Blocksy Companion Pro versions below 2.1.29.

CVE-2026-39589
Critical

In Webenvo versions <= 0.0.6, there is a vulnerability that allows subscribers to upload arbitrary files.

CVE-2026-39529
Critical

There is an unauthenticated PHP Object Injection vulnerability in Elementra versions <= 1.0.9.

CVE-2026-39438
Critical

Unauthenticated SQL Injection exists in ListingPro versions <= 2.9.10.

CVE-2026-32967
Critical

Incorrect Authorization vulnerability of `/v2` experimental interface in Apache DolphinScheduler. This issue affects versions before 3.4.2.

CVE-2026-32966
Critical

Missing authorization check in DataSource API leads to arbitrary data source metadata disclosure in Apache DolphinScheduler.

CVE-2026-27429
Critical

Nifty versions up to 1.4.1 are vulnerable to unauthenticated PHP object injection.

CVE-2026-27395
Critical

In Support Board versions below 3.8.9, there is a vulnerability that allows unauthenticated privilege escalation.

CVE-2026-27041
Critical

The Elementor (Premium) plugin versions up to 2.0.6 contain a vulnerability that allows unauthorized file uploads by users with appropriate permissions.

CVE-2026-25470
Critical

The ACPT (Pro) - Custom Post Types Plugin for WordPress has a vulnerability due to improper control of code generation, allowing for remote code injection.

CVE-2026-25446
Critical

In WishList Member X versions up to 3.29.0, there is a vulnerability that allows subscribers to upload arbitrary files.

CVE-2026-24611
Critical

Versions of MetForm Pro <= 3.9.1 have an unauthenticated broken access control vulnerability that may allow attackers to access resources they should not have access to.

PreviousPage 25 of 552Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS