CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
In Streambert versions 2.4.0 and prior, a Zip Slip vulnerability was identified in the subtitle extraction logic. The application does not sanitize archive entry filenames during extraction, allowing for path traversal attacks and writing arbitrary files to the host filesystem.
AI Lab versions below 5.4.2 are vulnerable to unauthenticated PHP object injection.
Versions of Blocksy Companion Pro up to 2.1.37 have a vulnerability allowing remote code execution (RCE) by unauthorized users.
In Charity Zone versions <= 1.1.1, there is a vulnerability that allows subscribers to upload arbitrary files.
In Kids Gift Shop versions <= 0.5.4, there is a vulnerability allowing arbitrary file uploads by subscribers.
In Ecommerce Zone versions <= 0.9.7, there is a vulnerability that allows subscribers to upload arbitrary files.
In Restaurant Zone versions <= 0.7.8, there is a vulnerability allowing arbitrary file uploads by subscribers.
There is an unauthenticated PHP Object Injection vulnerability in WooCommerce Product Filters versions below 2.0.6.
There is an unauthenticated SQL injection vulnerability in Blocksy Companion Pro versions below 2.1.29.
In Webenvo versions <= 0.0.6, there is a vulnerability that allows subscribers to upload arbitrary files.
There is an unauthenticated PHP Object Injection vulnerability in Elementra versions <= 1.0.9.
Unauthenticated SQL Injection exists in ListingPro versions <= 2.9.10.
Incorrect Authorization vulnerability of `/v2` experimental interface in Apache DolphinScheduler. This issue affects versions before 3.4.2.
Missing authorization check in DataSource API leads to arbitrary data source metadata disclosure in Apache DolphinScheduler.
Nifty versions up to 1.4.1 are vulnerable to unauthenticated PHP object injection.
In Support Board versions below 3.8.9, there is a vulnerability that allows unauthenticated privilege escalation.
The Elementor (Premium) plugin versions up to 2.0.6 contain a vulnerability that allows unauthorized file uploads by users with appropriate permissions.
The ACPT (Pro) - Custom Post Types Plugin for WordPress has a vulnerability due to improper control of code generation, allowing for remote code injection.
In WishList Member X versions up to 3.29.0, there is a vulnerability that allows subscribers to upload arbitrary files.
Versions of MetForm Pro <= 3.9.1 have an unauthenticated broken access control vulnerability that may allow attackers to access resources they should not have access to.

