CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.15)
A Cross Site Scripting (XSS) vulnerability was found in HCLTech DRAGON prior to version 7.6.0. Missing security directives allow a remote attacker to execute arbitrary code in the victim's browser context.
A vulnerability in Aquarius Desktop 3.0.069 for macOS stores user authentication credentials in a local file using a weak obfuscation scheme. The password is 'encrypted' through predictable byte-substitution that can be trivially reversed, allowing immediate recovery of the plaintext value.
A stored cross-site scripting (XSS) vulnerability in the PwdGrp.cgi endpoint of AVTECH DGM1104 allows attackers to inject malicious JavaScript or HTML into the username field. Successful exploitation enables arbitrary script execution in the victim's browser context.
An authenticated command injection vulnerability was discovered in the test_mail function of AVTECH SECURITY DGM1104 (firmware version FullImg-1015-1004-1006-1003). This flaw allows an attacker to execute arbitrary system commands via crafted input.
In ImageMagick, prior to versions 7.1.2-9 and 6.9.13-34, there is a vulnerability in the Magick++ layer that manifests when Options::fontFamily is invoked with an empty string. This leads to memory being freed while leaving a pointer to freed memory, which can result in crashes or heap corruption.
Podatność CVE-2025-13505 dotyczy niewłaściwej neutralizacji danych wejściowych podczas generowania stron internetowych, co prowadzi do ataków typu Cross-site Scripting (XSS). Dotyczy to wersji Datactive od 2.13.34 do przed 2.14.0.6, umożliwiając przechowywane XSS.
W Angularze, przed wersjami 21.0.2, 20.3.15 i 19.2.17, zidentyfikowano podatność typu Stored Cross-Site Scripting (XSS) w kompilatorze szablonów. Problem wynika z niekompletności wewnętrznego schematu zabezpieczeń kompilatora, co pozwala atakującym na obejście wbudowanej sanitizacji bezpieczeństwa Angulara.
Snipe-IT before version 8.3.4 is vulnerable to stored XSS via the Locations "Country" field. A low-privileged authenticated user can inject JavaScript that executes in another user's session.
A stored XSS vulnerability in Snipe-IT before version 8.3.4 allows a low-privileged authenticated user to inject JavaScript that executes in an administrator's session, enabling privilege escalation.
Podatność w Seneka Software dotycząca niewłaściwego egzekwowania workflow behawioralnego pozwala na niewłaściwe wykorzystanie funkcjonalności. Problem dotyczy wersji Onaylarım od 25.09.26.01 do 18112025.
W podatności CVE-2025-13296 występuje luka typu Cross-Site Request Forgery (CSRF) w oprogramowaniu T-Soft E-Commerce firmy Tekrom Technology Inc. Umożliwia ona przeprowadzenie ataku CSRF.
An IDOR vulnerability in classroomio 0.1.13 allows students to access sensitive admin/teacher endpoints by manipulating course IDs in URLs, resulting in temporary unauthorized disclosure of sensitive course, admin, and student data before the system reverts to normal access restrictions.
A stored cross-site scripting (XSS) vulnerability in Classroomio LMS 0.1.13 allows authenticated attackers to execute arbitrary code via crafted SVG cover images.
A stored cross-site scripting (XSS) vulnerability in Classroomio LMS 0.1.13 allows authenticated attackers to execute arbitrary code via crafted SVG profile pictures.
Multiple SQL injection vulnerabilities were discovered in SIGB PMB version 8.0.1.14 in the /opac_css/ajax_selector.php component. The flaws exist in the id and datas parameters.
A vulnerability in Blurams Lumi Security Camera (A31C) firmware v23.1227.472.2926 allows a local physical attacker to execute arbitrary code by overwriting the bootloader on the SD card.
YCCMS 3.4 contains a stored cross-site scripting (XSS) vulnerability in the article management functionality. The issue is in the add() and getPost() functions within ArticleAction.class.php due to improper neutralization of user input in the article title field.
OpenRapid RapidCMS 1.3.1 is vulnerable to Cross Site Scripting (XSS) in /user/user-move.php. This allows an attacker to inject malicious scripts into the page, which can be executed in the victim's browser.
Podatność CVE-2025-11963 dotyczy niewłaściwej neutralizacji danych wejściowych podczas generowania stron internetowych w StarCities, co pozwala na ataki typu Reflected XSS. Problem ten występuje w wersjach przed 1.1.61.
Podatność CVE-2025-0421 dotyczy niewłaściwego ograniczenia renderowanych warstw interfejsu użytkownika lub ramek w oprogramowaniu Shopside firmy Shopside Software Technologies Inc. Problem ten występuje w wersji Shopside do 05022025, umożliwiając wykorzystanie nakładek iFrame.

