CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
In JobSearch versions up to 3.2.9, there is an unauthenticated SQL Injection vulnerability that can be exploited by an attacker to execute unauthorized queries against the database.
There is an unauthenticated PHP object injection vulnerability in JetEngine versions up to 3.8.10.
SigmaForms Pro – AI Generated Forms versions up to 1.4.5 contain a vulnerability allowing unauthenticated arbitrary file uploads.
A path traversal vulnerability in the SFTP provider allows a malicious or compromised remote SFTP server to write files outside the configured local destination directory. No Airflow account is required, and the attack surface includes any deployment downloading directories from an untrusted SFTP server.
There is a vulnerability in wpForo Forum versions up to 3.1.0 related to unauthenticated broken authentication.
Thrive Apprentice versions below 10.8.10.2 are vulnerable to unauthenticated PHP object injection.
JetEngine versions below 3.8.9.1 are vulnerable to unauthenticated SQL injection.
There is an unauthenticated SQL injection vulnerability in wpDataTables versions up to 7.3.6.
JetSearch versions up to 3.5.17 are vulnerable to unauthenticated SQL injection, potentially allowing unauthorized access to data.
There is an unauthenticated SQL injection vulnerability in JetEngine versions up to 3.8.9.1.
JetEngine versions up to 3.8.9.1 are vulnerable to PHP Object Injection, which may lead to unauthorized access to data.
LoginPress Pro versions up to 6.2.2 contain a vulnerability allowing unauthenticated privilege escalation.
There is an unauthenticated SQL Injection vulnerability in JetSmartFilters versions up to 3.8.1.
The Backpropagate library in versions 1.1.0 and 1.1.1 has a vulnerability that allows access to the user interface without authentication. This enables attackers to upload data, trigger training runs, and access models without any security.
Postiz is an AI social media scheduling tool. In versions prior to 2.21.8, an attacker could exploit a vulnerability in the Skool integration to forge a SUPERADMIN session, allowing impersonation of arbitrary organizations.
The Traccar Client app, used for GPS tracking, is vulnerable in versions 9.7.19 and below to an attack that allows hijacking GPS tracking parameters via a crafted deep link. Such a link can change the app's configuration without confirmation, redirecting telemetry data to an attacker-controlled server.
Rocket.Chat versions below 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, 7.10.13 have an access control vulnerability in Livechat files. The authorization process for downloading protected files does not verify that rc_rid matches the requested file, allowing unauthenticated discovery of all uploaded files.
In Streambert versions 2.4.0 and prior, a Zip Slip vulnerability was identified in the subtitle extraction logic. The application does not sanitize archive entry filenames during extraction, allowing for path traversal attacks and writing arbitrary files to the host filesystem.
AI Lab versions below 5.4.2 are vulnerable to unauthenticated PHP object injection.
Versions of Blocksy Companion Pro up to 2.1.37 have a vulnerability allowing remote code execution (RCE) by unauthorized users.

