CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
A vulnerability was found in Dooblou WiFi File Explorer version 1.13.3 that leads to cross-site scripting (XSS) attacks through manipulation of the search, order, download, or mode arguments. The attack can be launched remotely.
A vulnerability was found in Webile 1.0.1, classified as problematic. It affects an unknown function of the HTTP POST Request Handler component, where manipulation of the argument new_file_name/c leads to cross site scripting.
In HashiCorp Nomad Enterprise versions 1.2.11 to 1.5.6 and 1.4.10, ACL policies using a block without a label generate unexpected results. This issue is fixed in versions 1.6.0, 1.5.7, and 1.4.11.
A flaw was found in the Keylime attestation verifier, which fails to flag a device as untrusted when the TPM quote's signature does not validate. Instead, it only logs an error.
A vulnerability was found in Intergard SGS 8.7.0 affecting unknown code of the SQL Query Handler component. The manipulation leads to cleartext transmission of sensitive information.
A vulnerability was found in Intergard SGS 8.7.0, affecting some unknown functionality of the Password Change Handler component. Manipulation leads to cleartext transmission of sensitive information.
A vulnerability has been identified in GZ Scripts Car Rental Script version 1.8 that allows cross site scripting (XSS) attacks through manipulation of arguments in the /EventBookingCalendar/load.php file. An attacker can remotely exploit this vulnerability by injecting malicious data into the first_name, second_name, phone, address_1, and country fields.
A vulnerability was found in Creativeitem Atlas Business Directory Listing version 2.13, allowing cross-site scripting (XSS) attacks through manipulation of the search_string argument in the /home/search file.
A vulnerability has been found in Creativeitem Atlas Business Directory Listing version 2.13, allowing cross site scripting attacks through manipulation of the price-range argument in the /home/filter_listings file.
A vulnerability was identified in Creativeitem Ekushey Project Manager CRM 5.0 that allows cross site scripting attacks through manipulation of the message argument in the file /index.php/client/message/message_read/xxxxxxxx[random-msg-hash].
A vulnerability has been found in Creativeitem Mastery LMS version 1.2 that allows cross site scripting attacks through manipulation of an argument in the /browse file. The attack can be initiated remotely.
A vulnerability was found in Creativeitem Academy LMS 5.15, rated as problematic. Manipulation of the sort_by argument in the /home/courses file leads to cross-site scripting attacks.
Fides is an open-source privacy engineering platform that is vulnerable to a Denial of Service (DoS) attack. Attackers can exploit this vulnerability to upload malicious SVG files, leading to resource exhaustion in Admin UI browser tabs.
Fides is an open-source privacy engineering platform that is vulnerable to a Denial of Service (DoS) attack through the upload of a malicious zip bomb file. Versions of Fides from `2.11.0` to `2.15.1` are affected by this vulnerability, which requires elevated privileges to exploit.
The Mattermost WelcomeBot plugin fails to validate membership status when inviting or adding users to channels, allowing guest accounts to be added by default.
Mattermost fails to delete card attachments in Boards, allowing an attacker to access deleted attachments.
Mattermost fails to properly show information in the UI, allowing a system admin to modify a board state. This allows any user with a valid sharing link to join the board with editor access, without the UI showing the updated permissions.
Mattermost fails to properly check the authorization of POST /api/v4/teams when passing a team override scheme ID in the request. This allows an authenticated attacker with knowledge of a Team Override Scheme ID to create a new team with said team override scheme.
Mattermost fails to properly restrict requests to localhost/intranet during the interactive dialog, which could allow an attacker to perform a limited blind SSRF.
IBM Robotic Process Automation versions 21.0.0 through 21.0.7.6 and 23.0.0 through 23.0.6 are vulnerable to client side validation bypass, which could allow invalid changes or values in some fields.

