CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.16)
Improper input validation in Microsoft Exchange Server allows an authorized attacker to perform tampering over a network.
In WuKongOpenSource WukongCRM 11.0, a vulnerability in the /adminFile/upload file of the API Response Handler component leads to information exposure through error messages. The attack can be performed remotely, and exploit details are publicly available.
The vulnerability in Operator-SDK before version 0.15.2 involves an insecure user_setup script that sets permissions of the /etc/passwd file to 664 (group-writable) with group ownership root (gid=0) during image build. An attacker who can execute commands within the container, even as a non-root user, can leverage membership in the root group to modify /etc/passwd and add a new user with any arbitrary UID, including 0, leading to full root privileges within the container.
An issue in 4C Strategies Exonaut before version 22.4 allows attackers to perform a directory traversal attack. This vulnerability enables reading files outside the intended directory.
EyouCMS 1.6.7 is vulnerable to Cross Site Scripting (XSS) in /login.php?m=admin&c=System&a=web&lang=cn. An attacker can inject malicious JavaScript code that executes in the victim's browser.
An SSRF vulnerability in Vedo Suite 2024.17 allows authenticated attackers to send HTTP requests to arbitrary external paths via the "file" parameter in the /api_vedo/video/preview endpoint.
A local file inclusion (LFI) vulnerability in Vedo Suite version 2024.17 allows remote authenticated attackers to read arbitrary filesystem files by exploiting an unsanitized 'readfile()' function call in '/api_vedo/video/preview'.
A vulnerability in Vedo Suite 2024.17 allows unauthenticated remote attackers to obtain a valid high-privilege JWT token by sending an empty HTTP POST request to the /autologin/ endpoint, due to incorrect access control.
A Cross-site scripting (XSS) vulnerability in /api_vedo/ in Vedo Suite version 2024.17 allows remote attackers to inject arbitrary JavaScript or HTML code, potentially leading to code execution in the victim's browser.
A path traversal vulnerability in Vedo Suite 2024.17 allows remote authenticated attackers to read arbitrary filesystem files by exploiting an unsanitized 'file_get_contents()' function call in '/api_vedo/template'.
An access control issue was discovered in 4C Strategies Exonaut prior to version 22.4, which may allow unauthorized users to access resources without proper permissions.
A Server-Side Request Forgery (SSRF) vulnerability was discovered in 4C Strategies Exonaut prior to version 21.6.2.1-1. This allows an attacker to send requests from the server to internal network resources.
Insecure permissions were discovered in 4C Strategies Exonaut prior to version 22.4, potentially allowing unauthorized access to resources.
In SSCMS version 7.3.1, the component /stl/actions/download?filePath is vulnerable to directory traversal. This allows an attacker to read arbitrary files outside the intended directory.
A file upload vulnerability exists in Writebot AI Content Generator SaaS React Template through version 4.0.0, allowing remote attackers to escalate privileges via a crafted POST request to the /file-upload endpoint.
A Cross-Site Scripting (XSS) vulnerability was found in SeaCMS before version 13.2 via the 'vid' parameter in Upload/js/player/dmplayer/player. It allows a remote attacker to inject malicious JavaScript code into the page.
An XSS vulnerability in the reconcile method of the AttachmentReconciler class in Halo system v.2.20.18LTS and earlier allows an attacker to inject malicious scripts.
Incorrect access control in CaricaVerbale in Agenzia Impresa Eccobook v2.81.1 allows authenticated attackers with low-level access to escalate privileges to Administrator.
A vulnerability in CPUID cpuz.sys version 1.0.5.4 allows an attacker to use DeviceIoControl with unvalidated parameters to perform RDMSR and WRMSR operations. This enables modification of the MSR_LSTAR register and hooking of the KiSystemCall64 syscall, followed by ROP-based exploitation to disable the SMAP flag in CR4 and execute code in kernel context.
An infinite recursion vulnerability was found in Artifex MuPDF versions 1.25.5 and 1.25.6 within the `mutool clean` utility. A remote attacker can cause a denial of service (DoS) by supplying a crafted PDF file with cyclic /Next references in the outline structure.

