CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
A vulnerability has been found in SourceCodester Online Discussion Forum Site version 1.0 that allows cross site scripting (XSS) attacks through manipulation of the 'content' argument in the file admin\posts\manage_post.php.
A vulnerability in the CLI tool notation allows an attacker who has compromised a registry to add a high number of signatures to an artifact, potentially leading to denial of service on the machine when a user runs the 'notation inspect' command.
A vulnerability has been found in Dahua Smart Parking Management up to version 20230528, leading to server-side request forgery through manipulation of the fileUrl argument. Exploitation of this vulnerability may allow unauthorized access to server resources.
A vulnerability has been found in X-WRT luci up to version 22.10_b202303061504, affecting the run_action function in the modules/luci-base/ucode/dispatcher.uc file. Manipulation of the request_path argument leads to cross site scripting.
Xpdf has a vulnerability related to excessively large PDF page sizes, which can lead to a divide-by-zero error in the text extraction code. This issue was discovered during fuzz testing and is unlikely to occur in normal PDF files.
A vulnerability has been found in the Agro-School Management System 1.0 affecting the doAddQuestion function in the btn_functions.php file. Manipulation of the Question argument leads to cross-site scripting (XSS) attacks.
A vulnerability was found in 07FLY CRM up to version 1.2.0, leading to cross site scripting (XSS) attacks through manipulation of the User Profile Handler component code. The attack can be initiated remotely.
In JetBrains Ktor versions before 2.3.1, headers containing authentication data could be added to the exception's message.
A vulnerability has been found in Guangdong Pythagorean OA Office System up to version 4.50.31, affecting an unknown functionality of the Schedule Handler component. Manipulation of the argument 'description' leads to cross site scripting.
A vulnerability was found in SourceCodester Lost and Found Information System 1.0 that allows basic cross site scripting attacks through manipulation of the First Name/Middle Name/Last Name arguments on the Manage User Page.
A vulnerability was found in yiwent Vip Video Analysis 1.0, affecting some unknown functionality of the file admin/admincore.php. The manipulation leads to cross site scripting (XSS) attacks that can be launched remotely.
A vulnerability was found in BeipyVideoResolution up to version 2.6, allowing cross site scripting attacks through manipulation in an unknown function of the file admin/admincore.php.
A vulnerability was found in SourceCodester Local Service Search Engine Management System version 1.0 that allows cross-site scripting (XSS) attacks through manipulation of the POST parameter in the /admin/ajax.php file. Inputting a malicious script like <script>alert(document.cookie)</script> can lead to unauthorized access to user data.
The Calendar app for Nextcloud discloses some internal paths of the website when the SMTP server is unavailable. It is recommended to update the Calendar app to version 3.5.5 or 4.2.3.
Nextcloud Mail is a mail app in Nextcloud that is vulnerable to a blind SSRF attack. This attack allows sending GET requests to services running on the same web server.
Craft is a CMS for creating custom digital experiences on the web. The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload.
The Object module in Liferay Portal versions 7.4.3.4 to 7.4.3.60 and Liferay DXP 7.4 before update 61 does not segment object definitions by virtual instance in searches. This allows remote authenticated users in one virtual instance to view object definitions from a second virtual instance.
The Object module in Liferay Portal versions 7.4.3.4 to 7.4.3.48 and Liferay DXP 7.4 before update 49 does not properly isolate objects in different virtual instances. This allows remote authenticated users in one virtual instance to view objects in a different virtual instance via the OAuth 2 scope administration page.
Jenkins SAML Single Sign On (SSO) Plugin 2.1.0 and earlier unconditionally disables SSL/TLS certificate validation for connections to miniOrange or the configured IdP to retrieve SAML metadata.
Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: General/Core Client) affects versions 8.0.28 and prior. It allows an unauthenticated attacker with access to the infrastructure where MySQL Shell runs to compromise it, requiring interaction from a person other than the attacker.

