CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-57966
Medium

A path traversal vulnerability was found in spice-vdagent. It allows a malicious or compromised SPICE host to write arbitrary files to any location on the guest operating system. The issue occurs because the filename provided by the SPICE host during file transfers is not properly sanitized.

CVE-2026-57965
Medium

An integer overflow vulnerability was found in spice-vdagent. A malicious or compromised SPICE host can send a crafted message, leading to a heap buffer overflow and crash of the spice-vdagent daemon. This results in a Denial of Service (DoS) for the virtual machine.

CVE-2026-57676
Medium

The Simple User Avatar plugin for WordPress contains an authorization bypass vulnerability through a user-controlled key. This allows exploiting incorrectly configured access control security levels.

CVE-2026-13595
Medium

A heap use-after-free vulnerability was found in the libblkid library of util-linux. During nested partition probing, a cached pointer to a parent partition entry becomes stale after array reallocation, allowing an attacker to read freed memory.

CVE-2026-13549
Medium

A security flaw in CodeAstro Complaint Management System 1.0 allows remote authorization bypass via the deletereport function in Report.php. The exploit is publicly available.

CVE-2026-13548
Medium

A SQL injection vulnerability was found in itsourcecode Hospital Management System 1.0 in the /doctortimings.php file. Remote attackers can manipulate the editid argument to inject SQL code. The exploit is publicly available.

CVE-2026-9676
Medium

The F4 Post Tree WordPress plugin before version 2.0.5 does not perform capability checks or CSRF/nonce verification on one of its AJAX actions, allowing authenticated users with Subscriber-level access and above to modify the parent and menu order of arbitrary posts.

CVE-2026-13544
Medium

A vulnerability has been found in Feehi CMS up to version 2.1.1 in the file /api/users of the API component. Unknown functionality of this file causes improper access controls, allowing remote attacks. The exploit has been published and may be used.

CVE-2026-13543
Medium

A vulnerability was found in Documenso up to version 2.11.0 in the Google OAuth Login component. An unknown function in handle-oauth-callback-url.ts leads to improper authentication. The attack can be launched remotely but is difficult to exploit due to high complexity.

CVE-2026-13542
Medium

A SQL injection vulnerability has been found in itsourcecode Hospital Management System 1.0 in the /doctorprofile.php file. An attacker can remotely manipulate the doctorname argument, leading to SQL injection. The exploit has been publicly disclosed.

CVE-2026-13541
Medium

A SQL injection vulnerability has been found in itsourcecode Hospital Management System 1.0 in the /doctorchangepassword.php file. Manipulating the newpassword argument allows remote exploitation. The exploit is publicly available, increasing the risk of attacks.

CVE-2026-13540
Medium

A server-side request forgery (SSRF) vulnerability has been discovered in GitBucket up to version 4.46.1 in the Git.cloneRepository.setURI function. Manipulating the url argument in RepositoryCreationService.scala allows remote exploitation. The exploit is public, and applying a patch is recommended.

CVE-2025-7386
Medium

Information exposure vulnerability in Hitachi Storage Navigator. This flaw affects multiple Hitachi Virtual Storage Platform models before specific DKCMAIN and SVP software versions.

CVE-2026-13538
MediumEPSS 67%

A command injection vulnerability was found in Wavlink WL-NU516U1-A firmware version M16U1_V240425. The issue is in the sub_401D68 function of the /cgi-bin/wireless.cgi file, where the SSID2G2, SSID5G2, AuthMethod2, and WPAPSK12 parameters are improperly handled. Remote exploitation is possible, and the exploit has been publicly disclosed.

CVE-2026-13537
Medium

A cross-site request forgery (CSRF) vulnerability was found in CodeAstro Human Resource Management System 1.0. An unknown function allows remote attackers to perform unauthorized actions on behalf of an authenticated user. The exploit has been made public and could be used.

CVE-2026-13536
Medium

A cross-site scripting vulnerability was found in GotoHTTP up to version 10.2 in the /reg.12x file via the sn parameter. The attack can be performed remotely and the exploit details have been publicly disclosed.

CVE-2026-13535
Medium

A SQL injection vulnerability was found in CodeAstro Human Resource Management System 1.0 in the GetFileInfo function of Employee_model.php. Manipulating the ID argument in the view endpoint allows remote attack. The exploit has been published and may be used.

CVE-2026-13534
Medium

In CherryHQ cherry-studio up to version 1.9.7, a vulnerability was found in the sha256 function of the MemoryService.ts file in the CherryIN Preload API component. Manipulation of the state argument leads to authorization bypass.

CVE-2026-13533
Medium

A security vulnerability in Cockpit CMS up to version 0.12.2 affects the Spyc::YAMLLoad function in the /config/config.yaml file of the htaccess Handler component. This manipulation leads to unauthorized access to files or directories. The attack can be launched remotely and the exploit has been publicly disclosed.

CVE-2026-13532
Medium

A SQL injection vulnerability has been found in itsourcecode Hospital Management System 1.0 in the file /departmentDoctor.php. An attacker can remotely manipulate the deptid argument, leading to unauthorized database access. The exploit has been made public, increasing the risk of attacks.

PreviousPage 34 of 523Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS