CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
Version 4.0.409 of the remotion-dev remotion library has a vulnerability that allows for remote code execution (RCE).
Fortra's Core Privileged Access Manager (BoKS) contains an OS command injection vulnerability in the boks_autoregisterd service. A remote attacker with network access to the service may be able to cause commands to be executed with the privileges of the service during the autoregistration processing.
CVE-2026-52704 describes an improper control of code generation vulnerability in WooCommerce PDF Invoice Builder, allowing for remote code inclusion. This issue affects versions from n/a through 2.0.8.
The WordPress Plugin Baggage Freight Shipping Australia version 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the upload-package.php endpoint. Attackers can submit POST requests with malicious file extensions, enabling remote code execution.
Responsive FileManager allows an unauthenticated attacker to upload files of any type and extension without restriction using the dialog.php endpoint, leading to Remote Code Execution.
CVE-2026-49757 is an authentication bypass vulnerability in AshAuthentication that allows local user account takeover via OAuth2/OIDC sign-in. The issue arises from using the email address as a unique identifier instead of the iss/sub combination from OpenID Connect.
The WP MAPS PRO WordPress plugin before version 6.1.1 registers an unauthenticated AJAX action which, given a valid nonce, unconditionally creates an administrator account and returns a magic-login URL granting interactive admin access.
GD versions before 2.86 for Perl allow OS command injection and file overwrite via a 2-arg open() of filename arguments in _make_filehandle. A filename that begins or ends with a pipe or starts with a redirect can lead to command execution instead of file opening.
The Nefteprodukttekhnika BUK TS-G Gas Station Automation System versions 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerability in the system configuration module. The /php/ajax-login.php endpoint returns userid=1 (administrator) in response to any HTTP POST request that supplies arbitrary credentials.
The Model Context Protocol has a security warning advising servers to validate the 'Origin' header on all incoming connections to prevent DNS rebinding attacks. In version 0.25.0, a new '--allowed-hosts' flag was introduced, allowing users to specify permitted hosts at server startup.
OpenClaw before version 2026.5.27 contains a state mutation vulnerability in node pairing reconnection that allows for confusion in approval scope decisions. Attackers can exploit reconnection logic to restore or present broader node authority than intended.
ApostropheCMS is a Node.js content management system that, in versions up to 4.30.0, allows unauthorized modifications to object prototypes by authenticated editors. The use of the `$pullAll` operator enables writing arbitrary values to `Object.prototype`, leading to authorization bypass on all REST API endpoints.
Nezha Monitoring prior to version 2.0.13 has a vulnerability in the NoRoute handler in the dashboard that allows access to admin assets without authentication. By exploiting an incorrect URL prefix check, an attacker can access system files.
Nezha Monitoring versions from 1.4.0 to before 2.0.8 allow RoleMember users to create scheduled cron tasks that can execute arbitrary commands on servers, including those belonging to other users. This poses a risk of unauthorized access to systems.
A web page containing unusual WebGPU content can load it into the GPU GLES render process, leading to an out-of-bound write in the GPU user-space driver. This may result in memory corruption and possible browser/GPU process crash.
A vulnerability in sanitize-html prior to version 2.17.4 allows bypassing the HTML sanitization mechanism. An attacker can place malicious content inside a disallowed `xmp` element, which under the default configuration (`disallowedTagsMode: 'discard'`) is transformed into live HTML or JavaScript, leading to stored XSS.
Naxclow devices use a uniform request-signing scheme based on a hard-coded, platform-wide salt embedded in every firmware image. Once this salt is recovered from any device, an attacker can generate valid signatures for arbitrary device or account operations, leading to request forgery and impersonation.
SimpleHelp versions 5.5.15 and prior and 6.0 pre-release versions contain an authentication bypass vulnerability in the OIDC authentication flow. Identity tokens submitted during login are accepted without verifying their cryptographic signature, allowing a remote, unauthenticated attacker to obtain a fully authenticated technician session.
A vulnerability in MariaDB on Windows with the CONNECT engine and REST support enabled allows shell command injection due to improper sanitization of the HTTP table attribute in the curl command line. Affected versions range from 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1.
Aqara Home on Android version 6.0.0 and white-label clients using the same liblumidevsdk.so library use hard-coded cryptographic keys. This is an instance of CWE-321: Use of Hard-coded Cryptographic Key.

