CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2025-66123
Medium

An Insecure Direct Object References (IDOR) vulnerability in BookPro version 1.1.0 and earlier allows an unauthenticated attacker to access resources they should not have permission to. The issue stems from a lack of authorization checks when directly referencing objects.

CVE-2025-64637
Medium

In Auros Core versions up to and including 5.3.1, there is an unauthenticated content injection vulnerability. An attacker without authentication can modify application content.

CVE-2025-64636
Medium

The Donation Thermometer plugin versions up to 2.2.7 contain an unauthenticated broken access control vulnerability. An attacker without authentication can gain unauthorized access to plugin functions.

CVE-2025-63079
Medium

The Live Copy Paste for Elementor plugin in versions 1.5.3 and below contains a vulnerability due to improper access control for contributors. This allows users with the contributor role to perform unauthorized actions.

CVE-2025-63078
Medium

The Restaurant Menu by MotoPress plugin in versions 2.4.11 and earlier contains a vulnerability related to broken access control by subscribers. Users with the subscriber role can gain unauthorized access to restaurant menu management functions.

CVE-2025-63041
Medium

The Forget About Shortcode Buttons plugin in versions 2.1.3 and below contains a vulnerability due to improper access control for contributors. A user with the contributor role can gain unauthorized access to functions that should be reserved for higher roles.

CVE-2026-57925
Medium

In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading saved queries and tags.

CVE-2026-57924
Medium

In JetBrains YouTrack before 2026.2.16593 default role configuration exposed excessive user profile details.

CVE-2026-57923
Medium

In JetBrains YouTrack before 2026.2.16593, improper authorization in the app configurations endpoint allowed unauthorized modification of project settings.

CVE-2026-57921
Medium

In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading users' private data via the comment templates endpoint.

CVE-2026-53914
Medium

In JetBrains Kotlin before version 2.4.20, a vulnerability was found that allows code execution via unsafe deserialization in the build cache metadata.

CVE-2026-13426
Medium

The Mattermost Go module github.com/mattermost/mattermost/server/public versions < v0.1.22 fail to validate path parameters when constructing API route paths which allows an attacker to redirect API calls to unintended endpoints via crafted IDs containing path traversal components.

CVE-2026-57914
Medium

Sending a deeply nested ASN1 structure to an Apache Kerby client or service can trigger a StackOverFlow exception, leading to denial of service (DoS).

CVE-2026-57620
Medium

The Exclusive Addons Elementor plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability due to improper input neutralization during page generation. The flaw affects all versions up to and including 2.7.9.8.

CVE-2026-57473
Medium

A vulnerability in the netclient and factory services of Reolink Home Hub (versions prior to v3.3.0.456_26031911) allows brute-force credential cracking. Attackers on the same local network can intercept traffic between the Hub and cameras and compromise camera credentials.

CVE-2026-6658
Medium

A vulnerability in jupyter/nbconvert versions up to 7.17.0 allows Cross-site Scripting (XSS) via unsanitized `text/vnd.mermaid` output in HTML exports. The `data_mermaid` block in `share/templates/lab/base.html.j2` renders `text/vnd.mermaid` cell output directly into HTML without escaping, enabling attackers to inject arbitrary HTML/JavaScript by breaking out of the `<pre>` tag.

CVE-2026-1869
Medium

The User Registration & Membership plugin for WordPress up to version 5.2.0 contains a vulnerability due to missing validation in the confirm_payment() function. This allows unauthenticated attackers to bypass payment processing and activate paid memberships.

CVE-2026-8380
Medium

The Frontend File Manager Plugin WordPress plugin through 23.6 does not properly verify ownership of every targeted post before permanent deletion, allowing authenticated users with author-level access and above to permanently delete arbitrary posts and pages. When the 'Allow guest uploads' setting is enabled by an administrator, the same deletion primitive becomes reachable by unauthenticated users.

CVE-2025-10268
Medium

The Printcart Web to Print Product Designer for WooCommerce WordPress plugin through version 2.4.8 contains a path traversal vulnerability, allowing an attacker to retrieve directory listings for arbitrary directories on the server.

CVE-2026-8661
Medium

Server-Side Cross-Site Scripting (XSS) and Server-Side Request Forgery (SSRF) vulnerability in the markdown_to_pdf action of Rapid7 InsightConnect Markdown Plugin version 3.1.4 and earlier on Linux. A remote attacker can execute JavaScript server-side and make arbitrary outbound HTTP requests via crafted content embedded in Markdown input. The PDF rendering engine does not restrict script execution or outbound network access.

PreviousPage 38 of 519Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS