CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
Versions of Datalogics Ecommerce Delivery up to 2.6.62 contain a vulnerability that allows unauthenticated privilege escalation.
There is an unauthenticated SQL injection vulnerability in SpeakOut! Email Petitions versions up to 4.6.5.
GeekyBot versions up to 1.2.0 are vulnerable to unauthenticated SQL injection, which may lead to unauthorized access to the database.
GeoDirectory versions up to 2.8.152 are vulnerable to unauthenticated SQL injection.
There is an unauthenticated SQL injection vulnerability in WP Photo Album Plus versions up to 9.1.08.001.
There is an unauthenticated SQL injection vulnerability in Form Maker by 10Web versions up to 1.15.38.
There is an unauthenticated SQL injection vulnerability in Simply Schedule Appointments versions up to 1.6.9.27.
There is an unauthenticated SQL injection vulnerability in WP Maps versions up to 4.9.1.
There is a remote code execution (RCE) vulnerability in Responsive Slider by MetaSlider versions up to 3.106.0. An attacker can exploit this flaw to execute arbitrary code on the server.
In Free <= 5.3 versions of the Feed KuantoKusta plugin for WooCommerce, there is an unauthenticated SQL injection vulnerability.
iControlWP versions up to 5.5.3 contain a vulnerability that allows unauthenticated privilege escalation.
In Broadcast Live Video versions below 7.1.3, there is a vulnerability to unauthenticated PHP object injection.
In version 4.6.0 of the grocy application, a SQL injection vulnerability was discovered in the product-group parameter at /stockreports/spendings. This allows attackers to access sensitive database information via a crafted SQL statement.
In version 5.0.1 of shlink, there is a Server-Side Request Forgery (SSRF) vulnerability in the automatic short URL title resolution component, allowing attackers to scan internal resources by supplying a crafted longUrl.
Incorrect access control in the webhook management component of Project Firefly III v6.5.9 allows attackers to scan internal resources via a crafted POST request.
An HTML injection vulnerability in the /src/highlight.rs component of matze wastebin v3.4.1 allows attackers to execute arbitrary scripts via a crafted payload.
An issue in the sendmail transport integration component of YouTransfer v1.0.6 allows attackers to execute arbitrary code via supplying a crafted request.
Version 5.5.4 of flatnotes contains a vulnerability that allows arbitrary file uploads in the attachment handling component. Attackers can exploit this flaw to execute arbitrary code by uploading a crafted HTML or SVG file.
An issue in the loopback request handling component of fossar selfoss v2.20-SNAPSHOT allows attackers to execute arbitrary commands and obtain sensitive information via supplying a crafted HTTP request.
CVE-2026-50871 describes a vulnerability in the media archiving and export pipeline component of kanishka-linux Reminiscence v0.3.0 that allows attackers to execute arbitrary commands by supplying crafted input.

