CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
Version 3.19.0 of Bludit contains a vulnerability in the api/plugin.php component that allows attackers to execute a directory traversal by supplying a crafted request.
Discuz! X5.0 versions from 20260320 to 20260501 contain an authentication bypass vulnerability that allows unauthenticated remote attackers to gain unauthorized access to database backup and restore functionality. By exploiting a shared cryptographic key, attackers can inject crafted payloads through the username parameter during login.
Metacat is data repository software that contains an unauthenticated SQL injection vulnerability in the /harvesterRegistration endpoint in versions 2.0.0 and above. Exploiting this vulnerability allows full read/write/execute access in the Metacat database context.
In OCaml-tar before version 3.4.0, a crafted archive with ../ path segments in its name allows escaping the current working directory. Although tar(1) rejects such extractions, ocaml-tar decompresses it anyway.
In OCaml-TLS before version 2.1.0, the client implementation does insufficient checks of the certificate provided by the server, allowing impersonation with certificates not meant for server authentication.
Version 0.54.0 of Datadog, Inc's Vector was found to contain a SQL injection vulnerability in the set_uri_query parameter of the KeyPartitioner::partition function. This vulnerability allows attackers to access sensitive database information via crafted SQL statements.
An issue in SNMP4J-Agent version 3.8.3 allows a remote attacker to execute arbitrary code via the snmp4jCfgStoragePath component.
RuoYi v4.8.2 is vulnerable to SQL Injection via the /tool/gen/createTable endpoint. The issue affects the code generation module and may allow an authenticated attacker with administrative privileges to access sensitive database information.
Bludit CMS before version 3.18.4 allows Remote Code Execution (RCE) via the API Plugin. The POST /api/files/{key} endpoint in bl-plugins/api/plugin.php fails to perform authorization checks and lacks file extension validation.
Tenda 5G03 version V05.03.02.04 (version 1.0) is vulnerable to command injection in the action_ims_on_with_apn function via the ims_apn parameter.
Tenda 5G03 version 5.03.02.04 (version 1.0) is vulnerable to command injection in the action_dial_call function via the dialNumber parameter.
Tenda 5G03 version 5.03.02.04 (version 1.0) is vulnerable to command injection in the action_radio_on_with_ia_apn function via the ia parameter.
Tenda 5G03 version V05.03.02.04 (version 1.0) is vulnerable to command injection in the action_set_rat_mode function via the ratMode parameter.
Tenda 5G03 version 5.03.02.04 (version 1.0) is vulnerable to command injection in the action_set_volume function via the volume parameter.
Tenda 5G03 version V05.03.02.04 (version 1.0) is vulnerable to command injection in the action_unlock_sim function via the pin parameter.
ThingsBoard v4.3.0.1 is vulnerable to an authentication bypass during the OAuth authorization code exchange. The application improperly trusts user-supplied identity data within the user parameter of the /login/oauth2/code/ endpoint.
Version 4.0.409 of the remotion-dev remotion library was found to contain an arbitrary file write vulnerability.
Version 4.0.409 of the remotion-dev remotion library has a vulnerability that allows for remote code execution (RCE).
Fortra's Core Privileged Access Manager (BoKS) contains an OS command injection vulnerability in the boks_autoregisterd service. A remote attacker with network access to the service may be able to cause commands to be executed with the privileges of the service during the autoregistration processing.
CVE-2026-52704 describes an improper control of code generation vulnerability in WooCommerce PDF Invoice Builder, allowing for remote code inclusion. This issue affects versions from n/a through 2.0.8.

