CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-50869
Critical

Version 3.19.0 of Bludit contains a vulnerability in the api/plugin.php component that allows attackers to execute a directory traversal by supplying a crafted request.

CVE-2026-49952
Critical

Discuz! X5.0 versions from 20260320 to 20260501 contain an authentication bypass vulnerability that allows unauthenticated remote attackers to gain unauthorized access to database backup and restore functionality. By exploiting a shared cryptographic key, attackers can inject crafted payloads through the username parameter during login.

CVE-2026-48114
Critical

Metacat is data repository software that contains an unauthenticated SQL injection vulnerability in the /harvesterRegistration endpoint in versions 2.0.0 and above. Exploiting this vulnerability allows full read/write/execute access in the Metacat database context.

CVE-2026-45390
Critical

In OCaml-tar before version 3.4.0, a crafted archive with ../ path segments in its name allows escaping the current working directory. Although tar(1) rejects such extractions, ocaml-tar decompresses it anyway.

CVE-2026-45388
Critical

In OCaml-TLS before version 2.1.0, the client implementation does insufficient checks of the certificate provided by the server, allowing impersonation with certificates not meant for server authentication.

CVE-2026-39196
Critical

Version 0.54.0 of Datadog, Inc's Vector was found to contain a SQL injection vulnerability in the set_uri_query parameter of the KeyPartitioner::partition function. This vulnerability allows attackers to access sensitive database information via crafted SQL statements.

CVE-2026-39006
Critical

An issue in SNMP4J-Agent version 3.8.3 allows a remote attacker to execute arbitrary code via the snmp4jCfgStoragePath component.

CVE-2026-38812
Critical

RuoYi v4.8.2 is vulnerable to SQL Injection via the /tool/gen/createTable endpoint. The issue affects the code generation module and may allow an authenticated attacker with administrative privileges to access sensitive database information.

CVE-2026-38329
Critical

Bludit CMS before version 3.18.4 allows Remote Code Execution (RCE) via the API Plugin. The POST /api/files/{key} endpoint in bl-plugins/api/plugin.php fails to perform authorization checks and lacks file extension validation.

CVE-2026-38065
Critical

Tenda 5G03 version V05.03.02.04 (version 1.0) is vulnerable to command injection in the action_ims_on_with_apn function via the ims_apn parameter.

CVE-2026-38064
Critical

Tenda 5G03 version 5.03.02.04 (version 1.0) is vulnerable to command injection in the action_dial_call function via the dialNumber parameter.

CVE-2026-38063
Critical

Tenda 5G03 version 5.03.02.04 (version 1.0) is vulnerable to command injection in the action_radio_on_with_ia_apn function via the ia parameter.

CVE-2026-38062
Critical

Tenda 5G03 version V05.03.02.04 (version 1.0) is vulnerable to command injection in the action_set_rat_mode function via the ratMode parameter.

CVE-2026-38061
Critical

Tenda 5G03 version 5.03.02.04 (version 1.0) is vulnerable to command injection in the action_set_volume function via the volume parameter.

CVE-2026-38060
Critical

Tenda 5G03 version V05.03.02.04 (version 1.0) is vulnerable to command injection in the action_unlock_sim function via the pin parameter.

CVE-2026-36537
Critical

ThingsBoard v4.3.0.1 is vulnerable to an authentication bypass during the OAuth authorization code exchange. The application improperly trusts user-supplied identity data within the user parameter of the /login/oauth2/code/ endpoint.

CVE-2026-30121
Critical

Version 4.0.409 of the remotion-dev remotion library was found to contain an arbitrary file write vulnerability.

CVE-2026-30120
CriticalEPSS 52%

Version 4.0.409 of the remotion-dev remotion library has a vulnerability that allows for remote code execution (RCE).

CVE-2026-9862
CriticalEPSS 53%

Fortra's Core Privileged Access Manager (BoKS) contains an OS command injection vulnerability in the boks_autoregisterd service. A remote attacker with network access to the service may be able to cause commands to be executed with the privileges of the service during the autoregistration processing.

CVE-2026-52704
Critical

CVE-2026-52704 describes an improper control of code generation vulnerability in WooCommerce PDF Invoice Builder, allowing for remote code inclusion. This issue affects versions from n/a through 2.0.8.

PreviousPage 40 of 556Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS