CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
An Improper Input Validation vulnerability in UID Enterprise Agent allows a malicious actor with network access and low privileges to exploit it for Command Injection on the host device.
CVE-2026-47365 is an argument injection vulnerability in WordPress Toolkit before version 6.11.0, as used in cPanel and WHM. It allows remote authenticated users to bypass cross-tenant authorization and execute arbitrary wp-toolkit CLI commands as another account.
ClipBucket v5 is an open source video sharing platform that was vulnerable to blind SQL injection in the actions/progress_video.php endpoint prior to version 5.5.3 - #129. Unauthenticated users could exploit the ids parameter to execute SQL queries and exfiltrate sensitive data.
ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #140, the Remote Play feature allowed adding videos by importing an external URL, leading to arbitrary command execution due to improper URL handling.
The Hippoo Mobile App for WooCommerce has a vulnerability related to incorrect privilege assignment, allowing privilege escalation.
CVE-2026-42647 describes an improper neutralization of special elements used in SQL commands, leading to the possibility of Blind SQL Injection attacks in the Beardev JoomSport application.
The SQL Injection vulnerability in the Product Filter by WBW allows for Blind SQL Injection attacks. This issue affects versions from n/a through 3.1.2.
Inappropriate implementation in Headless in Google Chrome prior to version 149.0.7827.115 allowed a remote attacker who compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
Cloud Foundry UAA incorrectly treated XML encryption as a substitute for XML signatures in two SAML flows, potentially allowing unsigned assertions containing encrypted content to be accepted. This issue occurs when wantAssertionSigned is set to false.
Hermes WebUI before version 0.51.358 contains an improper access control vulnerability that allows unauthenticated remote attackers to hijack initial setup by submitting the _set_password parameter to the settings API endpoint without any network origin restriction.
In Duck Site before version 1.0.1, there is a vulnerability related to the deployment process that can be triggered by malicious code in a pull request. An attacker can exploit this flaw to deploy a malicious Docker image to production without merging the code.
Quest Bot is a modern Discord bot that prior to version 1.0.3 had a privileged deployment process. An attacker could exploit a pull request from the main branch, allowing the deployment of malicious code in a privileged context.
Idira Secrets Manager SaaS Edge versions prior to 1.8 exhibit improper access control within its internal authentication components. A remote, unauthenticated attacker could exploit this by submitting a specially crafted request, potentially leading to a bypass of identity verification.
A vulnerability in MariaDB Server allows execution of arbitrary shell commands embedded in the joiner node name when `wsrep_notify_cmd` is enabled. Affected versions range from 10.6.1 to 12.3.1.
The crypton-x509-validation Haskell library fails to enforce X.509 NameConstraints, allowing TLS clients to accept certificates whose Subject Alternative Names fall outside the issuing CA’s permitted subtrees.
A vulnerability in Rotaban by Başarsoft Information Technologies Inc. allows unrestricted upload of files with dangerous types, enabling the upload of a web shell to a web server.
CVE-2026-38581 is an SQL Injection vulnerability in damasac thaipalliative_lte through version 3.0 that allows remote attackers to execute arbitrary SQL commands via the idFormMain and id parameters in the ezform.php file.
The LimRAD NAC system by Limatek System Inc. has a vulnerability allowing unrestricted upload of files with dangerous types, enabling Remote Code Inclusion.
CVE-2026-11561 describes an improper neutralization of special elements used in expression language statements, allowing for code injection in Apinizer software by Soagen Informatics Technologies Software and Consulting Inc.
CVE-2026-4764 describes a Missing Authorization vulnerability in the playbook import functionality in Dialogflow CX on Google Cloud Platform. This allows an authenticated user with specific roles to escalate privileges and potentially take over a GCP project using a maliciously crafted playbook import.

