CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-54833
High

The Enable CORS plugin versions up to 2.0.3 contain an unauthenticated backdoor that can be exploited by an unauthorized attacker.

CVE-2026-54832
High

The vulnerability in the Gutenverse Companion plugin version 2.5.0 and earlier allows unauthenticated attackers to bypass access controls. This flaw results from improper permission verification, enabling unauthorized operations without required authentication.

CVE-2026-54826
High

The SupportCandy plugin version 3.4.6 and earlier contains an Insecure Direct Object References (IDOR) vulnerability for subscribers. This allows unauthorized access to other users' data.

CVE-2026-54824
High

The Ads by WPQuads plugin version 3.0.3 and earlier allows unauthenticated attackers to access sensitive data. This vulnerability is due to missing access controls on data stored by the plugin.

CVE-2026-45257
High

A vulnerability in the KTLS receive path decrypts data in place, allowing a local unprivileged user who can read a file to overwrite its contents by sending it over a loopback connection with KTLS receive enabled.

CVE-2026-30041
High

An integer overflow in the PSD parser component of FastStone Image Viewer v8.3 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via supplying a crafted PSD file.

CVE-2025-68064
High

Local File Inclusion (LFI) vulnerability in Goya Core plugin versions prior to 1.0.9.4 allows a contributor to read arbitrary files on the server.

CVE-2025-68063
High

The Splash - Sport Club WordPress Theme for Basketball, Football, Hockey versions 4.4.3 and earlier contains a Local File Inclusion (LFI) vulnerability exploitable by contributors. This allows an attacker with contributor privileges to read sensitive files on the server.

CVE-2025-68052
High

The vulnerability allows an unauthenticated Cross-Site Request Forgery (CSRF) attack in Eagle Booking versions up to 1.3.4.3. An attacker can trick an administrator into performing unintended actions, such as changing settings or adding new users.

CVE-2026-57920
High

A vulnerability in Peplink InControl 2 up to version 2.14.2 before 2026-06-03 allows bypassing access-control rules for certain /rest/o/{orgId} endpoints by using a semicolon.

CVE-2026-57915
High

A vulnerability in Apache Kerby allows bypassing the Kerberos pre-authentication check by sending a PA-DATA with an unrecognized or unsupported type. An attacker can gain access without proper authentication.

CVE-2026-40711
High

An OS Command Injection vulnerability in Dell Container Storage Modules (csi-powerstore, csi-unity, csi-powerflex, csi-powermax version 2.16.0) allows a high-privileged attacker with remote access to execute arbitrary operating system commands.

CVE-2026-57918
High

A vulnerability in libnfs up to version 6.0.2 before commit 935b8db causes an integer underflow in the xid field in the READ_IOVEC function in lib/socket.c. The issue occurs when connecting to a crafted NFS server, where the expected PDU size exceeds the absolute PDU size from the xid/record-marker.

CVE-2026-57913
High

A vulnerability in Johnson & Johnson Audit Tracking Management System (ATMS) before April 21, 2026 allows unauthorized viewing of meeting minutes and transcripts.

CVE-2026-57912
High

The vulnerability in Johnson & Johnson Campus Recruiting before October 31, 2025 allows unauthorized viewing of data provided by recruited students and notes entered about students by interviewers.

CVE-2026-13325
High

A serious flaw was found in KubeVirt's migration proxy. When spec.configuration.migrations.disableTLS is set to true on the KubeVirt custom resource, the target virt-handler binds a plain TCP listener on all interfaces (0.0.0.0/::) on a random port with no authentication, peer allow-list, or handshake token. This listener proxies directly into the target virt-launcher's virtqemud control socket.

CVE-2025-7958
High

A Code Injection vulnerability in Trellix Network Security CM and NX allows a locally authenticated admin user to execute arbitrary code using the web interface and Alert artifact details.

CVE-2026-11702
High

The Bytes::Random::Secure::Tiny library for Perl (versions up to 1.011) shares internal PRNG state across forked processes. If an object is initialized before forking, all child processes produce identical random streams.

CVE-2026-11625
High

The vulnerability in the Bytes::Random::Secure library for Perl up to version 0.29 causes the internal state of the PRNG to be shared across forked processes. When an object is initialized before forking or the functional interface is used, child processes produce identical random streams.

CVE-2026-57877
High

An unauthenticated format string vulnerability exists in vlsvr in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by improper handling of externally controlled input during log message formatting in the login processing path. A remote attacker may exploit this vulnerability by sending crafted login data, potentially causing information disclosure, memory corruption, or a denial of service.

PreviousPage 47 of 3340Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS