CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
The vulnerability in PACSgear MediaWriter 5.2.1 is due to missing authentication in the .NET Remoting TCP service on port 9000. An unauthenticated attacker can remotely read and write arbitrary files on the host filesystem and then exploit missing DLLs to achieve remote code execution as SYSTEM.
PACSgear PACS Scan 5.2.1 contains an unauthenticated remote code execution vulnerability that allows remote attackers to read and write arbitrary files by exploiting an exposed .NET Remoting TCP service on port 22222 via PGImageExchQueue.exe without any authentication requirement. Attackers can chain the arbitrary file write primitive with DLL hijacking in PGImageExchangeQueueSvc.exe, which loads missing DLLs such as CRYPTSP.DLL from the application directory, to achieve remote code execution as NT Authority\SYSTEM upon service restart.
Control Web Panel before version 0.9.8.1225 contains a blind SQL injection vulnerability that allows unauthenticated remote attackers to execute arbitrary SQL queries by submitting unsanitized input through the userRes POST parameter at the user endpoint. Attackers can exploit MySQL root privileges obtained via the injection to write arbitrary files using INTO DUMPFILE, enabling deployment of a PHP webshell to the web-accessible roundcube logs directory and achieving remote code execution as the cwpsvc account.
The NVIDIA AIStore framework contains a vulnerability that allows authentication bypass. Successful exploitation could lead to denial of service, privilege escalation, information disclosure, and data tampering.
A vulnerability in the command interface of NVIDIA ConnectX and BlueField allows a local user with virtual function (VF) access to cause an out-of-bounds write via crafted input. Successful exploitation may lead to arbitrary code execution on the device.
A vulnerability in the command interface of NVIDIA ConnectX and BlueField allows a local user with virtual function (VF) access to cause a write out of bounds via crafted input. Successful exploitation may lead to arbitrary code execution on the device.
A vulnerability in HTML::Gumbo for Perl before version 0.19 discloses heap memory via type confusion. The walk_tree function does not support the <template> element, treating it as a text node, causing strlen() to over-read the heap block.
A vulnerability in the Feast Feature Server's `/save-document` endpoint allows an unauthenticated remote attacker to write arbitrary JSON files to the server's filesystem. Although file location restrictions are attempted, they can be bypassed, enabling overwriting of critical application configurations or startup scripts.
The PrivateContent WordPress plugin contains an incorrect privilege assignment vulnerability that allows privilege escalation. This issue affects versions from n/a through 9.9.2.
The pretix-oppwa plugin insecurely concatenated the resourcePath parameter with the API URL, allowing an attacker to redirect requests to their own server and steal the Oppwa access token. The vulnerability is fixed by strictly validating API URLs.
A vulnerability in @fastify/middie versions 9.1.0 through 9.3.2 causes a mismatch in handling encoded slashes (%2F) between the middleware and Fastify's router. An attacker can bypass middleware used for authentication, authorization, rate limiting, or auditing by sending a crafted request with an encoded slash in the parameter position.
The SMS Alert plugin for WordPress up to version 3.9.5 allows unauthenticated attackers to take over administrator accounts by changing the email address and resetting the password. This vulnerability is exploitable only when OTP verification for password resets is enabled and the administrator has a phone number set.
A vulnerability in Control-M/Server communication allows an unauthenticated attacker to execute unauthorized commands due to insufficient input filtering. The issue affects versions 9.0.20.x through 9.0.21.200 and potentially earlier unsupported versions.
UltraVNC repeater up to version 1.8.2.2 contains a global buffer overflow in its embedded HTTP administration server. The functions wi_senderr() and wi_replyhdr() in repeater/webgui/webutils.c write the caller-supplied HTTP request URI into a fixed 1000-byte global buffer (hdrbuf) via unchecked sprintf calls. The HTTP receive buffer accepts URIs up to approximately 150 KB (WI_RXBUFSIZE = 153600), so an unauthenticated attacker who can reach the repeater HTTP port (default TCP 80) can overflow hdrbuf by at least 500 bytes with a single HTTP request containing a URI of 1500 bytes or longer, corrupting adjacent .bss-segment globals. The overflow occurs before any authentication check, making it reachable without credentials. A remote, unauthenticated attacker can achieve arbitrary code execution on the host running the repeater.
UltraVNC repeater up to version 1.8.2.2 initializes the HTTP administration server with a hardcoded default password. On first run, when settings2.txt is absent, it writes the password "adminadmi2" for the admin user. The Basic-auth handler lacks rate-limiting or lockout, allowing a remote attacker to easily gain full control of the repeater configuration.
The WP-BusinessDirectory plugin for WordPress up to version 4.0.1 contains an unauthenticated arbitrary file deletion vulnerability. Insufficient path validation in the remove() method of the JBusinessDirectoryControllerUpload class allows an attacker to manipulate the _filename parameter and delete critical server files.
Grav CMS before version 2.0.0-beta.2 contains multiple code-execution vulnerabilities. Three unsafe unserialize() calls in Scheduler\JobQueue, Framework\Cache\Adapter\FileCache, and Session deserialize untrusted data without class restrictions, enabling PHP object injection and, via a gadget chain, arbitrary code execution. Additionally, InstallCommand's git clone operation does not escape branch, url, and path parameters, allowing OS command injection during plugin/theme installation (requires admin access). A Twig security blocklist bypass (server-side template injection) is also present.
Storage Concentrator (SC & SCVM) contains a command injection vulnerability in the debug.pl script that is reachable without authentication. A remote attacker can submit a specially crafted HTTP request containing a malicious payload that is processed without adequate input sanitization, resulting in arbitrary command execution with root-level privileges.
A command injection vulnerability in the ms_service.pl service of Storage Concentrator (SC & SCVM) allows an unauthenticated remote attacker to execute arbitrary commands with root privileges by sending a specially crafted packet to the default TCP port 9000.
Flowise before version 3.1.0 (affected versions 3.0.13 and earlier) uses a weak hardcoded default secret ('flowise') for the express-session middleware when the EXPRESS_SESSION_SECRET environment variable is not set. Because this default secret is publicly visible in the source code, an attacker can forge valid signed session cookies to impersonate any user and bypass authentication.

