CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
The CheckView Automated Testing plugin version 2.1.0 and earlier contains a vulnerability allowing unauthenticated attackers to bypass access controls. This flaw enables unauthorized access to testing features without authentication.
Missing Authorization in Royal Plugins Royal MCP allows exploiting incorrectly configured access control security levels. This issue affects Royal MCP from n/a through 1.4.25.
Versions of Vitepos up to 3.4.2 have a vulnerability that allows unauthorized access to sensitive data.
Versions of WC Vendors Marketplace up to 2.6.8 are vulnerable to SQL Injection attacks by subscribers.
The Five Star Restaurant Reservations plugin version 2.7.19 and earlier contains a vulnerability allowing unauthenticated attackers to bypass access controls. This flaw enables unauthorized access to reservation functions without required authentication.
CVE-2026-54829 describes an improper neutralization of special elements used in SQL commands, leading to a Blind SQL Injection vulnerability in the WP Photo Album Plus plugin.
Motors versions up to 1.4.109 have a vulnerability in access control that allows unauthorized access.
Subscriber SQL Injection vulnerability in SALESmanago and Leadoo versions up to 3.11.2 allows unauthorized access to the database through malicious SQL query injection.
The vulnerability in the Visual Link Preview plugin versions up to 2.3.1 allows sensitive subscriber data exposure. An attacker can access information that should be protected.
Dell Wyse Management Suite versions prior to WMS 5.5 HF1 contain a Path Traversal vulnerability. A high privileged attacker with remote access could exploit this to achieve Remote Code Execution.
In EmberZNet v9.0.2 and earlier, malformed ClearWeekdaySchedule messages can trigger out-of-bounds writes into Door Lock schedule state. Only devices that have already joined the network and support the Door Lock cluster may be impacted.
In EmberZNet v9.0.2 and earlier, malformed IAS Zone enrollment messages can trigger an out-of-bounds state-table write and terminate the process. The size and location of this write is limited.
In EmberZNet v9.0.2 and earlier, malformed OTA requests can drive the OTA server parser into out-of-bounds reads. A limited amount of data from RAM is read back to the requester.
The vulnerability in Dell Display and Peripheral Manager (DDPM) for macOS prior to version 2.3 is due to improper certificate validation. It allows a local attacker with low privileges to bypass protection mechanisms.
Dell Display and Peripheral Manager (DDPM) for Windows versions prior to 2.3 contain an Improper Access Control vulnerability. A low privileged attacker with local access could exploit this vulnerability to execute arbitrary code.
Incorrect use of the PUF key for user key generation in EFR32xG27 results in predictable keys.
The MainWP Child plugin versions up to 6.1.1 contain a vulnerability allowing unauthenticated attackers to bypass access controls. This flaw enables unauthorized operations on the site without requiring authentication.
A malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to cache poisoning.
A vulnerability in Apache Shiro with the shiro-guice module in a web servlet context may lead to authentication bypass through a specially crafted HTTP request. This affects all Apache Shiro versions up to 2.x and 3.0.0-alpha-1 when using the shiro-guice module.
A vulnerability was found in the Linux kernel's KVM for ARM64, where page table walk functions for fault injection and AT emulation did not hold the SRCU lock. This could lead to a race condition with memslot changes, potentially destabilizing virtual machines.

