CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-45898
Critical

In the Linux kernel RDMA/iwcm subsystem, a vulnerability causes workqueue list corruption. The issue stems from the incorrect assumption that queue_work() would not enqueue work if already pending, while each free list entry is unique. This leads to processing multiple entries in a single run, freeing and reusing them, resulting in list corruption and kernel panic.

CVE-2026-35090
Critical

In Slican telephone exchanges, it is possible to manage the control panel remotely. An unauthenticated attacker can connect to the modem via a telephone with a specific caller ID, allowing them to bypass admin authentication and gain full access to the service protocol and configuration panel.

CVE-2026-35087
Critical

Slican telephone exchanges allow administrative protocol authentication bypass. An attacker can bypass the need to enter login credentials by executing the appropriate command.

CVE-2026-42761
Critical

CVE-2026-42761 describes an improper neutralization of special elements used in SQL commands, allowing for Blind SQL Injection in the Active Products Tables for WooCommerce plugin in versions from n/a to 1.0.9.

CVE-2026-42758
Critical

CVE-2026-42758 describes an incorrect privilege assignment vulnerability in WebinarIgnition that allows privilege escalation. This issue affects WebinarIgnition from n/a through below 4.08.253.

CVE-2026-42757
Critical

CVE-2026-42757 describes an improper limitation of a pathname to a restricted directory, leading to a 'Path Traversal' vulnerability in the WebinarIgnition application. This issue affects versions from n/a to below 4.08.253.

CVE-2026-42756
Critical

The 'Path Traversal' vulnerability in Ludwig You QuickWebP has an improper limitation of a pathname to a restricted directory, allowing unauthorized access to files. This issue affects QuickWebP versions from n/a through 3.2.7.

CVE-2026-42755
Critical

CVE-2026-42755 describes an improper neutralization of special elements used in SQL commands, leading to a Blind SQL Injection vulnerability in RealMag777 TableOn versions from n/a to 1.0.5.1.

CVE-2026-42748
Critical

The vulnerability in WPify Woo Czech allows unrestricted upload of files with dangerous types, enabling the upload of a web shell to a web server. This issue affects WPify Woo Czech from n/a through 5.4.1.

CVE-2026-42747
Critical

CVE-2026-42747 describes an improper neutralization of special elements used in SQL commands, leading to a Blind SQL Injection vulnerability in Easy Form Builder. This issue affects versions from n/a through 4.0.6.

CVE-2026-42740
Critical

CVE-2026-42740 describes an improper neutralization of special elements used in SQL commands, leading to a Blind SQL Injection vulnerability in the Tainacan system. This issue affects Tainacan versions from n/a through 1.0.3.

CVE-2026-42731
Critical

CVE-2026-42731 describes an incorrect privilege assignment vulnerability in miniOrange OTP Verification that allows privilege escalation. This issue affects versions from n/a through 5.4.9 inclusive.

CVE-2026-42727
Critical

CVE-2026-42727 describes an improper neutralization of special elements used in SQL commands, allowing for Blind SQL Injection in the Active Products Tables for WooCommerce plugin in versions from n/a to 1.0.8.

CVE-2026-8054
Critical

In dotCMS Core versions 25.11.04-1 through 26.04.28-02, there is an SQL Injection vulnerability in the Publish Audit API endpoints, allowing remote unauthenticated attackers to read, modify, or destroy arbitrary database content.

CVE-2026-49002
Critical

Access control failure allows unauthorized users to access system data, including viewing and modifying configuration information.

CVE-2025-12686
Critical

W podatności CVE-2025-12686 występuje błąd przepełnienia bufora w AdminCenter systemu operacyjnego Synology BeeStation przed wersją 1.3.2-65648. Umożliwia on zdalnym atakującym wykonanie dowolnego kodu poprzez nieokreślone wektory.

CVE-2026-8760
Critical

The Login with OTP plugin for WordPress is vulnerable to authentication bypass in all versions up to and including 1.6. This is due to an incomplete fix for CVE-2024-11178, allowing attackers to brute-force the 6-digit OTP without a time limit.

CVE-2026-8450
CriticalEPSS 65%

A vulnerability in the HTTP::Daemon library for Perl before version 6.17 allows OS command injection via the send_file() function. The function opens its argument using Perl's 2-arg open(), which interprets magic prefixes like '| cmd' as a pipe to a subprocess, enabling arbitrary command execution.

CVE-2026-44985
Critical

Dozzle to narzędzie do podglądu logów w czasie rzeczywistym dla kontenerów Docker. W wersjach przed 10.5.2, mechanizm aktualizacji WebSocket dla punktów końcowych /exec i /attach akceptował żądania z dowolnego źródła, co prowadziło do możliwości przejęcia WebSocketów (CSWSH) przy użyciu ważnych ciasteczek JWT.

CVE-2026-44895
Critical

Serwer GitLab MCP pozwala agentowi AI na bezpośrednią komunikację z GitLabem. W wersjach przed 0.6.0 transport HTTP nie zawierał warstwy uwierzytelniającej oraz miał wildcard Access-Control-Allow-Origin: * w każdej odpowiedzi, co stwarzało poważne luki w zabezpieczeniach.

PreviousPage 60 of 554Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS