CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2025-71211
Critical

A vulnerability in the Trend Micro Apex One management console could allow a remote attacker to upload malicious code and execute commands on affected installations. This vulnerability affects a different executable than CVE-2025-71210.

CVE-2025-71210
Critical

A vulnerability in the Trend Micro Apex One management console could allow a remote attacker to upload malicious code and execute commands on affected installations.

CVE-2026-5118
Critical

The Divi Form Builder plugin for WordPress is vulnerable to privilege escalation in versions up to and including 5.1.2. This is due to the plugin accepting a user-controlled 'role' parameter from POST data during user registration without validating it against the form's configured default_user_role setting.

CVE-2026-43501
Critical

A vulnerability was found in the Linux kernel's ipv6_rpl_srh_rcv() function handling the RPL Source Routing Header (RFC 6554). During decompression and recompression of the SRH, the header may grow, and insufficient headroom checking leads to an out-of-bounds write.

CVE-2026-44050
Critical

A heap-based buffer overflow in the comm_rcv() function of the CNID daemon in Netatalk versions 2.0.0 through 4.4.2 allows a remote authenticated attacker to execute arbitrary code with escalated privileges or cause a denial of service.

CVE-2026-6279
Critical

The Avada Builder (fusion-builder) plugin for WordPress is vulnerable to unauthenticated remote code execution via PHP function injection in versions up to and including 3.15.2. This is due to passing attacker-controlled values directly to `call_user_func()` without allowlist validation.

CVE-2026-9152
Critical

A missing authentication vulnerability exists in the Altium 365 SearchService, allowing attackers to access search index operations without authentication. This vulnerability enables interaction with a target workspace's search index, potentially disclosing sensitive information.

CVE-2026-48172
Critical

LiteSpeed User-End cPanel Plugin before version 2.4.5 allows privilege escalation, possibly to root. Exploitation was detected in the wild in May 2026.

CVE-2026-47372
Critical

Crypt::SaltedHash versions through 0.09 for Perl generate insecure random values for salts. They use the built-in rand function, which is predictable and unsuitable for cryptography.

CVE-2026-8631
CriticalEPSS 68%

A potential vulnerability has been identified in HP Linux Imaging and Printing Software, involving an integer overflow in the hpcups processing path. This could allow privilege escalation or arbitrary code execution via crafted print data.

CVE-2026-9141
Critical

The Taiko AG1000-01A SMS Alert Gateway in versions 7.3 and 8 contains an authentication bypass vulnerability in the embedded web configuration interface, allowing unauthenticated attackers to access internal application pages without any session management or server-side authentication checks.

CVE-2026-9139
Critical

The Taiko AG1000-01A SMS Alert Gateway in versions Rev 7.3 and Rev 8 contains a hard-coded credential vulnerability in the embedded web configuration interface. Authentication is implemented entirely in client-side JavaScript, allowing attackers to recover administrative credentials.

CVE-2026-9129
Critical

A path traversal vulnerability exists in the Altium Enterprise Server Viewer StorageController due to improper handling of file path route parameters. An authenticated user can supply a URL-encoded absolute path, allowing arbitrary files to be read from the server filesystem.

CVE-2026-9102
Critical

A path traversal vulnerability exists in the Altium Enterprise Server ComparisonService due to missing filename sanitization in the Gerber file upload APIs. An authenticated workspace user can supply a crafted filename to write arbitrary files to any location on the server filesystem.

CVE-2026-9082
Critical

A SQL Injection vulnerability in Drupal core is caused by improper neutralization of special elements used in SQL commands. This affects versions from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, and from 11.3.0 before 11.3.10.

CVE-2026-45444
Critical

The vulnerability in WP Swings Gift Cards For WooCommerce Pro allows unrestricted upload of files with dangerous types, enabling the use of malicious files.

CVE-2026-39405
Critical

Frappe Learning Management System (LMS) versions 2.50.0 and below allowed users with course editing roles to upload SCORM ZIP packages, enabling file writes outside the intended directory. This issue has been resolved in version 2.50.1.

CVE-2026-33137
Critical

XWiki Platform versions from 15.10.6 to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 have a vulnerability that allows XAR import without authentication or authorization checks. This enables an unauthenticated attacker to create or update documents in the target wiki.

CVE-2026-23734
Critical

XWiki Platform versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 allow access to read configuration files via Path Traversal. This can be exploited by manipulating the resource parameter in the ssx and jsx endpoints.

CVE-2026-20223
CriticalEPSS 55%

A vulnerability in the access validation of internal REST APIs of Cisco Secure Workload allows an unauthenticated, remote attacker to access site resources with Site Admin privileges. This is due to insufficient validation and authentication when accessing REST API endpoints.

PreviousPage 69 of 558Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS