CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
A vulnerability in the Trend Micro Apex One management console could allow a remote attacker to upload malicious code and execute commands on affected installations. This vulnerability affects a different executable than CVE-2025-71210.
A vulnerability in the Trend Micro Apex One management console could allow a remote attacker to upload malicious code and execute commands on affected installations.
The Divi Form Builder plugin for WordPress is vulnerable to privilege escalation in versions up to and including 5.1.2. This is due to the plugin accepting a user-controlled 'role' parameter from POST data during user registration without validating it against the form's configured default_user_role setting.
A vulnerability was found in the Linux kernel's ipv6_rpl_srh_rcv() function handling the RPL Source Routing Header (RFC 6554). During decompression and recompression of the SRH, the header may grow, and insufficient headroom checking leads to an out-of-bounds write.
A heap-based buffer overflow in the comm_rcv() function of the CNID daemon in Netatalk versions 2.0.0 through 4.4.2 allows a remote authenticated attacker to execute arbitrary code with escalated privileges or cause a denial of service.
The Avada Builder (fusion-builder) plugin for WordPress is vulnerable to unauthenticated remote code execution via PHP function injection in versions up to and including 3.15.2. This is due to passing attacker-controlled values directly to `call_user_func()` without allowlist validation.
A missing authentication vulnerability exists in the Altium 365 SearchService, allowing attackers to access search index operations without authentication. This vulnerability enables interaction with a target workspace's search index, potentially disclosing sensitive information.
LiteSpeed User-End cPanel Plugin before version 2.4.5 allows privilege escalation, possibly to root. Exploitation was detected in the wild in May 2026.
Crypt::SaltedHash versions through 0.09 for Perl generate insecure random values for salts. They use the built-in rand function, which is predictable and unsuitable for cryptography.
A potential vulnerability has been identified in HP Linux Imaging and Printing Software, involving an integer overflow in the hpcups processing path. This could allow privilege escalation or arbitrary code execution via crafted print data.
The Taiko AG1000-01A SMS Alert Gateway in versions 7.3 and 8 contains an authentication bypass vulnerability in the embedded web configuration interface, allowing unauthenticated attackers to access internal application pages without any session management or server-side authentication checks.
The Taiko AG1000-01A SMS Alert Gateway in versions Rev 7.3 and Rev 8 contains a hard-coded credential vulnerability in the embedded web configuration interface. Authentication is implemented entirely in client-side JavaScript, allowing attackers to recover administrative credentials.
A path traversal vulnerability exists in the Altium Enterprise Server Viewer StorageController due to improper handling of file path route parameters. An authenticated user can supply a URL-encoded absolute path, allowing arbitrary files to be read from the server filesystem.
A path traversal vulnerability exists in the Altium Enterprise Server ComparisonService due to missing filename sanitization in the Gerber file upload APIs. An authenticated workspace user can supply a crafted filename to write arbitrary files to any location on the server filesystem.
A SQL Injection vulnerability in Drupal core is caused by improper neutralization of special elements used in SQL commands. This affects versions from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, and from 11.3.0 before 11.3.10.
The vulnerability in WP Swings Gift Cards For WooCommerce Pro allows unrestricted upload of files with dangerous types, enabling the use of malicious files.
Frappe Learning Management System (LMS) versions 2.50.0 and below allowed users with course editing roles to upload SCORM ZIP packages, enabling file writes outside the intended directory. This issue has been resolved in version 2.50.1.
XWiki Platform versions from 15.10.6 to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 have a vulnerability that allows XAR import without authentication or authorization checks. This enables an unauthenticated attacker to create or update documents in the target wiki.
XWiki Platform versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 allow access to read configuration files via Path Traversal. This can be exploited by manipulating the resource parameter in the ssx and jsx endpoints.
A vulnerability in the access validation of internal REST APIs of Cisco Secure Workload allows an unauthenticated, remote attacker to access site resources with Site Admin privileges. This is due to insufficient validation and authentication when accessing REST API endpoints.

