CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-8598
Critical

An undocumented configuration export port is accessible on some models of ZKTeco CCTV cameras. This port does not require authentication and exposes critical information about the camera such as open services and camera account credentials.

CVE-2026-8467
Critical

CVE-2026-8467 allows unauthenticated remote code execution in the phenixdigital phoenix_storybook application due to unsanitized attribute value interpolation in HEEx template generation.

CVE-2026-22314
Critical

CVE-2026-22314 describes an improper control of code generation vulnerability that allows code execution on other users' systems in the Mesalvo Meona Client Launcher and Meona Server components.

CVE-2026-33278
CriticalEPSS 66%

In Unbound 1.19.1 up to 1.25.0, a vulnerability in the DNSSEC validator allows denial of service and potential remote code execution. The bug occurs due to improper deep copying of a data structure, overwriting the destination pointer with the source pointer. After sub-query memory is freed, the resumed validator dereferences a dangling pointer, causing a crash or potentially enabling arbitrary code execution.

CVE-2026-9065
Critical

SureCart versions prior to 4.2.1 are vulnerable to authenticated SQL injection via multiple parameters on the REST API endpoint '/surecart/v1/integrations/{id}'. The issue stems from a flawed escaping bypass in the query builder.

CVE-2026-9059
Critical

NextGEN Gallery versions prior to 4.2.1 are vulnerable to authenticated SQL injection via the 'orderby' parameter on the REST API endpoints '/imagely/v1/galleries' and '/imagely/v1/albums'. The issue stems from an insufficient sanitization function in the data mapper layer.

CVE-2026-7637
Critical

The Boost plugin for WordPress is vulnerable to PHP Object Injection in versions up to and including 2.0.3 via deserialization of untrusted input in the STYXKEY-BOOST_USER_LOCATION cookie. This allows unauthenticated attackers to inject a PHP Object.

CVE-2026-24207
Critical

NVIDIA Triton Inference Server contains a vulnerability that allows an attacker to bypass authentication. A successful exploit may lead to code execution, privilege escalation, data tampering, denial of service, or information disclosure.

CVE-2026-7284
Critical

The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to privilege escalation via user registration in all versions up to and including 1.4.4. The 'easyel_handle_register' function does not restrict user roles, allowing unauthenticated attackers to assign the 'administrator' role during registration.

CVE-2026-6555
CriticalEPSS 58%

The ProSolution WP Client plugin for WordPress is vulnerable to Arbitrary File Upload in versions up to and including 2.0.0. This is due to an array validation mismatch where only the first file in the upload array undergoes extension and MIME type validation, while all files are processed and uploaded to a web-accessible directory.

CVE-2026-8495
Critical

A missing authorization vulnerability in Drupal Date iCal allows for forceful browsing.

CVE-2026-34234
Critical

CtrlPanel is open-source billing software for hosting providers, which in versions 1.1.1 and prior is vulnerable to unauthenticated Remote Code Execution (RCE) due to improper install.lock checking. This allows an attacker to execute arbitrary commands on the server.

CVE-2026-33642
Critical

In versions 0.46.2 and below, the handle_compose_command() function in kitty/graphics.c performs bounds validation on composition offsets, potentially leading to Heap Buffer Over-Read/Write. An attacker can exploit this by supplying crafted x_offset/y_offset values that pass the bounds check after wrapping but cause massive out-of-bounds heap memory access.

CVE-2026-8605
Critical

In ScadaBR version 1.2.0, a Use of Hard-Coded Credentials vulnerability could allow an attacker to access the SCADA system as admin.

CVE-2026-8603
Critical

In ScadaBR version 1.2.0, an OS Command Injection vulnerability could allow an attacker to execute commands as root on the SCADA system.

CVE-2026-8602
Critical

In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated attacker to send HTTP GET requests to the SCADA system and inject arbitrary sensor readings.

CVE-2026-36829
Critical

CVE-2026-36829 describes an authentication bypass vulnerability in the embedded HTTP server of the Panabit PAP-XM320 device up to and including version 7.7. The server validates session cookies based on a user-controlled value, allowing for directory traversal and bypassing authentication.

CVE-2026-37281
Critical

CVE-2026-37281 describes an OS command injection vulnerability in the /stream-to-vlc Express route in hitarth-gg Zenshin before version 2.7.0, allowing remote attackers to execute arbitrary commands via the url parameter.

CVE-2026-31072
CriticalEPSS 52%

The vulnerability in APScheduler allows Remote Code Execution (RCE) via insecure deserialization in JSONSerializer and CBORSerializer classes. The unmarshal_object function enables arbitrary class instantiation and state injection by dynamically importing modules and calling __setstate__ on any class available in the Python environment.

CVE-2026-31071
Critical

The API endpoints in LalanaChami Pharmacy Management System (commit 5c3d028) lack authentication middleware. This allows unauthenticated remote attackers to leak all user records and modify drug inventory.

PreviousPage 70 of 558Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS