CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
The WordPress Plugin WP Super Edit version 2.5.4 and earlier contains an unrestricted file upload vulnerability in the FCKeditor component, allowing attackers to upload dangerous file types without validation.
A vulnerability in Traefik allows a user with HTTPRoute creation permissions in the Kubernetes Gateway API provider to bypass the providers.rest.insecure=false setting and access the REST provider handler. By referencing a TraefikService backend whose name ends with @internal, traffic can be routed to rest@internal, enabling unauthorized reconfiguration of routers and services in shared Gateway deployments.
The MCP Calculate Server, based on the MCP protocol and SymPy library, prior to version 0.1.1, used eval() to evaluate mathematical expressions without proper input sanitization, leading to remote code execution.
LibJWT is a C library for handling JSON Web Tokens. From versions 3.0.0 to 3.3.2, libjwt accepts an RSA JWK without the alg parameter as the verification key for HS256/HS384/HS512 tokens, allowing an attacker to forge a valid JWT without knowing any secret or RSA private key.
In Magento Long Term Support (LTS) versions prior to 20.18.0, the XML-RPC / SOAP API session ID is generated using an outdated time-based method, leading to low entropy levels. This violates OWASP ASVS and NIST standards, allowing attackers to perform brute-force attacks on active API sessions.
In OpenMRS, from version 2.7.0 to before 2.7.9 and 2.8.6, the ConceptReferenceRangeUtility.evaluateCriteria() method evaluates database-stored criteria as Apache Velocity templates without proper sandbox configuration. This allows unrestricted Java reflection through template expressions.
Turborepo, a build system for JavaScript and TypeScript codebases, is vulnerable to arbitrary code execution in versions from 1.1.0 to before 2.9.14 when run in untrusted repositories containing malicious Yarn configuration. Package manager detection executes yarn --version, which could lead to loading and executing code from .yarnrc.yml controlled by an attacker.
CVE-2026-2031 describes an improper access control vulnerability in several internal API endpoints for Google Cloud Application Integration prior to January 23, 2026. This allows a remote, unauthenticated attacker to disclose sensitive information and execute arbitrary code using specially crafted HTTP requests.
The diagram's export module is vulnerable to Path Traversal in the src attribute due to lack of HTML sanitization. An unauthenticated user could craft an HTML payload that could include local files from the server and display them in the generated PDF.
The PDF Export Module used in DHTMLX's Gantt and Scheduler products is vulnerable to Remote Code Execution due to lack of 'data' parameter sanitization. An unauthenticated attacker can inject malicious JavaScript code that is processed by Node.js and subsequently executed on the server.
A supply chain attack compromised the official installation packages of DAEMON Tools Lite in versions 12.5.0.2421 to 12.5.0.2434, distributed from the legitimate website daemon-tools.cc between April 8, 2026, and May 5, 2026. Attackers gained unauthorized access to the vendor's build or distribution infrastructure and trojanized three binaries.
The Form Notify plugin for WordPress is vulnerable to Authentication Bypass in versions up to 1.1.10. The issue arises from the plugin trusting user-controlled cookie data, allowing unauthenticated access to user accounts.
Unrestricted IP address binding in the AMD Device Metrics Exporter (ROCm ecosystem) could allow a remote attacker to perform unauthorized changes to the GPU configuration, potentially resulting in loss of availability.
HRConvert2 prior to version 3.3.8 has a vulnerability in the sanitizeString() function that does not remove backtick (`) and tab ( ) characters. As a result, user input can reach shell_exec(), allowing commands within filenames to be executed.
In PrestaShop, prior to versions 8.2.6 and 9.1.1, there is a Cross-Site Scripting (XSS) vulnerability in the back-office Customer Service view. An unauthenticated attacker can submit a malicious email address through the Contact Us form, leading to session hijacking and full back-office takeover.
Crabbox prior to v0.12.0 contains an environment variable exposure vulnerability that allows attackers with access to a malicious or compromised repository to forward local secrets such as API tokens, cloud credentials, and broker tokens into the remote command environment.
Use after free in Mojo in Google Chrome prior to version 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.
Use after free in UI in Google Chrome prior to version 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.
In Fleet software, prior to version 4.81.0, a vulnerability in the installation process could allow arbitrary commands to be executed as root (macOS/Linux) or SYSTEM (Windows) on managed endpoints when an uninstall is triggered. A specially crafted software package could lead to unintended command execution.
SiYuan is a knowledge management system that prior to version 3.7.0 did not properly HTML escape names and versions in plugin.json files. As a result, malicious HTML could be executed in the user interface when a user opened the marketplace tab.

