CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-7859
Medium

The Motors WordPress plugin before version 1.4.110 lacks proper authorization and CSRF checks on one of its AJAX actions, allowing unauthenticated attackers to modify arbitrary post metadata, such as the gallery, featured image, and product prices on WooCommerce sites.

CVE-2026-4110
Medium

The ultimate-woocommerce-auction-pro plugin for WordPress up to version 2.4.5 does not sanitize and escape a parameter before outputting it back on the page, leading to a Reflected Cross-Site Scripting vulnerability. This could be exploited against high privilege users such as admins.

CVE-2026-10530
Medium

The Pie Register WordPress plugin before version 3.8.4.10 does not use sufficiently random values when generating its account verification tokens, allowing unauthenticated attackers to predict a valid token and activate an account without access to the associated email inbox.

CVE-2026-11748
Medium

A vulnerability has been identified in centraldogma-server-auth-shiro versions prior to 0.84.0, where the SearchFirstActiveDirectoryRealm substitutes the login username into an LDAP search filter without neutralizing LDAP filter metacharacters.

CVE-2026-12822
Medium

In vulnerability CVE-2026-12822 in langflow-ai langflow up to version 1.9.3, a flaw was found in the Bundle URL Loader component. It allows code injection by a local attacker. The vendor did not respond to the disclosure.

CVE-2026-12821
Medium

A vulnerability CVE-2026-12821 was identified in FlowiseAI Flowise up to version 3.1.2, concerning an unknown function in the file packages/components/nodes/documentloaders/S3/S3.ts related to the S3 Document Loader component. Executing a manipulation can lead to path traversal.

CVE-2026-12815
MediumEPSS 63%

A vulnerability has been found in coollabsio coolify version 4.0.0, affecting an unknown function of the Image Name Handler component. Manipulation of this function leads to OS command injection.

CVE-2026-12814
MediumEPSS 64%

A flaw has been found in Comfast CF-WR631AX V3 up to version 2.7.0.8 affecting the system function of the file /cgi-bin/mbox-config?section=ping_config. Manipulation of the argument destination leads to remote OS command injection.

CVE-2026-12813
Medium

A vulnerability was detected in activepieces up to version 0.83.0, affecting the function handleUrlFile in the library packages/server/engine/src/lib/variables/processors/file.ts of the File URL Handler component. The manipulation results in server-side request forgery.

CVE-2026-12811
Medium

A weakness has been identified in kortix-ai suna up to version 0.8.38, affecting the function router.replace/router.push in the file apps/frontend/src/app/auth/page.tsx of the Auth Endpoint component. Manipulating the returnURL argument can lead to cross site scripting attacks.

CVE-2026-12810
MediumEPSS 63%

A security flaw has been discovered in Edimax BR-6478AC V2 version 1.23, affecting the function mp of the file /goform/mp. Manipulating the argument command results in command injection, which can be performed remotely.

CVE-2026-12809
MediumEPSS 63%

A vulnerability was identified in Edimax BR-6478AC V2 1.23, affecting the function wiz_5in1_redirect of the file /goform/wiz_5in1_redirect. Manipulation of the argument newpass leads to command injection.

CVE-2026-12808
MediumEPSS 64%

A vulnerability was identified in Edimax BR-6478AC V2 version 1.23 that affects the function stainfo in the file /goform/stainfo. Manipulation of the argument interface leads to command injection, which can be executed remotely.

CVE-2026-12807
MediumEPSS 64%

A vulnerability was found in Edimax BR-6478AC V2 1.23 affecting the setWAN function in the /goform/setWAN file. Manipulation of the pppUserName/pptpUserName/L2TPUserName arguments results in command injection.

CVE-2026-12805
Medium

A flaw has been found in OFFIS DCMTK up to version 3.7.0 in the function XMLNode::parseFile, which can lead to heap-based buffer overflow. The attack may be performed remotely.

CVE-2026-12804
Medium

A vulnerability was detected in lemonldap-ng up to version 2.23.0, affecting an unknown function in the library lemonldap-ng-portal/lib/Lemonldap/NG/Portal/CDC.pm. Manipulating the argument url results in an open redirect, which can be exploited remotely.

CVE-2026-56412
Medium

In libexpat before version 2.8.2, XML_TOK_DATA_CHARS is not considered in doCdataSection, leading to a lack of handler call depth tracking in cases of policy violation. This can result in a use-after-free error.

CVE-2026-56411
Medium

In libexpat before version 2.8.2, there is an integer overflow in the xmlwf function that can occur when processing NOTATION declarations in endDoctypeDecl.

CVE-2026-56410
Medium

In libexpat before version 2.8.2, there is an integer overflow in the resolveSystemId function, which may lead to unexpected application behavior.

CVE-2026-56409
Medium

In libexpat before version 2.8.2, there is an integer overflow for the output filename when the -d outputDir option is used.

PreviousPage 78 of 534Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS