CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-14754
High

A SQL injection vulnerability has been found in Hotel and Tourism Reservation 1.0 in the file /admin/add_room.php. Manipulating the arguments delete_image, edit, description, number, price, rooms, or type can lead to SQL injection. The attack can be launched remotely, and the exploit has been published.

CVE-2026-14753
High

A vulnerability was found in the Note Handler/Assignment Handler component of stumasy up to commit 327d1b0f, allowing authorization bypass via manipulation of the assignment_item_id argument in /PHP/objects/notes. The attack is remotely exploitable and the exploit is public.

CVE-2026-14752
Low

A security vulnerability has been detected in mjperpinosa stumasy up to version 327d1b0f2915ba79d7ef8ebb74553e987609d9be. It affects the add_definition function in application/PHP/objects/notes/add_into_dictionary.php, where manipulation of the reference argument leads to cross-site scripting. The attack can be launched remotely and the exploit has been publicly disclosed.

CVE-2026-14751
Medium

A SQL injection vulnerability was found in mjperpinosa stumasy up to commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be in the Notes_controller::search_scratch_data function. The attack can be performed remotely by manipulating the field_name argument. The exploit has been publicly released, increasing the risk of exploitation.

CVE-2026-14750
High

A SQL Injection vulnerability was discovered in mjperpinosa stumasy up to commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be, in the Notes_controller::accessing_dictionary_authorization function. The attack is remotely exploitable via the Password argument. The exploit has been publicly released, increasing the risk of attacks.

CVE-2026-59509
Critical

An unauthenticated improper input validation vulnerability exists in the POST /fetch_cve_data endpoint of cve-search. A remote attacker can manipulate request parameters to read arbitrary application MongoDB collections, including administrative usernames and password hashes.

CVE-2026-14749
High

A vulnerability was found in mjperpinosa stumasy up to version 327d1b0f2915ba79d7ef8ebb74553e987609d9be in the eval function of application/pages/imba_calculator/calculate.php. Manipulating the mathematical_sentence argument allows remote code injection. The exploit is publicly available and may be used.

CVE-2026-14748
Medium

A server-side request forgery (SSRF) vulnerability has been found in the mcp-wiki/wiki-summary component of AIAnytime Awesome-MCP-Server up to commit a884bb51bcd99e08e14fd712c749d55d9d9a13ab. The attack is performed by manipulating the url argument in mcp-wiki/src/mcp_wiki/server.py and can be initiated remotely. The exploit has been published, and the project has not responded to the issue report.

CVE-2026-14747
High

A SQL Injection vulnerability was found in Real State Services 1.0 in the /addprojectsale.php file. An attacker can remotely manipulate the amen argument, leading to SQL injection.

CVE-2026-14746
High

A SQL injection vulnerability has been detected in code-projects Real State Services 1.0 in the /addprojectrent.php file. An attacker can remotely manipulate the amen argument, leading to SQL injection. The exploit has been publicly disclosed.

CVE-2026-14745
High

A SQL injection vulnerability has been found in Real State Services 1.0 in the /single-list_rent.php file via the ID argument. The attack can be performed remotely and the exploit has been made public.

CVE-2026-14744
High

A SQL injection vulnerability has been discovered in code-projects Real State Services 1.0 in the file /normalHomeRent.php. An attacker can remotely manipulate the loc argument, leading to unauthorized database access. The exploit has been publicly released, increasing the risk of attacks.

CVE-2026-14743
High

A SQL injection vulnerability was found in Real State Services 1.0 in the file /normalHomeSale.php. An attacker can remotely manipulate the 'loc' argument, leading to SQL injection. The exploit is publicly available.

CVE-2026-14742
Low

A vulnerability was found in langgraph library from langchain-ai up to version 1.2.4 in the _freeze function of _cache.py, where the default_cache_key argument causes use of a weak hash function. The attack can be carried out remotely but is difficult to exploit.

CVE-2026-14738
Low

A weak hash function was found in the Vision Feature Cache component of exo-explore exo up to version 1.0.71, specifically in the _image_cache_key function. The vulnerability allows remote attacks but is difficult to exploit due to high complexity. A public exploit is available, and a fix is pending acceptance.

CVE-2026-14737
High

A SQL injection vulnerability was found in Hanwang e-Face General Management Platform 6.3.5.4 in the file /sysAuthStr/querySysAuthStr.do. An attacker can remotely manipulate the order argument, leading to SQL injection. The exploit is publicly available.

CVE-2026-14736
High

A vulnerability was found in Ruijie RG-UAC up to version 1.0-R1.8.2.p5 in the file user_auth_commit.php. An unknown function allows unrestricted file upload via manipulation of the upload_image argument. The attack can be carried out remotely and the exploit has been made public.

CVE-2026-14735
High

A SQL injection vulnerability has been found in Smart Parking System 1.0 in the file /parkings/parkings.php. An unknown function allows manipulation of the street, city, or status arguments, enabling remote SQL injection. The exploit has been publicly disclosed.

CVE-2026-14734
High

A SQL injection vulnerability has been found in SourceCodester Class and Exam Timetabling System 1.0 in the /edit_product.php file via the ID argument. The attack can be performed remotely and the exploit has been published.

CVE-2026-14733
High

A SQL injection vulnerability was found in SourceCodester Class and Exam Timetabling System 1.0 in the file /edit_coursea.php. An attacker can remotely manipulate the ID argument, leading to SQL injection. The exploit is publicly available.

PreviousPage 8 of 4511Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS