CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.01)

CVE-2026-12202
Low

A vulnerability has been found in Intelliants Subrion CMS up to version 4.0.3. The issue affects some unknown functionality of the Blocks Endpoint component, where manipulation of the CSS class name leads to cross-site scripting.

CVE-2026-9062
Low

The Store Locator WordPress plugin before 1.6.9 does not validate a parameter before using it in a file path, allowing high-privileged users such as administrators to read arbitrary `.php` files from the server.

CVE-2026-9061
Low

The Store Locator WordPress plugin before version 1.6.9 does not sanitize and escape store logo metadata before storing it and outputting it on the admin page, allowing high-privileged users such as administrators to perform Stored Cross-Site Scripting attacks even when the `unfiltered_html` capability is disallowed.

CVE-2026-53837
Low

OpenClaw before version 2026.5.6 contains an improper access control vulnerability in Mattermost event handlers that fails to validate channel type metadata. Attackers can bypass intended DM policy decisions by sending crafted Mattermost events missing channel type information to process restricted content.

CVE-2026-53607
Low

ApostropheCMS is a Node.js content management system that has a vulnerability related to `prettyUrls` in versions up to 4.30.0. When this option is enabled, an attacker can exploit the `Host` header to send HTTP requests to any host on the private network.

CVE-2026-12130
Low

A security flaw has been discovered in CodeAstro Human Resource Management System 1.0, affecting an unknown part of the file /Projects/Add_Projects of the Projects Management Page component. Manipulation of the argument protitle results in cross site scripting.

CVE-2026-12129
Low

A vulnerability was identified in CodeAstro Human Resource Management System 1.0. The issue affects some unknown functionality of the file /dashboard/add_tod in the Dashboard Interface, where manipulation of the argument todo_data leads to cross-site scripting.

CVE-2026-53724
Low

Parse Server prior to versions 8.6.79 and 9.9.1-alpha.4 allowed bypassing the default file upload extension blocklist by appending a trailing dot to a filename. This enables attackers to upload files with dangerous MIME types, leading to potential XSS attacks.

CVE-2026-12065
Low

A vulnerability was identified in Groww Stock, Mutual Fund, Gold App on Android, affecting an unknown part of the WebView URL Handler component. The manipulation leads to improper authorization in the handler for custom URL scheme.

CVE-2026-48485
Low

Quest Bot is an open-source Discord bot that prior to version 1.1.6 did not suppress mentions when invoking the /warns command, potentially leading to mass pings of users.

CVE-2026-9269
Low

The Secure Copy Content Protection and Content Locking WordPress plugin before version 5.1.5 does not sanitize and escape some of its settings, which could allow high privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

CVE-2026-12032
Low

Inappropriate implementation in Passwords in Google Chrome on Android prior to version 149.0.7827.115 allowed a remote attacker who compromised the renderer process to bypass site isolation via a crafted HTML page.

CVE-2026-12017
Low

Inappropriate implementation in Extensions in Google Chrome prior to version 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page.

CVE-2026-53809
Low

OpenClaw before 2026.4.25 contains a policy bypass vulnerability in embedded runner policy. This allows attackers to compare provider aliases against aliases instead of canonical provider identities, potentially leading to unauthorized access to tools.

CVE-2026-47188
Low

Quest Bot is an open-source Discord bot that prior to version 1.0.5 did not suppress mentions in several moderation commands. The /unban and /unwarn commands still echoed user-controlled reason text in public bot messages, which could lead to mass pinging.

CVE-2026-47175
Low

Quest Bot is a modern Discord bot designed for moderation, utilities, and support. In versions prior to 1.0.4, several moderation commands echoed user-controlled reason text in public bot replies without disabling mention parsing.

CVE-2026-44489
Low

A vulnerability in Axios, an HTTP client, allows for the injection of malicious data into the Proxy-Authorization header if the proxy object is polluted. The issue exists in versions from 1.15.2 to before 1.16.0, where the setProxy() function does not check object properties.

CVE-2026-11956
Low

A vulnerability was identified in version 5.36.0 of the TwiN gatus component, concerning the setSessionCookie function in the security/oidc.go file. Manipulating this function can lead to sensitive cookies without the secure attribute.

CVE-2026-9694
Low

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2. Under certain conditions, an unauthenticated user could impersonate the GitLab Support Bot and inject arbitrary content via a specially crafted Service Desk email reply due to improper neutralization in email template processing.

CVE-2026-6976
Low

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2. Under certain conditions, an authenticated user with developer-role permissions could hide changes from merge request diff views due to improper input handling of file names.

PreviousPage 9 of 60Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS