CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-47277
Medium

Runtipi versions 4.9.1 through 4.9.3 allow arbitrary file read through an unauthenticated endpoint, leading to exposure of local files from the Runtipi container. The issue arises from improper path checking for symbolic links in app store repositories.

CVE-2026-45436
Medium

There is a broken access control issue in WPBakery Page Builder versions up to 8.7.2 that may allow unauthorized users to access subscriber resources.

CVE-2026-44587
Medium

In the CarrierWave framework, versions prior to 2.2.7 and 3.1.3, the content_type_denylist check fails to properly handle regex metacharacters in string entries, leading to intended content types not being blocked. As a result, applications may be vulnerable to XSS attacks through uploading SVG files containing malicious JavaScript.

CVE-2026-42357
Medium

The Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access.

CVE-2026-41280
Medium

The Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects.

CVE-2026-40724
Medium

CP Client Portal (Pro) versions up to 5.6.2 have a vulnerability that allows unauthorized users to download arbitrary files.

CVE-2026-40723
Medium

Bricks Builder versions up to 2.1.4 contain a vulnerability in access control that may allow subscribers unauthorized access to resources.

CVE-2026-40722
Medium

A missing authorization vulnerability in Yoast SEO Premium allows exploiting incorrectly configured access control security levels.

CVE-2026-39595
Medium

W3 Total Cache versions up to 2.9.1 contain a broken access control vulnerability, potentially allowing unauthorized access to resources.

CVE-2026-39578
Medium

There is an unauthenticated PHP Object Injection vulnerability in Valiance <= 1.2 versions.

CVE-2026-39577
Medium

Playroom versions up to 1.4.1 are vulnerable to unauthenticated PHP object injection.

CVE-2026-39433
Medium

In WPAMS versions below 49.5.3, there is a vulnerability that allows subscribers to delete arbitrary content.

CVE-2026-2604
Medium

A flaw was found in evolution-data-server that allows for inconsistent comparison in the addressbook file backend. A Flatpak application with D-Bus access can craft a malicious URI containing directory traversal sequences, leading to the deletion of arbitrary files on the host filesystem.

CVE-2026-28587
Medium

In MmsSmsProvider of MmsSmsProvider.java, there is a possible way to retrieve sensitive information due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed.

CVE-2026-28576
Medium

In Contacts Provider, there is a possible way to access the contacts database due to SQL injection. This could lead to local information disclosure with no additional execution privileges needed.

CVE-2026-28575
Medium

In PackageInstaller.Session#transfer, there is a logic error that may lead to a memory exhaustion attack. This could result in local denial of service with no additional execution privileges needed.

CVE-2026-27870
Medium

A Cross-Site Scripting (XSS) vulnerability in the Regesta Smart HD-PLC device from Teldat allows an authenticated network attacker to inject arbitrary JavaScript via the 'Hostname' field in the configuration file. The script executes in the context of the /upgrade/query.php?cmd=p+3%3Bversion path.

CVE-2026-27869
Medium

A vulnerability in the Teldat Regesta Smart HD-PLC device allows an unauthenticated network attacker to perform a Slow Loris attack, causing Denial of Service (DoS) on the web interface. The issue affects firmware version TLDPH16D2 11.02.05.10.02.

CVE-2026-27868
Medium

A vulnerability in the Teldat Regesta Smart HD-PLC device allows an attacker with network access (no authentication required) to obtain privilege information by sending a Version request to the path /upgrade/query.php?cmd=p+3&3Bversion. This affects firmware version TLDPH16D2 11.02.05.10.02.

CVE-2026-27410
Medium

In Slimstat Analytics versions below 5.4.0, there is a vulnerability to unauthenticated deserialization of untrusted data.

PreviousPage 92 of 514Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS