CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
There is a broken access control issue in MetForm Pro versions up to 3.9.1 that may allow unauthorized subscribers to access resources.
There is a broken access control issue in WishList Member X versions up to 3.29.0 that may allow unauthorized access to subscribers.
A flaw was found in vLLM due to improper handling of image metadata, including EXIF orientation and PNG transparency (tRNS) data. During conversion to RGB, transparency information may be discarded or remapped, causing distortion of input content. This can lead to misinterpretation of images by the model.
In Google Chrome on Android prior to version 149.0.7827.155, there was an uninitialized use in GPU that allowed a remote attacker to leak cross-origin data via a crafted HTML page.
Inappropriate implementation in Views in Google Chrome on Linux prior to version 149.0.7827.155 allowed a remote attacker who compromised the renderer process to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page.
An out of bounds read in WebRTC in Google Chrome on Windows prior to version 149.0.7827.155 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
Insufficient policy enforcement in File System Access in Google Chrome prior to version 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted PDF file.
Inappropriate implementation in Serial in Google Chrome prior to version 149.0.7827.155 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page.
Inappropriate implementation in Extensions in Google Chrome prior to version 149.0.7827.155 allowed a remote attacker who compromised the renderer process to bypass site isolation via a crafted HTML page.
Inappropriate implementation in Extensions in Google Chrome prior to version 149.0.7827.155 allowed an attacker who convinced a user to install a malicious extension to bypass same origin policy via a crafted Chrome Extension.
Insufficient validation of untrusted input in Google Chrome prior to version 149.0.7827.155 allowed a remote attacker who compromised the renderer process to bypass same origin policy via a crafted HTML page.
Inappropriate implementation in Media in Google Chrome prior to version 149.0.7827.155 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
Inappropriate implementation in Passwords in Google Chrome prior to version 149.0.7827.155 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
An out of bounds read in Chromoting in Google Chrome on Windows prior to version 149.0.7827.155 allowed a local attacker to obtain potentially sensitive information from process memory via a malicious file.
The Counter Box – Add Countdowns, Timers & Dynamic Counters plugin for WordPress is vulnerable to PHP Object Injection in versions up to and including 2.0.13 via deserialization of untrusted input. This allows authenticated attackers with administrator-level access to inject a PHP Object.
In SimplCommerce prior to commit 6142d3b5, there is a stored XSS vulnerability in NewsItemApiController. This allows an authenticated administrator to execute arbitrary JavaScript via the ShortContent and FullContent fields, which are stored without HTML sanitization.
An open redirection vulnerability in the authentication system allows an attacker to manipulate values in the X-Forwarded-Host header, potentially altering URLs generated by the application.
Open redirection vulnerability due to insufficient validation of the X-Forwarded-Host HTTP header. An attacker could create manipulated links that, when opened by a victim, cause the victim to be redirected to domains controlled by the attacker.
Improper handling of HTTP headers allows a remote attacker to manipulate the value of the Host header using specially crafted requests. A successful exploit could result in the generation of manipulated links or responses.
There is a possible persistent denial of service due to resource exhaustion in multiple places. This could lead to local denial of service with no additional execution privileges needed.

