
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 14,262
Critical: 855
High: 2,812
Medium: 10,399
Showing 2101-2120 of 14262 records
Threat Entry Updated 2026-01-08

CVE-2026-21448 - Bagisto Plugin

Bagisto is an open source Laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection: a normal customer placing an order can, in the `add address` step, submit a value that is later evaluated as template code when the admin view renders it. The issue can lead to remote code execution. Version 2.3.10 contains a patch.

PLUGIN Bagisto

CVE-2026-21448

HIGH CVSS 8.9 2026-01-02
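The pattern behind this entry, as an added example that is not Bagisto's code: user data is concatenated into a template string and then handed to a template engine, so the engine treats the data as code. Python's `str.format` is used as a stand-in for the template engine; `Order`, the admin view functions and the secret being leaked are all constructed for the demonstration.

```python
"""Server-side template injection: untrusted data reaches the template
engine as part of the template instead of as an argument.
Added example; not Bagisto's code. Order, the two render functions and
SECRET_DB_PASSWORD are hypothetical."""


class Order:
    def __init__(self, number, customer_address):
        self.number = number
        self.customer_address = customer_address   # attacker-controlled


SECRET_DB_PASSWORD = "s3cr3t-constructed"   # constructed secret that an SSTI can reach


def render_admin_view_vulnerable(order):
    # BUG: the address is spliced into the template string, so any
    # {...} expression the customer typed is evaluated by .format().
    template = "Order #{order.number} ships to: " + order.customer_address
    return template.format(order=order)


def render_admin_view_fixed(order):
    # The template is a constant. User data only ever arrives through the
    # argument list, where .format() treats it as an opaque value.
    template = "Order #{order.number} ships to: {address}"
    return template.format(order=order, address=order.customer_address)


def demo():
    # Attribute/index traversal from the one object the template exposes
    # up to the module globals, where the secret lives.
    payload = "{order.__init__.__globals__[SECRET_DB_PASSWORD]}"
    order = Order(1001, payload)
    leaked = render_admin_view_vulnerable(order)
    safe = render_admin_view_fixed(order)
    return leaked, safe


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The fixed version also removes a denial-of-service angle: in the vulnerable one a stray `}` in the address makes `.format()` raise. The same rule holds for Blade, Twig or Jinja: render a fixed template with the data passed as context, never render a string that contains the data.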
Threat Entry Updated 2026-01-08

CVE-2026-21447 - Bagisto Plugin

Bagisto is an open source Laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference (IDOR) vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by manipulating the order ID parameter. This exposes sensitive purchase information and enables potential fraud. Version 2.3.10 patches the issue.

PLUGIN Bagisto

CVE-2026-21447

HIGH CVSS 7.1 2026-01-02
Threat Entry Updated 2026-01-08

CVE-2026-21446 - Bagisto Plugin

Bagisto is an open source Laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, the installer's API routes remain active even after initial installation is complete. The underlying API endpoints (`/install/api/*`) are directly accessible without any authentication. An attacker can bypass the web installer entirely by calling these endpoints directly, which allows any unauthenticated attacker to create admin accounts, modify application configuration, and potentially overwrite existing data. Version 2.3.10 fixes the issue.

PLUGIN Bagisto

CVE-2026-21446

HIGH CVSS 8.8 2026-01-02
Threat Entry Updated 2026-01-16

CVE-2026-21445 - Langflow Plugin

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0.dev45, multiple critical API endpoints in Langflow are missing authentication controls. The issue allows any unauthenticated user to access sensitive user conversation data, transaction histories, and perform destructive operations including message deletion. This affects endpoints handling personal data and system operations that should require proper authorization. Version 1.7.0.dev45 contains a patch.

PLUGIN Langflow

CVE-2026-21445

HIGH CVSS 8.8 2026-01-02
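The three Bagisto and Langflow entries above are three distinct access-control failures: an installer API that keeps answering after setup (CVE-2026-21446), endpoints that never establish who the caller is (CVE-2026-21445), and an object reference that is checked for existence but not ownership (CVE-2026-21447). The following is an added example, not code from either project; the `App` state, handlers and status codes are a constructed stand-in that shows each failure beside its check.

```python
"""Three access-control failures and their fixes in one hypothetical
request layer. Added example; not Bagisto's or Langflow's code.
App, Order, the handlers and the status codes are constructed."""
from dataclasses import dataclass, field


@dataclass
class Order:
    order_id: int
    customer_id: int
    items: list


@dataclass
class App:
    installed: bool = False
    orders: dict = field(default_factory=dict)   # order_id -> Order
    carts: dict = field(default_factory=dict)    # customer_id -> [items]
    admins: set = field(default_factory=set)


class HttpError(Exception):
    def __init__(self, status):
        super().__init__(status)
        self.status = status


# --- vulnerable handlers ---------------------------------------------------

def install_create_admin_vuln(app, username):
    # never asks whether setup already finished: anyone can mint an admin
    app.admins.add(username)
    return 200


def reorder_vuln(app, user_id, order_id):
    order = app.orders.get(order_id)
    if order is None:
        raise HttpError(404)
    # existence is checked, ownership is not: IDOR
    app.carts.setdefault(user_id, []).extend(order.items)
    return 200


# --- hardened handlers -----------------------------------------------------

def require_user(user_id):
    if user_id is None:
        raise HttpError(401)      # authentication comes before any logic
    return user_id


def install_create_admin(app, username):
    if app.installed:
        raise HttpError(404)      # installer routes are dead once setup is done
    app.admins.add(username)
    app.installed = True          # constructed rule: first admin ends setup
    return 200


def reorder(app, user_id, order_id):
    user_id = require_user(user_id)
    order = app.orders.get(order_id)
    # one 404 for "missing" and "not yours": do not confirm other IDs exist
    if order is None or order.customer_id != user_id:
        raise HttpError(404)
    app.carts.setdefault(user_id, []).extend(order.items)
    return 200


def delete_messages(app, user_id, target_user_id):
    user_id = require_user(user_id)
    if user_id != target_user_id and user_id not in app.admins:
        raise HttpError(403)      # authorised for own data only
    return 200


def status_of(fn, *args):
    try:
        return fn(*args)
    except HttpError as e:
        return e.status


def demo():
    app = App(installed=True)     # setup "finished", installer still answers
    app.orders[7] = Order(7, customer_id=1, items=["sku-A"])
    results = {
        "vuln_install_after_setup": status_of(install_create_admin_vuln, app, "evil"),
        "vuln_reorder_other_user": status_of(reorder_vuln, app, 2, 7),
        "vuln_victim_items_in_attacker_cart": app.carts.get(2) == ["sku-A"],
    }
    app = App()                   # hardened app from a fresh install
    app.orders[7] = Order(7, customer_id=1, items=["sku-A"])
    results.update({
        "install_first": status_of(install_create_admin, app, "owner"),
        "install_again": status_of(install_create_admin, app, "evil"),
        "evil_is_admin": "evil" in app.admins,
        "reorder_anon": status_of(reorder, app, None, 7),
        "reorder_other": status_of(reorder, app, 2, 7),
        "reorder_owner": status_of(reorder, app, 1, 7),
        "delete_other_users_messages": status_of(delete_messages, app, 2, 1),
        "delete_own_messages": status_of(delete_messages, app, 2, 2),
    })
    return results
```

The ownership check returns the same 404 as a missing order so that an attacker enumerating IDs learns nothing; the installer check is a hard state flag rather than "is the install page hidden", which is what the bypass in CVE-2026-21446 exploits.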
Threat Entry Updated 2026-02-05

CVE-2026-0571 - Warehouse Plugin

A security flaw has been discovered in yeqifu warehouse up to commit aaf29962ba407d22d991781de28796ee7b4670e4. Affected is the function createResponseEntity in the file warehouse\src\main\java\com\yeqifu\sys\common\AppFileUtils.java. Manipulation of the argument path results in path traversal. The attack may be launched remotely. A public exploit is available and may be used for attacks. This product uses a rolling release model, so there are no version details for either affected or patched releases.

PLUGIN Warehouse

CVE-2026-0571

MEDIUM CVSS 5.3 2026-01-02
Threat Entry Updated 2026-01-08

CVE-2026-21440 - Core Plugin

AdonisJS is a TypeScript-first web framework. A Path Traversal vulnerability in AdonisJS multipart file handling may allow a remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This impacts @adonisjs/bodyparser through version 10.1.1 and 11.x prerelease versions prior to 11.0.0-next.6. This issue has been patched in @adonisjs/bodyparser versions 10.1.2 and 11.0.0-next.6.

PLUGIN Core

CVE-2026-21440

CRITICAL CVSS 9.2 2026-01-02
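Both path-traversal entries above (the `path` argument in yeqifu warehouse and the multipart filename in @adonisjs/bodyparser) come down to a client-controlled string being joined onto a server directory. The following is an added example, not code from either project: it pulls the filename out of a multipart `Content-Disposition` header, shows what a naive join does with it, and the checks that confine the result to the upload root. The header samples and the upload directory are constructed.

```python
"""Client-supplied filenames from multipart uploads: naive join vs.
confined destination. Added example; not AdonisJS's or yeqifu warehouse's
code. The header samples and upload root are constructed."""
import os
import re
import shutil
import tempfile

# Content-Disposition: form-data; name="file"; filename="..."
_FILENAME_RE = re.compile(r'filename="((?:[^"\\]|\\.)*)"')


def client_filename(content_disposition):
    """Extract the client's filename from a Content-Disposition header.
    The value is attacker-controlled and must be treated as untrusted."""
    m = _FILENAME_RE.search(content_disposition)
    return m.group(1).replace('\\"', '"') if m else None


def dest_path_vulnerable(upload_root, name):
    # os.path.join discards upload_root entirely when name is absolute and
    # keeps "../" segments, so the file can land anywhere.
    return os.path.normpath(os.path.join(upload_root, name))


def safe_dest_path(upload_root, name):
    """Return a path strictly inside upload_root, or raise ValueError."""
    if not name or "\x00" in name:
        raise ValueError("empty or NUL-containing filename")
    # keep only the last path component, for both separator conventions
    base = os.path.basename(name.replace("\\", "/").rsplit("/", 1)[-1])
    if base in ("", ".", "..") or base.startswith("."):
        raise ValueError("unsafe basename: %r" % base)
    # allowlist characters rather than blocklisting the bad ones
    if not re.fullmatch(r"[A-Za-z0-9._-]{1,255}", base):
        raise ValueError("disallowed characters in %r" % base)
    root = os.path.realpath(upload_root)
    dest = os.path.realpath(os.path.join(root, base))
    # final containment check on the resolved path (symlinks included)
    if os.path.commonpath([root, dest]) != root:
        raise ValueError("escapes upload root")
    return dest


def demo():
    root = os.path.realpath(tempfile.mkdtemp(prefix="uploads-"))
    samples = {   # constructed headers an attacker might send
        "plain": 'form-data; name="f"; filename="avatar.png"',
        "dotdot": 'form-data; name="f"; filename="../../../../../../../../etc/cron.d/job"',
        "absolute": 'form-data; name="f"; filename="/etc/passwd"',
        "mid_dotdot": 'form-data; name="f"; filename="reports/../../secret.txt"',
        "nul": 'form-data; name="f"; filename="x.php\x00.png"',
        "hidden": 'form-data; name="f"; filename=".htaccess"',
    }
    out = {}
    for label, header in samples.items():
        name = client_filename(header)
        vuln_inside_root = dest_path_vulnerable(root, name).startswith(root + os.sep)
        try:
            safe = os.path.relpath(safe_dest_path(root, name), root)
        except ValueError:
            safe = "rejected"
        out[label] = (vuln_inside_root, safe)
    shutil.rmtree(root)
    return out


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Note that the NUL case stays "inside the root" for the naive join only because Python keeps the byte; a C library receiving the same name truncates at the NUL, which is why the hardened version rejects it outright instead of trying to clean it.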
Threat Entry Updated 2026-01-16

CVE-2026-21433 - Emlog Plugin

Emlog is an open source website building system. Versions up to and including 2.5.19 are vulnerable to server-side out-of-band (OOB) requests / SSRF via uploaded SVG files. An attacker can upload a crafted SVG containing external resource references to http[:]//emblog/admin/media[.]php. When the server processes or renders the SVG (thumbnailing, preview, or sanitization), it issues an HTTP request to the attacker-controlled host. Impact: server-side SSRF/OOB requests leading to internal network probing and potential metadata or credential exposure. As of time of publication, no known patched versions are available.

PLUGIN Emlog

CVE-2026-21433

HIGH CVSS 7.7 2026-01-02
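An SVG is XML, so "external resource references" can hide in several places: `href`/`xlink:href` on `<image>`, `<use>` or `<feImage>`, `url(...)` in CSS, and DTD entity declarations that an XML parser may resolve before any rendering starts. The following added example, not Emlog's code, is a pre-render check that lists those references in an uploaded file; the SVG samples are constructed. It is the cheap control; the robust one is rendering thumbnails in a process with no network access at all.

```python
"""Static scan of an uploaded SVG for anything that would make the
server fetch a remote resource when the file is rendered.
Added example; not Emlog's code. The SVG samples are constructed."""
import re
import xml.etree.ElementTree as ET

_XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
_FETCHING_TAGS = {"image", "use", "feImage", "script", "foreignObject",
                  "iframe", "embed", "object"}
_URL_SCHEME = re.compile(r"^\s*(?:https?|ftp|file|gopher|dict)://", re.I)
_CSS_URL = re.compile(r"url\(\s*['\"]?\s*(?!#|data:)([^'\")\s]+)", re.I)


def svg_external_refs(svg_bytes):
    """Return a list of (where, target) pairs that point outside the file."""
    text = svg_bytes.decode("utf-8", "replace")
    # 1. DTDs and entity declarations are refused before parsing: an
    #    XXE-style fetch happens inside the parser, not in the renderer.
    if re.search(r"<!DOCTYPE|<!ENTITY", text, re.I):
        return [("doctype", "external DTD or entity declaration")]
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as e:
        return [("parse", str(e))]
    findings = []
    for el in root.iter():
        tag = el.tag.split("}")[-1]            # strip the namespace
        href = el.get("href") or el.get(_XLINK_HREF)
        if href:
            href = href.strip()
            if _URL_SCHEME.match(href) or href.startswith("//"):
                findings.append((tag, href))    # absolute remote reference
            elif tag in _FETCHING_TAGS and not href.startswith(("#", "data:")):
                findings.append((tag, href))    # relative path: still a fetch
        if tag == "script":
            findings.append(("script", "inline script"))
        # 2. url(...) inside style attributes and <style> blocks
        css_sources = [el.get("style") or ""]
        if tag == "style":
            css_sources.append(el.text or "")
        for css in css_sources:
            for m in _CSS_URL.finditer(css):
                findings.append(("css", m.group(1)))
    return findings


def is_safe_svg(svg_bytes):
    return not svg_external_refs(svg_bytes)


# constructed samples
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'

OOB_SVG = b'''<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="http://oob.example.invalid/ping.png" width="1" height="1"/>
  <rect style="fill: url(//oob.example.invalid/p.svg)" width="1" height="1"/>
</svg>'''

XXE_SVG = b'''<?xml version="1.0"?>
<!DOCTYPE svg [ <!ENTITY x SYSTEM "http://oob.example.invalid/e"> ]>
<svg xmlns="http://www.w3.org/2000/svg">&x;</svg>'''


if __name__ == "__main__":
    for name, svg in [("clean", CLEAN_SVG), ("oob", OOB_SVG), ("xxe", XXE_SVG)]:
        print(name, svg_external_refs(svg))
```

Rejecting any `<!DOCTYPE` is deliberate: a well-formed SVG never needs one, and whether the parser would actually resolve the entity depends on the library and its configuration, which is not something an upload handler should have to know.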
Threat Entry Updated 2026-01-16

CVE-2026-21432 - Emlog Plugin

Emlog is an open source website building system. Version 2.5.23 has a stored cross-site scripting vulnerability that can lead to account takeover, including takeover of admin accounts. As of time of publication, no known patched versions are available.

PLUGIN Emlog

CVE-2026-21432

MEDIUM CVSS 6.8 2026-01-02
Threat Entry Updated 2026-02-25

CVE-2026-21444 - Libtpms Plugin

libtpms, a library that provides software emulation of a Trusted Platform Module, has a flaw in versions 0.10.0 and 0.10.1. The commonly used integration of libtpms with OpenSSL 3.x mishandled the IV (initialization vector) returned after certain symmetric cipher operations: instead of returning the last IV (for chained modes such as CBC, the final ciphertext block) it returned the initial IV to the caller, which weakens the subsequent encryption and decryption steps. The highest threat from this vulnerability is to data confidentiality. Version 0.10.2 fixes the issue. No known workarounds are available.

PLUGIN Libtpms

CVE-2026-21444

MEDIUM CVSS 5.5 2026-01-02
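Why a stale IV weakens confidentiality: a caller that encrypts a buffer in several calls must carry the last ciphertext block of one call into the next as the IV, or the chaining restarts and equal plaintext chunks produce equal ciphertext. The following added example, not libtpms or OpenSSL code, runs both behaviours side by side. The block cipher is a toy keyed Feistel network built from SHA-256 so that the chaining logic can run here without a crypto library; the key, IV and plaintext are constructed.

```python
"""Chunked CBC with the IV carried correctly vs. reset to the initial IV
after every call (the libtpms failure mode). Added example; not libtpms
or OpenSSL code. The block cipher is a toy Feistel network and the key,
IV and plaintext are constructed."""
import hashlib

BLOCK = 16


def _round(key, half, i):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, r, i))
    return l + r


def toy_block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, l, i)), l
    return l + r


def cbc_encrypt(key, iv, data):
    """One CBC pass over whole blocks; returns (ciphertext, last_block).
    last_block is the IV a correct API hands back for the next call."""
    assert len(data) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = toy_block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out), prev


def encrypt_in_chunks(key, iv, chunks, return_initial_iv):
    """Caller-side chaining: encrypt chunk by chunk, feeding the IV the
    cipher API reports back into the next call."""
    ct, carried_iv = [], iv
    for chunk in chunks:
        c, last_block = cbc_encrypt(key, carried_iv, chunk)
        ct.append(c)
        # the bug: the API reports the IV it started with, not the last block
        carried_iv = iv if return_initial_iv else last_block
    return b"".join(ct)


def _blocks(ct):
    return [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]


def demo():
    key = b"constructed-key-"          # constructed
    iv = bytes(range(BLOCK))           # constructed
    chunk = b"SAME PLAINTEXT!!"        # 16 bytes, deliberately repeated
    whole, _ = cbc_encrypt(key, iv, chunk * 3)
    correct = encrypt_in_chunks(key, iv, [chunk] * 3, return_initial_iv=False)
    buggy = encrypt_in_chunks(key, iv, [chunk] * 3, return_initial_iv=True)
    return {
        "chunked_matches_single_pass": correct == whole,
        "correct_blocks_all_distinct": len(set(_blocks(correct))) == 3,
        # stale IV: every chunk is encrypted as if it were the first one
        "buggy_blocks_all_identical": len(set(_blocks(buggy))) == 1,
    }


if __name__ == "__main__":
    print(demo())
```

The buggy output is still decryptable by a peer that makes the same mistake, which is why the defect does not show up as a functional failure: what it leaks is equality of plaintext chunks under one key, the property CBC exists to hide.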
Threat Entry Updated 2026-01-16

CVE-2026-21430 - Emlog Plugin

Emlog is an open source website building system. In version 2.5.23, article creation functionality is vulnerable to cross-site request forgery (CSRF). This can lead to a user being forced to post an article with arbitrary, attacker-controlled content. This, when combined with stored cross-site scripting, leads to account takeover. As of time of publication, no known patched versions are available.

PLUGIN Emlog

CVE-2026-21430

HIGH CVSS 7.0 2026-01-02
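The CSRF half of the chain in CVE-2026-21430 and CVE-2026-21432 works because a state-changing request is accepted on the strength of the session cookie alone, which the victim's browser attaches to any cross-site form post. The following added example, not Emlog's code, shows a synchroniser-token check (HMAC-derived, so no server-side token store) with an Origin check as defence in depth; the request shapes, session IDs and server secret are constructed.

```python
"""Synchroniser-token CSRF protection for a state-changing form.
Added example; not Emlog's code. The request dicts, session store,
SITE_ORIGIN and SERVER_SECRET are constructed."""
import hashlib
import hmac
import os
from urllib.parse import urlparse

SERVER_SECRET = os.urandom(32)       # constructed; normally loaded from config
SITE_ORIGIN = "https://blog.example.invalid"


def csrf_token(session_id):
    """Per-session token derived from the secret: cannot be forged without
    SERVER_SECRET and needs no server-side storage."""
    return hmac.new(SERVER_SECRET, b"csrf:" + session_id.encode(),
                    hashlib.sha256).hexdigest()


def check_csrf(request):
    """request: dict with method, headers, cookies, form. Returns (ok, reason)."""
    if request["method"] in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    session_id = request["cookies"].get("session")
    if not session_id:
        return False, "no session"
    # 1. Origin (or Referer) must be our own site when a browser sends one
    src = request["headers"].get("Origin") or request["headers"].get("Referer")
    if src:
        p = urlparse(src)
        if "%s://%s" % (p.scheme, p.netloc) != SITE_ORIGIN:
            return False, "cross-site origin %s" % src
    # 2. The token in the body must match the session's token
    submitted = request["form"].get("_token", "")
    if not hmac.compare_digest(submitted.encode(), csrf_token(session_id).encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"


def publish_article_vulnerable(request):
    # trusts the cookie alone: any page the victim visits can post here
    return 200 if request["cookies"].get("session") else 401


def publish_article(request):
    ok, _ = check_csrf(request)
    if not ok:
        return 403
    return publish_article_vulnerable(request)


def demo():
    sid = "sess-1234"
    forged = {   # constructed cross-site POST; the browser attaches the cookie
        "method": "POST",
        "headers": {"Origin": "https://attacker.example.invalid"},
        "cookies": {"session": sid},
        "form": {"title": "pwned", "content": "<script>...</script>"},
    }
    genuine = {
        "method": "POST",
        "headers": {"Origin": SITE_ORIGIN},
        "cookies": {"session": sid},
        "form": {"title": "hello", "content": "...", "_token": csrf_token(sid)},
    }
    no_origin = dict(forged, headers={})   # Origin stripped, still no token
    return {
        "vuln_accepts_forged": publish_article_vulnerable(forged),
        "fixed_rejects_forged": publish_article(forged),
        "fixed_rejects_no_origin_no_token": publish_article(no_origin),
        "fixed_accepts_genuine": publish_article(genuine),
        "token_is_session_bound": csrf_token(sid) != csrf_token("sess-9999"),
    }


if __name__ == "__main__":
    print(demo())
```

The token check is the one that decides; the Origin check only fails closed when a header is present and wrong, because some clients send neither Origin nor Referer. Output encoding of the article body is what breaks the stored-XSS half of the chain, and is a separate control.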
Threat Entry Updated 2026-02-23

CVE-2026-0570 - Online Music Site Plugin

A vulnerability was found in code-projects Online Music Site 1.0. It affects an unknown function of the file /Frontend/Feedback.php. Manipulation of the argument fname results in SQL injection. The attack can be initiated remotely. The exploit has been made public and could be used.

PLUGIN Online Music Site

CVE-2026-0570

MEDIUM CVSS 6.9 2026-01-02
Threat Entry Updated 2026-01-09

CVE-2026-0569 - Online Music Site Plugin

A vulnerability has been found in code-projects Online Music Site 1.0. It affects an unknown function of the file /Frontend/AlbumByCategory.php. Manipulation of the argument ID leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

PLUGIN Online Music Site

CVE-2026-0569

MEDIUM CVSS 6.9 2026-01-02
Threat Entry Updated 2026-01-16

CVE-2026-21431 - Emlog Plugin

Emlog is an open source website building system. Version 2.5.23 has a stored cross-site scripting vulnerability in the `Resource media library` function used while publishing an article. As of time of publication, no known patched versions are available.

PLUGIN Emlog

CVE-2026-21431

LOW CVSS 2.0 2026-01-02
Threat Entry Updated 2026-01-16

CVE-2026-21429 - Emlog Plugin

Emlog is an open source website building system. In version 2.5.23, the admin can set controls that make users unable to edit or delete their articles after publishing them. As of time of publication, no known patched versions are available.

PLUGIN Emlog

CVE-2026-21429

MEDIUM CVSS 5.1 2026-01-02
Threat Entry Updated 2026-01-09

CVE-2026-0568 - Online Music Site Plugin

A flaw has been found in code-projects Online Music Site 1.0. The impacted element is an unknown function of the file /Frontend/ViewSongs.php. Manipulation of the argument ID causes SQL injection. It is possible to initiate the attack remotely. The exploit has been published and may be used.

PLUGIN Online Music Site

CVE-2026-0568

MEDIUM CVSS 6.9 2026-01-02
Threat Entry Updated 2026-01-20

CVE-2026-0567 - Content Management System Plugin

A vulnerability was detected in code-projects Content Management System 1.0. The affected element is an unknown function of the file /pages.php. Manipulation of the argument ID results in SQL injection. The attack may be performed remotely. The exploit is now public and may be used.

PLUGIN Content Management System

CVE-2026-0567

MEDIUM CVSS 6.9 2026-01-02
Threat Entry Updated 2026-01-20

CVE-2026-0566 - Content Management System Plugin

A security vulnerability has been detected in code-projects Content Management System 1.0. Impacted is an unknown function of the file /admin/edit_posts.php. Manipulation of the argument image leads to unrestricted file upload. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used.

PLUGIN Content Management System

CVE-2026-0566

MEDIUM CVSS 5.1 2026-01-02
Threat Entry Updated 2026-02-23

CVE-2026-0565 - Content Management System Plugin

A weakness has been identified in code-projects Content Management System 1.0. This issue affects some unknown processing of the file /admin/delete.php. Manipulation of the argument del can lead to SQL injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks.

PLUGIN Content Management System

CVE-2026-0565

MEDIUM CVSS 6.9 2026-01-02
Threat Entry Updated 2026-01-15

CVE-2026-0547 - Online Course Registration Plugin

A vulnerability was found in PHPGurukul Online Course Registration up to 3.1. This issue affects some unknown processing of the file /admin/edit-student-profile.php of the component Student Registration Page. Manipulation of the argument photo results in unrestricted file upload. The attack may be launched remotely. The exploit has been made public and could be used.

PLUGIN Online Course Registration

CVE-2026-0547

MEDIUM CVSS 5.3 2026-01-02
Threat Entry Updated 2026-01-15

CVE-2026-0546 - Content Management System Plugin

A vulnerability was determined in code-projects Content Management System 1.0. It affects an unknown function of the file search.php. Manipulation of the argument Value causes SQL injection. The attack can be carried out remotely. The exploit has been publicly disclosed and may be utilized.

PLUGIN Content Management System

CVE-2026-0546

MEDIUM CVSS 6.9 2026-01-02
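The six code-projects SQL injection entries above (CVE-2026-0570, -0569, -0568, -0567, -0565 and -0546) all describe a request argument such as `ID`, `fname`, `del` or `Value` pasted into a query string. The following added example, not code-projects' code, runs a string-built query beside a parameterised one against an in-memory SQLite table so the difference is visible in the rows returned; the schema, rows and payloads are constructed.

```python
"""String-built query beside a parameterised one, run against an
in-memory SQLite copy of the kind of table these entries describe.
Added example; not code-projects' code. Schema and rows are constructed."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE songs (id INTEGER PRIMARY KEY, title TEXT, category TEXT, hidden INTEGER);
        INSERT INTO songs VALUES (1, 'Public song', 'rock', 0);
        INSERT INTO songs VALUES (2, 'Unreleased track', 'rock', 1);
        INSERT INTO songs VALUES (3, 'Another song', 'jazz', 0);
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT);
        INSERT INTO users VALUES (1, 'admin', 'constructed-hash');
    """)
    return conn


def view_song_vulnerable(conn, song_id):
    # the request argument becomes part of the SQL text
    sql = "SELECT id, title FROM songs WHERE hidden = 0 AND id = " + song_id
    return conn.execute(sql).fetchall()


def view_song(conn, song_id):
    # placeholder: the driver passes the value separately; it is never parsed as SQL
    sql = "SELECT id, title FROM songs WHERE hidden = 0 AND id = ?"
    return conn.execute(sql, (song_id,)).fetchall()


def search_vulnerable(conn, value):
    sql = "SELECT id, title FROM songs WHERE hidden = 0 AND title LIKE '%" + value + "%'"
    return conn.execute(sql).fetchall()


def search(conn, value):
    # parameterise, and also escape LIKE wildcards so the user cannot
    # widen the pattern (a data problem, not an injection, but related)
    escaped = value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT id, title FROM songs WHERE hidden = 0 AND title LIKE ? ESCAPE '\\'"
    return conn.execute(sql, ("%" + escaped + "%",)).fetchall()


def demo():
    conn = make_db()
    boolean = "1 OR 1=1"                                               # constructed payload
    union = "0 UNION SELECT id, name || ':' || pw_hash FROM users"     # constructed payload
    like_payload = "x' OR 1=1 --"                                      # constructed payload
    return {
        "vuln_boolean": view_song_vulnerable(conn, boolean),   # hidden row included
        "vuln_union": view_song_vulnerable(conn, union),       # other table read
        "fixed_boolean": view_song(conn, boolean),             # compared as text: no rows
        "fixed_numeric": view_song(conn, "1"),
        "vuln_search": search_vulnerable(conn, like_payload),
        "fixed_search": search(conn, like_payload),
        "fixed_search_legit": search(conn, "song"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

`1 OR 1=1` works against the vulnerable handler because `AND` binds tighter than `OR`, so the `hidden = 0` filter is bypassed along with the ID match; the parameterised version compares the whole string to the integer column and simply finds nothing.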