"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 14,261
Critical: 855
High: 2,811
Medium: 10,399
Showing 1201-1220 of 14261 records
Threat Entry Updated 2026-01-26

CVE-2026-23800 - Modular DS Plugin

Incorrect Privilege Assignment vulnerability in Modular DS modular-connector allows Privilege Escalation. This issue affects Modular DS: from 2.5.2 before 2.6.0.

PLUGIN Modular DS

CVE-2026-23800

CRITICAL CVSS 10.0 2026-01-16
Threat Entry Updated 2026-02-23

CVE-2026-23643 - Cakephp Plugin

CakePHP is a rapid development framework for PHP. The PaginatorHelper::limitControl() method has a cross-site-scripting vulnerability via query string parameter manipulation. This issue has been fixed in 5.2.12 and 5.3.1.

PLUGIN Cakephp

CVE-2026-23643

MEDIUM CVSS 5.4 2026-01-16
Threat Entry Updated 2026-01-26

CVE-2026-23744 - Inspector Plugin

MCPJam inspector is the local-first development platform for MCP servers. Versions 1.4.2 and earlier are vulnerable to remote code execution (RCE), which allows an attacker to send a crafted HTTP request that triggers the installation of an MCP server, leading to RCE. Since MCPJam inspector by default listens on 0.0.0.0 instead of 127.0.0.1, an attacker can trigger the RCE remotely via a simple HTTP request. Version 1.4.3 contains a patch.

PLUGIN Inspector

CVE-2026-23744

CRITICAL CVSS 9.8 2026-01-16
Threat Entry Updated 2026-02-18

CVE-2026-23742 - Skipper Plugin

Skipper is an HTTP router and reverse proxy for service composition. The default skipper configuration before 0.23.0 was -lua-sources=inline,file. The problem starts if untrusted users can create lua filters, because of -lua-sources=inline, for example through a Kubernetes Ingress resource. The configuration inline allows these users to create a script that is able to read the filesystem accessible to the skipper process and, if the user has access to read the logs, they can read skipper secrets. This vulnerability is fixed in 0.23.0.

PLUGIN Skipper

CVE-2026-23742

HIGH CVSS 8.8 2026-01-16
Threat Entry Updated 2026-01-26

CVE-2026-23735 - Graphql Modules Plugin

GraphQL Modules is a toolset of libraries and guidelines dedicated to create reusable, maintainable, testable and extendable modules out of your GraphQL server. From 2.2.1 to before 2.4.1 and 3.1.1, when 2 or more parallel requests are made which trigger the same service, the context of the requests is mixed up in the service when the context is injected via @ExecutionContext(). ExecutionContext is often used to pass authentication tokens from incoming requests to services loading data from backend APIs. This vulnerability is fixed in 2.4.1 and 3.1.1.

PLUGIN Graphql Modules

CVE-2026-23735

HIGH CVSS 8.7 2026-01-16
Threat Entry Updated 2026-01-30

CVE-2026-23730 - WeGIA Plugin

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=ProdutoControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2.

PLUGIN WeGIA

CVE-2026-23730

MEDIUM CVSS 4.8 2026-01-16
Threat Entry Updated 2026-01-30

CVE-2026-23729 - WeGIA Plugin

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarDescricao and nomeClasse=ProdutoControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2.

PLUGIN WeGIA

CVE-2026-23729

MEDIUM CVSS 4.8 2026-01-16
Threat Entry Updated 2026-01-30

CVE-2026-23731 - WeGIA Plugin

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, the web application is vulnerable to clickjacking attacks. The WeGIA application does not send any defensive HTTP headers related to framing protection. In particular, X-Frame-Options is missing and Content-Security-Policy with frame-ancestors directive is not configured. Because of this, an attacker can load any WeGIA page inside a malicious HTML document, overlay deceptive elements, hide real buttons, or force accidental interaction with sensitive workflows. This vulnerability is fixed in 3.6.2.

PLUGIN WeGIA

CVE-2026-23731

MEDIUM CVSS 4.3 2026-01-16
Threat Entry Updated 2026-01-30

CVE-2026-23722 - WeGIA Plugin

WeGIA is a Web Manager for Charitable Institutions. Prior to 3.6.2, a Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the WeGIA system, specifically within the html/memorando/insere_despacho.php file. The application fails to properly sanitize or encode user-supplied input via the id_memorando GET parameter before reflecting it into the HTML source (likely inside a block or an attribute). This allows unauthenticated attackers to inject arbitrary JavaScript or HTML into the context of the user's browser session. This vulnerability is fixed in 3.6.2.

PLUGIN WeGIA

CVE-2026-23722

CRITICAL CVSS 9.1 2026-01-16
Threat Entry Updated 2026-01-30

CVE-2026-23723 - WeGIA Plugin

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an authenticated SQL Injection vulnerability was identified in the Atendido_ocorrenciaControle endpoint via the id_memorando parameter. This flaw allows for full database exfiltration, exposure of sensitive PII, and potential arbitrary file reads in misconfigured environments. This vulnerability is fixed in 3.6.2.

PLUGIN WeGIA

CVE-2026-23723

HIGH CVSS 7.2 2026-01-16
Threat Entry Updated 2026-01-30

CVE-2026-23725 - WeGIA Plugin

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the html/pet/adotantes/cadastro_adotante.php and html/pet/adotantes/informacao_adotantes.php endpoints of the WeGIA application. The application does not sanitize user-controlled input before rendering it inside the Adopters Information table, allowing persistent JavaScript injection. Any user who visits the page will have the payload executed automatically. This vulnerability is fixed in 3.6.2.

PLUGIN WeGIA

CVE-2026-23725

MEDIUM CVSS 5.3 2026-01-16
Threat Entry Updated 2026-01-30

CVE-2026-23728 - WeGIA Plugin

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=DestinoControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2.

PLUGIN WeGIA

CVE-2026-23728

MEDIUM CVSS 4.8 2026-01-16
Threat Entry Updated 2026-01-30

CVE-2026-23727 - WeGIA Plugin

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=TipoSaidaControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2.

PLUGIN WeGIA

CVE-2026-23727

MEDIUM CVSS 4.8 2026-01-16
Threat Entry Updated 2026-01-30

CVE-2026-23726 - WeGIA Plugin

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=TipoEntradaControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2.

PLUGIN WeGIA

CVE-2026-23726

MEDIUM CVSS 4.8 2026-01-16
Threat Entry Updated 2026-01-30

CVE-2026-23724 - WeGIA Plugin

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the html/atendido/cadastro_ocorrencia.php endpoint of the WeGIA application. The application does not sanitize user-controlled data before rendering it inside the “Atendido” selection dropdown. This vulnerability is fixed in 3.6.2.

PLUGIN WeGIA

CVE-2026-23724

MEDIUM CVSS 4.3 2026-01-16
Threat Entry Updated 2026-01-30

CVE-2026-23645 - Siyuan Plugin

SiYuan is self-hosted, open source personal knowledge management software. Prior to 3.5.4-dev2, a Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an untrusted source), arbitrary JavaScript code is executed in the context of their authenticated session. This vulnerability is fixed in 3.5.4-dev2.

PLUGIN Siyuan

CVE-2026-23645

MEDIUM CVSS 5.3 2026-01-16
Threat Entry Updated 2026-01-26

CVE-2026-23634 - Pepr Plugin

Pepr is a type safe K8s middleware. Prior to 1.0.5, Pepr defaults to a cluster-admin RBAC configuration and does not explicitly force or enforce least-privilege guidance for module authors. The default behavior exists to make the “getting started” experience smooth: new users can experiment with Pepr and create resources dynamically without needing to pre-configure RBAC. This vulnerability is fixed in 1.0.5.

PLUGIN Pepr

CVE-2026-23634

UNKNOWN CVSS 0.0 2026-01-16
Threat Entry Updated 2026-02-18

CVE-2026-23535 - Wlc Plugin

wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.2, the multi-translation download could write to an arbitrary location when instructed by a crafted server. This vulnerability is fixed in 1.17.2.

PLUGIN Wlc

CVE-2026-23535

HIGH CVSS 8.0 2026-01-16
Threat Entry Updated 2026-02-01

CVE-2026-23490 - Pyasn1 Plugin

pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2.

PLUGIN Pyasn1

CVE-2026-23490

HIGH CVSS 7.5 2026-01-16