Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total14,261
Critical855
High2,811
Medium10,399
Reset
Showing 1221-1240 of 14261 records
Threat Entry Updated 2026-01-26

CVE-2026-0629 - VIGI C230I Mini Plugin

Authentication bypass in the password recovery feature of the local web interface across multiple VIGI camera models allows an attacker on the LAN to reset the admin password without verification by manipulating client-side state. Attackers can gain full administrative access to the device, compromising configuration and network security.

PLUGIN VIGI C230I Mini

CVE-2026-0629

HIGH CVSS 8.7 2026-01-16
Open Full Technical Breakdown
Threat Entry Updated 2026-02-09

CVE-2026-23523 - Dive Plugin

Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. Prior to 0.13.0, crafted deeplink can install an attacker-controlled MCP server configuration without sufficient user confirmation and can lead to arbitrary local command execution on the victim’s machine. This vulnerability is fixed in 0.13.0.

PLUGIN Dive

CVE-2026-23523

CRITICAL CVSS 9.6 2026-01-16
Open Full Technical Breakdown
Threat Entry Updated 2026-01-26

CVE-2026-23529 - Bigquery Connector For Apache Kafka Plugin

Kafka Connect BigQuery Connector is an implementation of a sink connector from Apache Kafka to Google BigQuery. Prior to 2.11.0, there is an arbitrary file read in Google BigQuery Sink connector. Aiven's Google BigQuery Kafka Connect Sink connector requires Google Cloud credential configurations for authentication to BigQuery services. During connector configuration, users can supply credential JSON files that are processed by Google authentication libraries. The service fails to validate externally-sourced credential configurations before passing them to the authentication libraries. An attacker can exploit this by providing a malicious credential configuration…

PLUGIN Bigquery Connector For Apache Kafka

CVE-2026-23529

HIGH CVSS 7.7 2026-01-16
Open Full Technical Breakdown
Threat Entry Updated 2026-02-10

CVE-2026-0949 - Postgres Enterprise Manager (PEM) Plugin

PEM versions prior to 9.8.1 are affected by a stored Cross-site Scripting (XSS) vulnerability that allows users with access to the Manage Charts menu to inject arbitrary JavaScript when creating a new chart, which is then executed by any user accessing the chart. By default only the superuser and users with pem_admin or pem_super_admin privileges are able to access the Manage Charts menu.

PLUGIN Postgres Enterprise Manager (PEM)

CVE-2026-0949

MEDIUM CVSS 6.5 2026-01-16
Open Full Technical Breakdown
Threat Entry Updated 2026-01-26

CVE-2026-23528 - Distributed Plugin

Dask distributed is a distributed task scheduler for Dask. Prior to 2026.1.0, when Jupyter Lab, jupyter-server-proxy, and Dask distributed are all run together, it is possible to craft a URL which will result in code being executed by Jupyter due to a cross-side-scripting (XSS) bug in the Dask dashboard. It is possible for attackers to craft a phishing URL that assumes Jupyter Lab and Dask may be running on localhost and using default ports. If a user clicks on the malicious link it will open an error page in the…

PLUGIN Distributed

CVE-2026-23528

MEDIUM CVSS 5.3 2026-01-16
Open Full Technical Breakdown
Threat Entry Updated 2026-02-09

CVE-2026-22782 - Rustfs Plugin

RustFS is a distributed object storage system built in Rust. From >= 1.0.0-alpha.1 to 1.0.0-alpha.79, invalid RPC signatures cause the server to log the shared HMAC secret (and expected signature), which exposes the secret to log readers and enables forged RPC calls. In crates/ecstore/src/rpc/http_auth.rs, the invalid signature branch logs sensitive data. This log line includes secret and expected_signature, both derived from the shared HMAC key. Any invalidly signed request triggers this path. The function is reachable from RPC and admin request handlers. This vulnerability is fixed in 1.0.0-alpha.80.

PLUGIN Rustfs

CVE-2026-22782

LOW CVSS 2.9 2026-01-16
Open Full Technical Breakdown
Threat Entry Updated 2026-01-27

CVE-2026-0695 - PSA Plugin

In ConnectWise PSA versions older than 2026.1, Time Entry notes stored in the Time Entry Audit Trail may be rendered without applying output encoding to certain content. Under specific conditions, this may allow stored script code to execute in the context of a user’s browser when the affected content is displayed.

PLUGIN PSA

CVE-2026-0695

HIGH CVSS 8.7 2026-01-16
Open Full Technical Breakdown
Threat Entry Updated 2026-01-27

CVE-2026-0696 - PSA Plugin

In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values.

PLUGIN PSA

CVE-2026-0696

MEDIUM CVSS 6.5 2026-01-16
Open Full Technical Breakdown
Threat Entry Updated 2026-01-23

CVE-2026-0616 - TheLibrarian.io Plugin

TheLibrarians web_fetch tool can be used to retrieve the Adminer interface content, which can then be used to log into the internal TheLibrarian backend system. The vendor has fixed the vulnerability in all affected versions.

PLUGIN TheLibrarian.io

CVE-2026-0616

HIGH CVSS 7.5 2026-01-16
Open Full Technical Breakdown
Threat Entry Updated 2026-01-23

CVE-2026-0613 - TheLibrarian.io Plugin

The Librarian contains an internal port scanning vulnerability, facilitated by the `web_fetch` tool, which can be used with SSRF-style behavior to perform GET requests to internal IP addresses and services, enabling scanning of the Hertzner cloud environment that TheLibrarian uses. The vendor has fixed the vulnerability in all affected versions.

PLUGIN TheLibrarian.io

CVE-2026-0613

HIGH CVSS 7.5 2026-01-16
Open Full Technical Breakdown
Threat Entry Updated 2026-01-23

CVE-2026-0612 - TheLibrarian.io Plugin

The Librarian contains a information leakage vulnerability through the `web_fetch` tool, which can be used to retrieve arbitrary external content provided by an attacker, which can be used to proxy requests through The Librarian infrastructure. The vendor has fixed the vulnerability in all versions of TheLibrarian.

PLUGIN TheLibrarian.io

CVE-2026-0612

HIGH CVSS 7.5 2026-01-16
Open Full Technical Breakdown
Threat Entry Updated 2026-01-23

CVE-2026-0615 - TheLibrarian.io Plugin

The Librarian `supervisord` status page can be retrieved by the `web_fetch` tool, which can be used to retrieve running processes within TheLibrarian backend. The vendor has fixed the vulnerability in all affected versions.

PLUGIN TheLibrarian.io

CVE-2026-0615

HIGH CVSS 7.3 2026-01-16
Open Full Technical Breakdown
Threat Entry Updated 2026-01-23

CVE-2025-14844 - Restrict Content Plugin

The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the 'rcp_stripe_create_setup_intent_for_saved_card' function due to missing capability check. Additionally, the plugin does not check a user-controlled key, which makes it possible for unauthenticated attackers to leak Stripe SetupIntent client_secret values for any membership.

PLUGIN Restrict Content

CVE-2025-14844

HIGH CVSS 8.2 2026-01-16
Open Full Technical Breakdown
Threat Entry Updated 2026-01-16

CVE-2026-22876 - Multiple Network Cameras TRIFORA 3 series Plugin

Path Traversal vulnerability exists in multiple Network Cameras TRIFORA 3 series provided by TOA Corporation. If this vulnerability is exploited, arbitrary files on the affected product may be retrieved by a logged-in user with the low("monitoring user") or higher privilege.

PLUGIN Multiple Network Cameras TRIFORA 3 series

CVE-2026-22876

HIGH CVSS 7.1 2026-01-16
Open Full Technical Breakdown
Threat Entry Updated 2026-01-16

CVE-2026-20894 - Multiple Network Cameras TRIFORA 3 series Plugin

Cross-site scripting vulnerability exists in multiple Network Cameras TRIFORA 3 series provided by TOA Corporation. If an attacking administrator configures the affected product with some malicious input, an arbitrary script may be executed on the web browser of a victim administrator who accesses the setting screen.

PLUGIN Multiple Network Cameras TRIFORA 3 series

CVE-2026-20894

MEDIUM CVSS 4.8 2026-01-16
Open Full Technical Breakdown
Threat Entry Updated 2026-04-15

CVE-2026-1004 - Essential Addons For Elementor Lite Plugin

The Essential Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 6.5.5 via the 'eael_product_quickview_popup' function. This makes it possible for unauthenticated attackers to retrieve WooCommerce product information for products with draft, pending, or private status, which should normally be restricted.

PLUGIN Essential Addons For Elementor Lite

CVE-2026-1004

MEDIUM CVSS 5.3 2026-01-16
Open Full Technical Breakdown
Scroll to top