
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 14,261
Critical: 855
High: 2,811
Medium: 10,399
Showing 1301-1320 of 14261 records
Threat Entry Updated 2026-01-20

CVE-2026-22774 - Devalue Plugin

Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.3.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data. The root cause is the typed array hydration expecting an ArrayBuffer as input, but not checking the assumption before creating the typed array. This vulnerability is fixed in 5.6.2.

PLUGIN Devalue

CVE-2026-22774

HIGH CVSS 7.5 2026-01-15
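The root cause named above, a typed-array constructor handed a value that was assumed to be an ArrayBuffer but never checked, fits in a few lines. The following is an added illustration for CVE-2026-22774, not devalue's own code: it assumes a simplified description object ({type, buffer, byteOffset, length}), a MAX_BYTES budget and the function names shown, and contrasts the unchecked hydration with one that verifies the assumption and bounds the view before constructing it.

```javascript
// Added illustration (not devalue's code): hydrating a typed array from a
// parsed description. The description shape, the function names and
// MAX_BYTES are assumptions made for this example.
const TYPED_ARRAY_CTORS = {
  Uint8Array, Int8Array, Uint16Array, Int16Array,
  Uint32Array, Int32Array, Float32Array, Float64Array,
};
const MAX_BYTES = 1 << 20; // assumed 1 MiB budget for untrusted payloads

// Vulnerable shape: `buffer` is assumed to be an ArrayBuffer and never checked.
// If a hostile payload supplies a number instead, `new Uint8Array(n)` does not
// create a view over anything; it allocates n zero-filled bytes, so the
// attacker picks the allocation size.
function hydrateTypedArrayUnchecked(desc) {
  const Ctor = TYPED_ARRAY_CTORS[desc.type];
  return new Ctor(desc.buffer, desc.byteOffset, desc.length);
}

// Hardened shape: confirm the assumption, then bound the view before building it.
function hydrateTypedArraySafe(desc) {
  const Ctor = TYPED_ARRAY_CTORS[desc.type];
  if (!Ctor) throw new TypeError(`unsupported typed array type: ${desc.type}`);
  if (!(desc.buffer instanceof ArrayBuffer)) {
    throw new TypeError('typed array payload must reference an ArrayBuffer');
  }
  const { byteOffset = 0, length } = desc;
  const bpe = Ctor.BYTES_PER_ELEMENT;
  if (!Number.isInteger(byteOffset) || byteOffset < 0 || byteOffset % bpe !== 0) {
    throw new RangeError('invalid byteOffset');
  }
  if (!Number.isInteger(length) || length < 0) throw new RangeError('invalid length');
  const byteLength = length * bpe;
  if (byteLength > MAX_BYTES) throw new RangeError('typed array exceeds size budget');
  if (byteOffset + byteLength > desc.buffer.byteLength) {
    throw new RangeError('view exceeds backing buffer');
  }
  return new Ctor(desc.buffer, byteOffset, length);
}

// Runs both hydrators on a constructed payload whose `buffer` is a number
// rather than an ArrayBuffer and returns what each produced.
function demoHydration() {
  const hostile = { type: 'Uint8Array', buffer: 64, byteOffset: 0, length: 1 };
  const unchecked = hydrateTypedArrayUnchecked(hostile);
  let safeError = null;
  try { hydrateTypedArraySafe(hostile); } catch (e) { safeError = e; }
  return { uncheckedLength: unchecked.length, safeError };
}
```

With a real payload the number would be far larger than 64; the unchecked path turns it straight into an allocation of that many bytes, which is the memory-exhaustion DoS the advisory describes. The byte budget in the safe path is a separate, deliberate choice: even a genuine ArrayBuffer from an untrusted source deserves an upper bound.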
Threat Entry Updated 2026-01-22

CVE-2026-22249 - Docmost Plugin

Docmost is an open-source collaborative wiki and documentation software. From 0.21.0 to before 0.24.0, Docmost is vulnerable to arbitrary file write via the zip import feature (ZipSlip): in apps/server/src/integrations/import/utils/file.utils.ts, entry filenames are not validated, so an archive entry whose name contains path traversal segments is written outside the import directory. This vulnerability is fixed in 0.24.0.

PLUGIN Docmost

CVE-2026-22249

HIGH CVSS 7.1 2026-01-15
Threat Entry Updated 2026-02-06

CVE-2026-0227 - Prisma Access Plugin

A vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to cause a denial of service (DoS) to the firewall. Repeated attempts to trigger this issue result in the firewall entering maintenance mode.

PLUGIN Prisma Access

CVE-2026-0227

MEDIUM CVSS 6.6 2026-01-15
Threat Entry Updated 2026-01-20

CVE-2026-23493 - Pimcore Plugin

Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend. This vulnerability is fixed in 12.3.1 and 11.5.14.

PLUGIN Pimcore

CVE-2026-23493

HIGH CVSS 8.6 2026-01-15
Threat Entry Updated 2026-01-30

CVE-2026-23496 - Pimcore Plugin

Pimcore Web2Print Tools Bundle adds tools for web-to-print use cases to Pimcore. Prior to 5.2.2 and 6.1.1, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for managing "Favourite Output Channel Configurations." Testing revealed that an authenticated backend user explicitly lacking permissions for this feature was still able to successfully invoke the endpoint and modify or retrieve these configurations. This vulnerability is fixed in 5.2.2 and 6.1.1.

PLUGIN Pimcore

CVE-2026-23496

MEDIUM CVSS 5.4 2026-01-15
Threat Entry Updated 2026-01-30

CVE-2026-23495 - Pimcore Plugin

Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. Prior to 2.2.3 and 1.7.16, the API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions (e.g., name, key, type, default value) used across documents, assets, and objects to standardize custom attributes and improve editorial workflows, as documented in Pimcore's official properties guide. Testing confirmed that an authenticated backend user without explicit permissions for property management could successfully call the endpoint and retrieve the complete list of these configurations.…

PLUGIN Pimcore

CVE-2026-23495

MEDIUM CVSS 4.3 2026-01-15
Threat Entry Updated 2026-01-20

CVE-2026-23494 - Pimcore Plugin

Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined via the backend interface or the var/config/staticroutes.php file, including details like regex-based patterns, controllers, variables, and priorities. These routes are registered automatically through the PimcoreStaticRoutesBundle and integrated into the MVC routing system. Testing revealed that an authenticated backend user lacking explicit permissions was able to invoke…

PLUGIN Pimcore

CVE-2026-23494

MEDIUM CVSS 4.3 2026-01-15
Threat Entry Updated 2026-01-16

CVE-2026-22867 - Docs Plugin

LaSuite Doc is a collaborative note taking, wiki and documentation platform. From 3.8.0 to 4.3.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Interlinking feature. When a user creates a link to another document within the editor, the URL of that link is not validated. An attacker with document editing privileges can inject a malicious javascript: URL that executes arbitrary code when other users click on the link. This vulnerability is fixed in 4.4.0.

PLUGIN Docs

CVE-2026-22867

HIGH CVSS 8.7 2026-01-15
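The link-target validation that the CVE-2026-22867 description calls for, as an added example that is not code from the Docs project. ALLOWED_SCHEMES, DOCS_ORIGIN, isSafeLinkHref and the sample targets are assumptions; the example also covers the case-variant and tab-split spellings of javascript: that a naive prefix check misses.

```javascript
// Added example, not code from the Docs project: validating a link target
// before it is stored with the document. ALLOWED_SCHEMES, DOCS_ORIGIN,
// isSafeLinkHref and the sample targets are assumptions for this illustration.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
const DOCS_ORIGIN = 'https://docs.example/'; // assumed origin for relative interlinks

// Returns a normalised absolute href when the target is acceptable, else null.
// Parsing with the WHATWG URL class (rather than matching the raw string)
// means the scheme is compared after case-folding and after the parser has
// stripped ASCII tabs and newlines, so "JaVaScRiPt:" and "java\tscript:" are
// caught along with the plain form. Relative targets resolve against
// DOCS_ORIGIN, so internal interlinks keep working.
function isSafeLinkHref(raw, base = DOCS_ORIGIN) {
  if (typeof raw !== 'string') return null;
  const trimmed = raw.trim();
  if (trimmed === '') return null;
  let url;
  try {
    url = new URL(trimmed, base);
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  return url.href;
}

// Constructed sample link targets: three acceptable, five that must be refused.
const SAMPLE_LINKS = [
  '/docs/8f2c-getting-started',
  'https://example.org/page',
  'mailto:team@example.org',
  'javascript:alert(document.cookie)',
  'JaVaScRiPt:alert(1)',
  ' java\tscript:alert(1)',
  'data:text/html,<script>alert(1)</script>',
  'vbscript:MsgBox(1)',
];

function classifyLinks(links = SAMPLE_LINKS) {
  return links.map((l) => ({ input: l, href: isSafeLinkHref(l) }));
}
```

Validate on the server at save time, not only in the editor: the editor check is bypassable by anyone who can talk to the API with editing rights, which is exactly the attacker the advisory describes. An allow-list of schemes is also the right shape here; a deny-list of javascript: and friends will miss the next scheme a browser decides to execute.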
Threat Entry Updated 2026-02-18

CVE-2026-22265 - Roxy Wi Plugin

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to 8.2.8.2, a command injection vulnerability exists in the log viewing functionality that allows authenticated users to execute arbitrary system commands. The flaw is in app/modules/roxywi/logs.py line 87, where the grep parameter is used twice: once sanitized and once raw, so the sanitization does not cover the value that reaches the shell. This vulnerability is fixed in 8.2.8.2.

PLUGIN Roxy Wi

CVE-2026-22265

HIGH CVSS 7.5 2026-01-15
Threat Entry Updated 2026-01-30

CVE-2026-20076 - Cisco Identity Services Engine Software Plugin

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive,…

PLUGIN Cisco Identity Services Engine Software

CVE-2026-20076

MEDIUM CVSS 4.8 2026-01-15
Threat Entry Updated 2026-01-30

CVE-2026-20075 - Cisco Evolved Programmable Network Manager (EPNM) Plugin

A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) and Cisco Prime Infrastructure could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against users of the interface of an affected system. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by inserting malicious code into specific data fields in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected…

PLUGIN Cisco Evolved Programmable Network Manager (EPNM)

CVE-2026-20075

MEDIUM CVSS 4.8 2026-01-15
Threat Entry Updated 2026-01-30

CVE-2026-20047 - Cisco Identity Services Engine Software Plugin

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the…

PLUGIN Cisco Identity Services Engine Software

CVE-2026-20047

MEDIUM CVSS 4.8 2026-01-15
Threat Entry Updated 2026-01-16

CVE-2026-0990 - Red Hat Enterprise Linux 10 Plugin

A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications.

PLUGIN Red Hat Enterprise Linux 10

CVE-2026-0990

MEDIUM CVSS 5.9 2026-01-15
Threat Entry Updated 2026-01-16

CVE-2026-0989 - Red Hat Enterprise Linux 10 Plugin

A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk.

PLUGIN Red Hat Enterprise Linux 10

CVE-2026-0989

LOW CVSS 3.7 2026-01-15
Threat Entry Updated 2026-01-16

CVE-2026-0992 - Red Hat Enterprise Linux 10 Plugin

A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition.

PLUGIN Red Hat Enterprise Linux 10

CVE-2026-0992

LOW CVSS 2.9 2026-01-15
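Both libxml2 catalog issues listed here, CVE-2026-0990 (a delegate entry that references its own catalog) and CVE-2026-0992 (repeated entries pointing at the same downstream catalog), come from walking a catalog graph without remembering which catalogs have already been consulted. The following miniature resolver is an added example, not libxml2's code; its catalog model (uris, delegates, nextCatalogs), resolveUri, MAX_DEPTH and the sample catalogs are assumptions.

```javascript
// Added example, not libxml2's code: a miniature XML-catalog resolver whose
// model, resolveUri, MAX_DEPTH and sample catalogs are assumptions.
const MAX_DEPTH = 32; // assumed hard cap, a backstop behind the visited set

// catalogs: id -> { uris?, delegates?, nextCatalogs? }
//   uris:         { [uri]: resolvedLocation }
//   delegates:    [{ prefix, catalog }]  consult `catalog` for uris under prefix
//   nextCatalogs: [catalogId]            fall through to these, in order
// Resolves `uri` starting from catalog `startId`. Each catalog is consulted at
// most once per lookup: consulting it a second time cannot change the answer,
// and skipping the repeat is what breaks both the self-referencing delegate
// cycle and the redundant re-walk of a catalog that is listed many times.
function resolveUri(catalogs, startId, uri, stats = { visits: 0 }) {
  const visited = new Set();

  function visit(id, depth) {
    if (depth > MAX_DEPTH) throw new Error(`catalog nesting deeper than ${MAX_DEPTH}`);
    if (visited.has(id)) return null;
    visited.add(id);
    stats.visits += 1;
    const cat = catalogs[id];
    if (!cat) return null;
    if (cat.uris && Object.prototype.hasOwnProperty.call(cat.uris, uri)) {
      return cat.uris[uri];
    }
    for (const d of cat.delegates || []) {
      if (uri.startsWith(d.prefix)) {
        const r = visit(d.catalog, depth + 1);
        if (r !== null) return r;
      }
    }
    for (const next of cat.nextCatalogs || []) {
      const r = visit(next, depth + 1);
      if (r !== null) return r;
    }
    return null;
  }

  return visit(startId, 0);
}

// Constructed sample catalogs (not real catalog files).
const SAMPLE_CATALOGS = {
  // CVE-2026-0990 shape: a delegate entry that points back at its own catalog.
  selfRef: { delegates: [{ prefix: 'http://example.test/', catalog: 'selfRef' }] },
  // CVE-2026-0992 shape: many entries naming the same downstream catalog.
  fanOut: {
    delegates: [{ prefix: 'http://', catalog: 'leaf' }],
    nextCatalogs: ['leaf', 'leaf', 'leaf', 'leaf', 'leaf'],
  },
  leaf: { uris: { 'http://example.test/schema.xsd': 'file:///srv/schemas/schema.xsd' } },
};

// One lookup against each shape, returning the answer and how many catalogs
// were actually opened.
function demoCatalogLookups() {
  const cycle = { visits: 0 };
  const hit = { visits: 0 };
  const miss = { visits: 0 };
  return {
    cycle: { result: resolveUri(SAMPLE_CATALOGS, 'selfRef', 'http://example.test/a.dtd', cycle), visits: cycle.visits },
    hit: { result: resolveUri(SAMPLE_CATALOGS, 'fanOut', 'http://example.test/schema.xsd', hit), visits: hit.visits },
    miss: { result: resolveUri(SAMPLE_CATALOGS, 'fanOut', 'http://other.test/x.xsd', miss), visits: miss.visits },
  };
}
```

Without the visited set, the selfRef lookup recurses until the stack is exhausted (the crash in CVE-2026-0990) and the fanOut miss walks leaf six times instead of once (the CPU burn in CVE-2026-0992); with it, both lookups open each catalog exactly once. The depth cap is kept as a second line of defence for legitimately deep but acyclic chains. Real resolvers implement the OASIS catalog rules with more states than this sketch; only the guard is the point here.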
Threat Entry Updated 2026-01-29

CVE-2026-22645 - Incoming Goods Suite Plugin

The application discloses all used components, versions and license information to unauthenticated actors, giving attackers the opportunity to target known security vulnerabilities of used components.

PLUGIN Incoming Goods Suite

CVE-2026-22645

MEDIUM CVSS 5.3 2026-01-15
Threat Entry Updated 2026-01-29

CVE-2026-22644 - Incoming Goods Suite Plugin

Certain requests pass the authentication token in the URL as a query-string parameter, which exposes it to theft through server logs, proxy logs and Referer headers and could allow an attacker to hijack the user's session and gain unauthorized access.

PLUGIN Incoming Goods Suite

CVE-2026-22644

MEDIUM CVSS 5.3 2026-01-15
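Detection logic for the exposure described in CVE-2026-22644, as an added example rather than code from the Incoming Goods Suite: it scans combined-format access-log lines for tokens passed in the query string and returns scrubbed copies. SENSITIVE_PARAMS, the regular expressions and the sample log lines (including the token value) are constructed for this illustration.

```javascript
// Added example, not code from the Incoming Goods Suite: flags and scrubs
// authentication tokens carried in the query string of access-log request
// lines. SENSITIVE_PARAMS, the regexes and the sample lines are constructed.
const SENSITIVE_PARAMS = new Set([
  'token', 'access_token', 'auth', 'api_key', 'apikey', 'session', 'sessionid', 'jwt',
]);
// Request-line field of a combined-format entry: method, target, version.
const REQUEST_LINE = /"(?:GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS)\s+(\S+)\s+HTTP\/[\d.]+"/;

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Names of sensitive parameters present in a request target, in first-seen order.
function sensitiveParamsIn(target) {
  const q = target.indexOf('?');
  if (q === -1) return [];
  const hits = [];
  for (const name of new URLSearchParams(target.slice(q + 1)).keys()) {
    if (SENSITIVE_PARAMS.has(name.toLowerCase()) && !hits.includes(name)) hits.push(name);
  }
  return hits;
}

// Scans log lines; returns one finding per offending line plus a copy of every
// line with the sensitive values replaced, which is the form that should be
// retained or forwarded instead of the original.
function scanAccessLog(lines) {
  const findings = [];
  const redacted = [];
  for (const line of lines) {
    const m = REQUEST_LINE.exec(line);
    const hits = m ? sensitiveParamsIn(m[1]) : [];
    if (hits.length === 0) {
      redacted.push(line);
      continue;
    }
    findings.push({ target: m[1], params: hits });
    let safe = line;
    for (const name of hits) {
      // A value runs until the next '&', whitespace or the closing quote.
      const re = new RegExp('([?&]' + escapeRegExp(name) + '=)[^&\\s"]*', 'gi');
      safe = safe.replace(re, '$1[REDACTED]');
    }
    redacted.push(safe);
  }
  return { findings, redacted };
}

// Constructed sample in combined log format; the token value is made up.
const SAMPLE_LOG = [
  '10.0.0.5 - - [15/Jan/2026:10:12:01 +0000] "GET /api/goods/list?page=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '10.0.0.7 - - [15/Jan/2026:10:12:03 +0000] "GET /api/goods/export?format=csv&token=eyJhbGciOiJIUzI1NiJ9.demo.sig HTTP/1.1" 200 8192 "https://igs.example/app" "Mozilla/5.0"',
  '10.0.0.9 - - [15/Jan/2026:10:12:05 +0000] "POST /api/login HTTP/1.1" 302 0 "-" "curl/8.0"',
];
```

The scan is for finding where tokens have already landed and for scrubbing retained logs; it does not fix the application. That fix is to move the token out of the URL, into an Authorization header or an HttpOnly, Secure cookie, and to set a Referrer-Policy so that whatever remains in the URL is not forwarded to third-party sites. Any token that has appeared in a log line should be treated as compromised and rotated.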
Threat Entry Updated 2026-01-29

CVE-2026-22646 - Incoming Goods Suite Plugin

Certain error messages returned by the application expose internal system details (such as file paths, database errors, or software versions) that should not be visible to end users. This gives attackers reconnaissance information that can be used to map the application's internal structure and to discover other, more critical vulnerabilities.

PLUGIN Incoming Goods Suite

CVE-2026-22646

MEDIUM CVSS 4.3 2026-01-15
Threat Entry Updated 2026-01-23

CVE-2026-0897 - Keras Plugin

Allocation of Resources Without Limits or Throttling in the HDF5 weight loading component in Google Keras 3.0.0 through 3.13.0 on all platforms allows a remote attacker to cause a Denial of Service (DoS) through memory exhaustion and a crash of the Python interpreter via a crafted .keras archive containing a valid model.weights.h5 file whose dataset declares an extremely large shape.

PLUGIN Keras

CVE-2026-0897

HIGH CVSS 7.1 2026-01-15
Threat Entry Updated 2026-01-16

CVE-2025-13859 - Amazon Affiliate Plugin

The AffiliateX – Amazon Affiliate Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_customization_settings AJAX action in versions 1.0.0 to 1.3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to store arbitrary JavaScript that executes whenever an AffiliateX block renders on the site.

PLUGIN Amazon Affiliate

CVE-2025-13859

MEDIUM CVSS 6.4 2026-01-15