
Live Vulnerability Intelligence

Threat Database


Total 14,261 | Critical 855 | High 2,811 | Medium 10,399
Threat Entry Updated 2026-01-21

CVE-2026-22871 - Guarddog Plugin

GuardDog is a CLI tool to identify malicious PyPI packages. Prior to 2.7.1, a path traversal vulnerability exists in GuardDog's safe_extract() function that allows malicious PyPI packages to write arbitrary files outside the intended extraction directory, leading to arbitrary file overwrite and remote code execution on systems running GuardDog. This vulnerability is fixed in 2.7.1.

PLUGIN Guarddog

CVE-2026-22871

HIGH CVSS 8.7 2026-01-13
Threat Entry Updated 2026-01-21

CVE-2026-22870 - Guarddog Plugin

GuardDog is a CLI tool to identify malicious PyPI packages. Prior to 2.7.1, GuardDog's safe_extract() function does not validate decompressed file sizes when extracting ZIP archives (wheels, eggs), allowing attackers to cause denial of service through zip bombs. A malicious package can consume gigabytes of disk space from a few megabytes of compressed data. This vulnerability is fixed in 2.7.1.

PLUGIN Guarddog

CVE-2026-22870

HIGH CVSS 7.1 2026-01-13
Threat Entry Updated 2026-01-29

CVE-2026-22869 - Eigent Plugin

Eigent is a multi-agent Workforce. A critical security vulnerability in the CI workflow (.github/workflows/ci.yml) allows arbitrary code execution from fork pull requests with repository write permissions. The vulnerable workflow uses pull_request_target trigger combined with checkout of untrusted PR code. An attacker can exploit this to steal credentials, post comments, push code, or create releases.

PLUGIN Eigent

CVE-2026-22869

HIGH CVSS 8.9 2026-01-13
Threat Entry Updated 2026-01-16

CVE-2026-22861 - iccDEV Plugin

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Prior to 2.3.1.2, there is a heap-based buffer overflow in SIccCalcOp::Describe() at IccProfLib/IccMpeCalc.cpp. This vulnerability affects users of the iccDEV library who process ICC color profiles. The vulnerability is fixed in 2.3.1.2.

PLUGIN iccDEV

CVE-2026-22861

HIGH CVSS 8.8 2026-01-13
Threat Entry Updated 2026-01-29

CVE-2026-22868 - Go Ethereum Plugin

go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shutdown/crash using a specially crafted message. This vulnerability is fixed in 1.16.8.

PLUGIN Go Ethereum

CVE-2026-22868

HIGH CVSS 7.1 2026-01-13
Threat Entry Updated 2026-01-29

CVE-2026-22862 - Go Ethereum Plugin

go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shutdown/crash using a specially crafted message. This vulnerability is fixed in 1.16.8.

PLUGIN Go Ethereum

CVE-2026-22862

HIGH CVSS 7.1 2026-01-13
Threat Entry Updated 2026-01-14

CVE-2026-21303 - Substance3D - Modeler Plugin

Substance3D - Modeler versions 1.22.4 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

PLUGIN Substance3D - Modeler

CVE-2026-21303

MEDIUM CVSS 5.5 2026-01-13
Threat Entry Updated 2026-01-14

CVE-2026-21299 - Substance3D - Modeler Plugin

Substance3D - Modeler versions 1.22.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

PLUGIN Substance3D - Modeler

CVE-2026-21299

HIGH CVSS 7.8 2026-01-13
Threat Entry Updated 2026-01-14

CVE-2026-21298 - Substance3D - Modeler Plugin

Substance3D - Modeler versions 1.22.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

PLUGIN Substance3D - Modeler

CVE-2026-21298

HIGH CVSS 7.8 2026-01-13
Threat Entry Updated 2026-01-14

CVE-2026-21302 - Substance3D - Modeler Plugin

Substance3D - Modeler versions 1.22.4 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

PLUGIN Substance3D - Modeler

CVE-2026-21302

MEDIUM CVSS 5.5 2026-01-13
Threat Entry Updated 2026-01-14

CVE-2026-21301 - Substance3D - Modeler Plugin

Substance3D - Modeler versions 1.22.4 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

PLUGIN Substance3D - Modeler

CVE-2026-21301

MEDIUM CVSS 5.5 2026-01-13
Threat Entry Updated 2026-01-14

CVE-2026-21300 - Substance3D - Modeler Plugin

Substance3D - Modeler versions 1.22.4 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

PLUGIN Substance3D - Modeler

CVE-2026-21300

MEDIUM CVSS 5.5 2026-01-13
Threat Entry Updated 2026-01-22

CVE-2026-0543 - Kibana Plugin

Improper Input Validation (CWE-20) in Kibana's Email Connector can allow an attacker to cause an Excessive Allocation (CAPEC-130) through a specially crafted email address parameter. This requires an attacker to have authenticated access with view-level privileges sufficient to execute connector actions. The application attempts to process the specially crafted email format, resulting in complete service unavailability for all users until a manual restart is performed.

PLUGIN Kibana

CVE-2026-0543

MEDIUM CVSS 6.5 2026-01-13
Threat Entry Updated 2026-01-22

CVE-2026-0531 - Kibana Plugin

Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent to the viewer role, which grants read access to agent policies. The crafted request can cause the application to perform redundant database retrieval operations that immediately consume memory until the server crashes and becomes unavailable to all users.

PLUGIN Kibana

CVE-2026-0531

MEDIUM CVSS 6.5 2026-01-13
Threat Entry Updated 2026-01-22

CVE-2026-0530 - Kibana Plugin

Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted request. This causes the application to perform redundant processing operations that continuously consume system resources until service degradation or complete unavailability occurs.

PLUGIN Kibana

CVE-2026-0530

MEDIUM CVSS 6.5 2026-01-13
Threat Entry Updated 2026-01-22

CVE-2026-0528 - Metricbeat Plugin

Improper Validation of Array Index (CWE-129) exists in Metricbeat and can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed payloads sent to the Graphite server metricset or Zookeeper server metricset. Additionally, Improper Input Validation (CWE-20) exists in the Prometheus helper module that can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed metric data.

PLUGIN Metricbeat

CVE-2026-0528

MEDIUM CVSS 6.5 2026-01-13
Threat Entry Updated 2026-01-20

CVE-2026-22818 - Hono Plugin

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, a flaw in Hono's JWK/JWKS JWT verification middleware allowed the algorithm specified in the JWT header to influence signature verification when the selected JWK did not explicitly define an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted. The JWK/JWKS JWT verification middleware has been updated to require an explicit allowlist of asymmetric algorithms when verifying tokens. The middleware no longer derives the verification…

PLUGIN Hono

CVE-2026-22818

HIGH CVSS 8.2 2026-01-13
Threat Entry Updated 2026-01-20

CVE-2026-22817 - Hono Plugin

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, a flaw in Hono's JWK/JWKS JWT verification middleware allowed the JWT header's alg value to influence signature verification when the selected JWK did not explicitly specify an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted. As part of this fix, the JWT middleware now requires the alg option to be explicitly specified. This prevents algorithm confusion by ensuring that the verification algorithm is…

PLUGIN Hono

CVE-2026-22817

HIGH CVSS 8.2 2026-01-13
Threat Entry Updated 2026-01-14

CVE-2026-22814 - Lucid Plugin

@adonisjs/lucid is an SQL ORM for AdonisJS built on top of Knex. Prior to 21.8.2 and 22.0.0-next.6, there is a Mass Assignment vulnerability in AdonisJS Lucid which may allow a remote attacker who can influence data that is passed into Lucid model assignments to overwrite the internal ORM state. This may lead to logic bypasses and unauthorized record modification within a table or model. This affects @adonisjs/lucid through version 21.8.1 and 22.x pre-release versions prior to 22.0.0-next.6. This has been patched in @adonisjs/lucid versions 21.8.2 and 22.0.0-next.6.

PLUGIN Lucid

CVE-2026-22814

HIGH CVSS 8.2 2026-01-13
Threat Entry Updated 2026-01-20

CVE-2026-22809 - tarteaucitron.js Plugin

tarteaucitron.js is a compliant and accessible cookie banner. Prior to 1.29.0, a Regular Expression Denial of Service (ReDoS) vulnerability was identified in tarteaucitron.js in the handling of the issuu_id parameter. This vulnerability is fixed in 1.29.0.

PLUGIN tarteaucitron.js

CVE-2026-22809

MEDIUM CVSS 4.4 2026-01-13