Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-02-05
CVE-2026-22771 - Gateway Plugin
Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. Prior to 1.5.7 and 1.6.2, EnvoyExtensionPolicy Lua scripts executed by Envoy proxy can be used to leak the proxy's credentials. These credentials can then be used to communicate with the control plane and gain access to all secrets that are used by Envoy proxy, e.g. TLS private keys and credentials used for downstream and upstream communication. This vulnerability is fixed in 1.5.7 and 1.6.2.
PLUGIN
Gateway
CVE-2026-22771
Risk Score
Threat Entry
Updated 2026-01-15
CVE-2026-22776 - Cpp Httplib Plugin
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.1, a Denial of Service (DoS) vulnerability exists in cpp-httplib due to the unsafe handling of compressed HTTP request bodies (Content-Encoding: gzip, br, etc.). The library validates the payload_max_length against the compressed data size received from the network, but does not limit the size of the decompressed data stored in memory.
PLUGIN
Cpp Httplib
CVE-2026-22776
Risk Score
Threat Entry
Updated 2026-01-27
CVE-2026-22200 - osTicket Plugin
Enhancesoft osTicket versions 1.18.x prior to 1.18.3 and 1.17.x prior to 1.17.7 contain an arbitrary file read vulnerability in the ticket PDF export functionality. A remote attacker can submit a ticket containing crafted rich-text HTML that includes PHP filter expressions which are insufficiently sanitized before being processed by the mPDF PDF generator during export. When the attacker exports the ticket to PDF, the generated PDF can embed the contents of attacker-selected files from the server filesystem as bitmap images, allowing disclosure of sensitive local files in the context of the…
PLUGIN
osTicket
CVE-2026-22200
Risk Score
Threat Entry
Updated 2026-01-27
CVE-2026-22251 - Wlc Plugin
wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers.
PLUGIN
Wlc
CVE-2026-22251
Risk Score
Threat Entry
Updated 2026-01-27
CVE-2026-22250 - Wlc Plugin
wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, the SSL verification would be skipped for some crafted URLs. This vulnerability is fixed in 1.17.0.
PLUGIN
Wlc
CVE-2026-22250
Risk Score
Threat Entry
Updated 2026-01-27
CVE-2026-22033 - Label Studio Plugin
Label Studio is a multi-type data labeling and annotation tool. In 1.22.0 and earlier, a persistent stored cross-site scripting (XSS) vulnerability exists in the custom_hotkeys functionality of the application. An authenticated attacker (or one who can trick a user/administrator into updating their custom_hotkeys) can inject JavaScript code that executes in other users’ browsers when those users load any page using the templates/base.html template. Because the application exposes an API token endpoint (/api/current-user/token) to the browser and lacks robust CSRF protection on some API endpoints, the injected script may fetch the…
PLUGIN
Label Studio
CVE-2026-22033
Risk Score
Threat Entry
Updated 2026-01-22
CVE-2026-22050 - ONTAP 9 Plugin
ONTAP versions 9.16.1 prior to 9.16.1P9 and 9.17.1 prior to 9.17.1P2 with snapshot locking enabled are susceptible to a vulnerability which could allow a privileged remote attacker to set the snapshot expiry time to none.
PLUGIN
ONTAP 9
CVE-2026-22050
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2026-0855 - IPD Plugin
Certain IP Camera models developed by Merit LILIN has a OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the device.
PLUGIN
IPD
CVE-2026-0855
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2026-0854 - NVR100L Plugin
Certain DVR/NVR models developed by Merit LILIN has a OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the device.
PLUGIN
NVR100L
CVE-2026-0854
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2025-14579 - Quiz Maker Plugin
The Quiz Maker WordPress plugin before 6.7.0.89 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Quiz Maker
CVE-2025-14579
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2026-0853 - AP-BS404 Plugin
Certain NVR models developed by A-Plus Video Technologies has a Sensitive Data Exposure vulnerability, allowing unauthenticated remote attackers to access the debug page and obtain device status information.
PLUGIN
AP-BS404
CVE-2026-0853
Risk Score
Threat Entry
Updated 2026-01-14
CVE-2026-0852 - Online Music Site Plugin
A security flaw has been discovered in code-projects Online Music Site 1.0. The impacted element is an unknown function of the file /Administrator/PHP/AdminUpdateUser.php. The manipulation of the argument ID results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.
PLUGIN
Online Music Site
CVE-2026-0852
Risk Score
Threat Entry
Updated 2026-01-14
CVE-2026-0851 - Online Music Site Plugin
A vulnerability was identified in code-projects Online Music Site 1.0. The affected element is an unknown function of the file /Administrator/PHP/AdminAddUser.php. The manipulation of the argument txtusername leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.
PLUGIN
Online Music Site
CVE-2026-0851
Risk Score
Threat Entry
Updated 2026-01-14
CVE-2026-0850 - Intern Membership Management System Plugin
A vulnerability was determined in code-projects Intern Membership Management System 1.0. Impacted is an unknown function of the file /admin/delete_activity.php. Executing a manipulation of the argument activity_id can lead to sql injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.
PLUGIN
Intern Membership Management System
CVE-2026-0850
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2026-0843 - jjjshop_food Plugin
A vulnerability has been found in jiujiujia/victor123/wxw850227 jjjfood and jjjshop_food up to 20260103. This vulnerability affects unknown code of the file /index.php/api/product.category/index. Such manipulation of the argument latitude leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product is distributed under multiple different names. The vendor was contacted early about this disclosure but did not respond in any way.
PLUGIN
jjjshop_food
CVE-2026-0843
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2026-0842 - smART Sketcher Plugin
A flaw has been found in Flycatcher Toys smART Sketcher up to 2.0. This affects an unknown part of the component Bluetooth Low Energy Interface. This manipulation causes missing authentication. The attack can only be done within the local network. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
PLUGIN
smART Sketcher
CVE-2026-0842
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2026-0841 - 进取 520W Plugin
A vulnerability was detected in UTT 进取 520W 1.7.7-180627. Affected by this issue is the function strcpy of the file /goform/formPictureUrl. The manipulation of the argument importpictureurl results in buffer overflow. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
PLUGIN
进取 520W
CVE-2026-0841
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2026-0840 - 进取 520W Plugin
A security vulnerability has been detected in UTT 进取 520W 1.7.7-180627. Affected by this vulnerability is the function strcpy of the file /goform/formConfigNoticeConfig. The manipulation of the argument timestart leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
PLUGIN
进取 520W
CVE-2026-0840
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2026-0839 - 进取 520W Plugin
A weakness has been identified in UTT 进取 520W 1.7.7-180627. Affected is the function strcpy of the file /goform/APSecurity. Executing a manipulation of the argument wepkey1 can lead to buffer overflow. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
PLUGIN
进取 520W
CVE-2026-0839
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2026-0838 - 进取 520W Plugin
A security flaw has been discovered in UTT 进取 520W 1.7.7-180627. This impacts the function strcpy of the file /goform/ConfigWirelessBase. Performing a manipulation of the argument ssid results in buffer overflow. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
PLUGIN
进取 520W
CVE-2026-0838
Risk Score