Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 14,261 | Critical 855 | High 2,811 | Medium 10,399

Showing 1801-1820 of 14261 records
Threat Entry Updated 2026-01-13

CVE-2026-22256 - Salvo Plugin

Salvo is a Rust web backend framework. Prior to version 0.88.1, the function list_html generates a file view of a folder which includes a render of the current path, and that path is inserted into the HTML without proper sanitisation. This leads to reflected XSS, because the request path is decoded and normalized in the matching stage but is inserted raw into the HTML view (current.path). The only constraint here is for the root path (e.g. /files in the PoC example) to have a sub directory (e.g. common…

PLUGIN Salvo

CVE-2026-22256

HIGH CVSS 8.8 2026-01-08
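The unsafe pattern the Salvo entry describes, rebuilt in Python as an added example (my own code, not Salvo's and not a Salvo exploit): a directory listing whose template interpolates the decoded request path verbatim, shown beside the same renderer with HTML escaping applied to the path and to entry names. The `/files/common/...` route, the helper names and the payload path are constructed for illustration.

```python
"""Reflected XSS via a directory-listing template that echoes the decoded
request path. Added illustration, not Salvo code."""
import html
from urllib.parse import unquote


def render_listing_vulnerable(raw_path: str, entries: list[str]) -> str:
    # The router matched on the decoded, normalised path; the template then
    # drops the same decoded string straight into the page.
    current = unquote(raw_path)
    items = "".join(f'<li><a href="{current}/{e}">{e}</a></li>' for e in entries)
    return f"<h1>Index of {current}</h1><ul>{items}</ul>"


def render_listing_hardened(raw_path: str, entries: list[str]) -> str:
    # Same listing, but every untrusted value is escaped for the context it
    # lands in (text node or quoted attribute) before concatenation.
    current = html.escape(unquote(raw_path), quote=True)
    items = "".join(
        f'<li><a href="{current}/{html.escape(e, quote=True)}">{html.escape(e)}</a></li>'
        for e in entries
    )
    return f"<h1>Index of {current}</h1><ul>{items}</ul>"


def contains_raw_script(page: str) -> bool:
    """Crude check used to compare the two renderers: is an unescaped <script> tag present?"""
    return "<script>" in page.lower()


# Constructed request path: percent-encoded so it passes through a URL parser,
# decoded once by unquote() exactly as a router would before matching.
PAYLOAD_PATH = "/files/common/%3Cscript%3Ealert(1)%3C%2Fscript%3E"

if __name__ == "__main__":
    print(render_listing_vulnerable(PAYLOAD_PATH, ["a.txt"]))
    print(render_listing_hardened(PAYLOAD_PATH, ["a.txt"]))
```

The point to check in any listing or error page: the value inserted must be the one escaped for the output context, not the one the router matched on; decoding and normalisation happen before matching and do not make the string safe for HTML.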
Threat Entry Updated 2026-02-02

CVE-2026-21860 - Werkzeug Plugin

Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.5, Werkzeug's safe_join function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such as CON, AUX, etc. that are implicitly present and readable in every directory. Windows still accepts them with any file extension, such as CON.txt, or with trailing spaces, such as "CON " (note the trailing space). This issue has been patched in version 3.1.5.

PLUGIN Werkzeug

CVE-2026-21860

MEDIUM CVSS 6.3 2026-01-08
Threat Entry Updated 2026-02-02

CVE-2026-22253 - Soft Serve Plugin

Soft Serve is a self-hostable Git server for the command line. Prior to version 0.11.2, an authorization bypass in the LFS lock deletion endpoint allows any authenticated user with repository write access to delete locks owned by other users by setting the force flag. The vulnerable code path processes force deletions before retrieving user context, bypassing ownership validation entirely. This issue has been patched in version 0.11.2.

PLUGIN Soft Serve

CVE-2026-22253

MEDIUM CVSS 5.4 2026-01-08
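The ordering defect the Soft Serve entry describes, reduced to a Python sketch as an added example (my own code, not Soft Serve's Go implementation): the vulnerable handler honours `force` before it has resolved the caller, so the ownership comparison never runs; the hardened handler resolves caller and lock first and lets only an administrator (an assumed policy for this sketch) force-delete another user's lock. The lock store, users and lock IDs are constructed.

```python
"""Authorization bypass from checking `force` before resolving the caller.
Added example modelled on the advisory text, not Soft Serve code."""
from dataclasses import dataclass, field


@dataclass
class Lock:
    lock_id: str
    path: str
    owner: str


@dataclass
class User:
    name: str
    can_write: bool
    is_admin: bool = False


@dataclass
class LockStore:
    locks: dict = field(default_factory=dict)

    def delete(self, lock_id: str):
        return self.locks.pop(lock_id, None)


class Forbidden(Exception):
    pass


def delete_lock_vulnerable(store: LockStore, user: User, lock_id: str, force: bool = False):
    # Bug: the force branch runs before the caller is consulted, so any
    # user who can reach this endpoint removes anyone's lock with force=True.
    if force:
        return store.delete(lock_id)
    lock = store.locks.get(lock_id)
    if lock is None:
        return None
    if lock.owner != user.name:
        raise Forbidden("not the lock owner")
    return store.delete(lock_id)


def delete_lock_hardened(store: LockStore, user: User, lock_id: str, force: bool = False):
    # Resolve caller and lock first; `force` is an additional privilege
    # (assumed here: admins only), never a substitute for the ownership check.
    if not user.can_write:
        raise Forbidden("write access required")
    lock = store.locks.get(lock_id)
    if lock is None:
        return None
    if lock.owner != user.name and not (force and user.is_admin):
        raise Forbidden("not the lock owner")
    return store.delete(lock_id)


def raises_forbidden(fn, *args, **kwargs) -> bool:
    """Helper for callers and tests: True if fn raised Forbidden."""
    try:
        fn(*args, **kwargs)
    except Forbidden:
        return True
    return False


def make_store() -> LockStore:
    # Constructed state: one lock held by bob.
    return LockStore({"1": Lock("1", "assets/big.bin", owner="bob")})


if __name__ == "__main__":
    alice = User("alice", can_write=True)
    print("vulnerable:", delete_lock_vulnerable(make_store(), alice, "1", force=True))
    print("hardened refuses:", raises_forbidden(delete_lock_hardened, make_store(), alice, "1", force=True))
```

The general rule this illustrates: every branch that mutates state must sit after the identity and ownership lookups, and an override flag from the request body must map to a distinct, explicitly granted privilege rather than skipping the check.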
Threat Entry Updated 2026-02-18

CVE-2026-22234 - eCase Portal Plugin

OPEXUS eCasePortal before version 9.0.45.0 allows an unauthenticated attacker to navigate to the 'Attachments.aspx' endpoint, iterate through predictable values of 'formid', and download or delete all user-uploaded files, or upload new files.

PLUGIN eCase Portal

CVE-2026-22234

CRITICAL CVSS 9.3 2026-01-08
Threat Entry Updated 2026-02-18

CVE-2026-22235 - eComplaint Plugin

OPEXUS eComplaint before version 9.0.45.0 allows an attacker to visit the 'DocumentOpen.aspx' endpoint, iterate through predictable values of 'chargeNumber', and download any uploaded files.

PLUGIN eComplaint

CVE-2026-22235

HIGH CVSS 8.7 2026-01-08
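The two OPEXUS entries above describe the same pattern: an endpoint keyed by a predictable numeric parameter (`Attachments.aspx?formid=` and `DocumentOpen.aspx?chargeNumber=`) with no check that the caller is entitled to that record. As an added detection example (not from the advisories or the vendor), the script below parses constructed common-log-format lines and flags any client that requests many distinct, closely spaced values of the parameter; the log format, thresholds and IP addresses are assumptions, and the same function is called with the second endpoint's path and parameter name to cover both entries.

```python
"""Flag clients walking a predictable ID space against one endpoint.
Added example with constructed log lines; not vendor tooling."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample in common log format (not real eCase/eComplaint logs).
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jan/2026:10:00:01 +0000] "GET /Attachments.aspx?formid=1001 HTTP/1.1" 200 5120
203.0.113.7 - - [08/Jan/2026:10:00:02 +0000] "GET /Attachments.aspx?formid=1002 HTTP/1.1" 200 4096
203.0.113.7 - - [08/Jan/2026:10:00:02 +0000] "GET /Attachments.aspx?formid=1003 HTTP/1.1" 200 7777
203.0.113.7 - - [08/Jan/2026:10:00:03 +0000] "GET /Attachments.aspx?formid=1004 HTTP/1.1" 200 1024
203.0.113.7 - - [08/Jan/2026:10:00:03 +0000] "GET /Attachments.aspx?formid=1005 HTTP/1.1" 200 2048
203.0.113.7 - - [08/Jan/2026:10:00:04 +0000] "GET /Attachments.aspx?formid=1006 HTTP/1.1" 404 300
198.51.100.4 - - [08/Jan/2026:10:01:00 +0000] "GET /Attachments.aspx?formid=2231 HTTP/1.1" 200 9000
198.51.100.4 - - [08/Jan/2026:10:05:00 +0000] "GET /Attachments.aspx?formid=2231 HTTP/1.1" 200 9000
192.0.2.9 - - [08/Jan/2026:10:07:00 +0000] "GET /DocumentOpen.aspx?chargeNumber=501 HTTP/1.1" 200 800
192.0.2.9 - - [08/Jan/2026:10:07:01 +0000] "GET /DocumentOpen.aspx?chargeNumber=502 HTTP/1.1" 200 800
192.0.2.9 - - [08/Jan/2026:10:07:01 +0000] "GET /DocumentOpen.aspx?chargeNumber=503 HTTP/1.1" 200 800
192.0.2.9 - - [08/Jan/2026:10:07:02 +0000] "GET /DocumentOpen.aspx?chargeNumber=504 HTTP/1.1" 200 800
192.0.2.9 - - [08/Jan/2026:10:07:02 +0000] "GET /DocumentOpen.aspx?chargeNumber=505 HTTP/1.1" 200 800
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Return {ip, method, path, status, params} for one log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "method": m["method"],
        "path": parts.path,
        "status": int(m["status"]),
        "params": parse_qs(parts.query),
    }


def detect_id_enumeration(log_text: str, path: str = "/Attachments.aspx",
                          param: str = "formid", min_distinct: int = 5,
                          max_gap: int = 3) -> dict:
    """Return {ip: sorted ids} for clients that requested at least min_distinct
    distinct numeric values of `param` on `path` with no gap larger than max_gap.
    Status codes are not filtered: 404s are part of a walk too."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"].lower() != path.lower():
            continue
        for value in rec["params"].get(param, []):
            if value.isdigit():
                seen[rec["ip"]].add(int(value))
    findings = {}
    for ip, ids in seen.items():
        ordered = sorted(ids)
        if len(ordered) < min_distinct:
            continue
        gaps = [b - a for a, b in zip(ordered, ordered[1:])]
        if gaps and max(gaps) <= max_gap:
            findings[ip] = ordered
    return findings


if __name__ == "__main__":
    print(detect_id_enumeration(SAMPLE_LOG))
    print(detect_id_enumeration(SAMPLE_LOG, path="/DocumentOpen.aspx", param="chargeNumber"))
```

Thresholds are a starting point: on a real deployment, baseline how many distinct IDs a legitimate user touches per session before alerting, and correlate with the absence of a session cookie, since the Attachments.aspx case is reachable unauthenticated.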
Threat Entry Updated 2026-01-13

CVE-2026-22587 - DevonWay Plugin

Ideagen DevonWay contains a stored cross site scripting vulnerability. A remote, authenticated attacker could craft a payload in the 'Reports' page that executes when another user views the report. Fixed in 2.62.4 and 2.62 LTS.

PLUGIN DevonWay

CVE-2026-22587

MEDIUM CVSS 4.8 2026-01-08
Threat Entry Updated 2026-02-05

CVE-2026-22233 - eCASE Audit Plugin

OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment in the "Estimated Staff Hours" field. The JavaScript is executed whenever another user visits the Project Cost tab. Fixed in OPEXUS eCASE Audit 11.14.2.0.

PLUGIN eCASE Audit

CVE-2026-22233

MEDIUM CVSS 4.8 2026-01-08
Threat Entry Updated 2026-02-05

CVE-2026-22232 - eCASE Audit Plugin

OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript in the "A or SIC Number" field within the Project Setup functionality. The JavaScript is executed whenever another user views the project. Fixed in OPEXUS eCASE Audit 11.14.2.0.

PLUGIN eCASE Audit

CVE-2026-22232

MEDIUM CVSS 4.8 2026-01-08
Threat Entry Updated 2026-01-26

CVE-2026-22230 - eCASE Audit Plugin

OPEXUS eCASE Audit allows an authenticated attacker to modify client-side JavaScript or craft HTTP requests to access functions or buttons that have been disabled or blocked by an administrator. Fixed in eCASE Platform 11.14.1.0.

PLUGIN eCASE Audit

CVE-2026-22230

HIGH CVSS 7.2 2026-01-08
Threat Entry Updated 2026-02-02

CVE-2026-21896 - Kirby Plugin

Kirby is an open-source content management system. In versions 5.0.0 through 5.2.1, Kirby is missing permission checks in the content changes API. This vulnerability affects all Kirby sites where user permissions are configured to prevent specific role(s) from performing write actions, specifically by disabling the update permission with the intent of preventing modifications to site content. Sites that have not deviated from the default user permissions are not affected. This issue has been patched in version 5.2.2.

PLUGIN Kirby

CVE-2026-21896

MEDIUM CVSS 5.8 2026-01-08
Threat Entry Updated 2026-02-05

CVE-2026-22231 - eCASE Audit Plugin

OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment within the Document Check Out functionality. The JavaScript is executed whenever another user views the Action History Log. Fixed in OPEXUS eCASE Platform 11.14.1.0.

PLUGIN eCASE Audit

CVE-2026-22231

MEDIUM CVSS 4.8 2026-01-08
Threat Entry Updated 2026-01-08

CVE-2026-22522 - Block Slider Plugin

Missing Authorization vulnerability in Munir Kamal Block Slider allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Block Slider: from n/a through 2.2.3.

PLUGIN Block Slider

CVE-2026-22522

MEDIUM CVSS 6.5 2026-01-08
Threat Entry Updated 2026-01-08

CVE-2026-22519 - MediaPress Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BuddyDev MediaPress allows Stored XSS. This issue affects MediaPress: from n/a through 1.6.2.

PLUGIN MediaPress

CVE-2026-22519

MEDIUM CVSS 6.5 2026-01-08
Threat Entry Updated 2026-01-08

CVE-2026-22518 - Elementor Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pencilwp X Addons for Elementor allows DOM-Based XSS. This issue affects X Addons for Elementor: from n/a through 1.0.23.

PLUGIN Elementor

CVE-2026-22518

MEDIUM CVSS 6.5 2026-01-08
Threat Entry Updated 2026-04-23

CVE-2026-22517 - GA4WP: Google Analytics for WordPress Plugin

Missing Authorization vulnerability in Passionate Brains GA4WP: Google Analytics for WordPress ga-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GA4WP: Google Analytics for WordPress: from n/a through

PLUGIN GA4WP: Google Analytics for WordPress

CVE-2026-22517

MEDIUM CVSS 5.4 2026-01-08
Threat Entry Updated 2026-04-23

CVE-2026-22490 - Bulk Landing Page Creator for WordPress LPagery Plugin

Missing Authorization vulnerability in niklaslindemann Bulk Landing Page Creator for WordPress LPagery lpagery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bulk Landing Page Creator for WordPress LPagery: from n/a through

PLUGIN Bulk Landing Page Creator for WordPress LPagery

CVE-2026-22490

MEDIUM CVSS 5.4 2026-01-08
Threat Entry Updated 2026-01-08

CVE-2026-22488 - Dashboard Welcome for Beaver Builder Plugin

Missing Authorization vulnerability in IdeaBox Creations Dashboard Welcome for Beaver Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Dashboard Welcome for Beaver Builder: from n/a through 1.0.8.

PLUGIN Dashboard Welcome for Beaver Builder

CVE-2026-22488

MEDIUM CVSS 5.3 2026-01-08
Threat Entry Updated 2026-01-08

CVE-2026-22492 - Docket Cache Plugin

Missing Authorization vulnerability in Nawawi Jamili Docket Cache allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Docket Cache: from n/a through 24.07.04.

PLUGIN Docket Cache

CVE-2026-22492

MEDIUM CVSS 4.3 2026-01-08
Threat Entry Updated 2026-01-08

CVE-2026-22489 - Image Slider Slideshow Plugin

Authorization Bypass Through User-Controlled Key vulnerability in Wptexture Image Slider Slideshow allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Image Slider Slideshow: from n/a through 1.8.

PLUGIN Image Slider Slideshow

CVE-2026-22489

MEDIUM CVSS 4.3 2026-01-08
Threat Entry Updated 2026-01-14

CVE-2026-21638 - UDB-Pro/UDB-Pro-Sector Plugin

A malicious actor in Wi-Fi range of the affected product could leverage a vulnerability in the airMAX Wireless Protocol to achieve remote code execution (RCE) within the affected product.

Affected Products:
UBB-XG (Version 1.2.2 and earlier)
UDB-Pro/UDB-Pro-Sector (Version 1.4.1 and earlier)
UBB (Version 3.1.5 and earlier)

Mitigation:
Update your UBB-XG to Version 1.2.3 or later.
Update your UDB-Pro/UDB-Pro-Sector to Version 1.4.2 or later.
Update your UBB to Version 3.1.7 or later.

PLUGIN UDB-Pro/UDB-Pro-Sector

CVE-2026-21638

HIGH CVSS 8.8 2026-01-08