Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 14,261 | Critical 855 | High 2,811 | Medium 10,399
Showing 1841-1860 of 14261 records
Threat Entry Updated 2026-02-17

CVE-2026-0719 - Red Hat Enterprise Linux 10 Plugin

A flaw was identified in the NTLM authentication handling of the libsoup HTTP library, used by GNOME and other applications for network communication. When processing extremely long passwords, an internal size calculation can overflow due to improper use of signed integers. This results in incorrect memory allocation on the stack, followed by unsafe memory copying. As a result, applications using libsoup may crash unexpectedly, creating a denial-of-service risk.

PLUGIN Red Hat Enterprise Linux 10

CVE-2026-0719

HIGH CVSS 8.6 2026-01-08
Threat Entry Updated 2026-01-12

CVE-2026-22242 - CoreShop Plugin

CoreShop is a Pimcore enhanced eCommerce solution. Prior to version 4.1.8, a blind SQL injection vulnerability exists in the application that allows an authenticated administrator-level user to extract database contents using boolean-based or time-based techniques. The database account used by the application is read-only and non-DBA, limiting impact to confidential data disclosure only. No data modification or service disruption is possible. This issue has been patched in version 4.1.8.

PLUGIN CoreShop

CVE-2026-22242

MEDIUM CVSS 4.9 2026-01-08
Threat Entry Updated 2026-01-15

CVE-2026-21873 - Nicegui Plugin

NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the pushstate event listener used by ui.sub_pages allows an attacker to manipulate the fragment identifier of the URL, which they can do even from a cross-site origin by embedding the application in an iframe. This issue has been patched in version 3.5.0.

PLUGIN Nicegui

CVE-2026-21873

HIGH CVSS 7.2 2026-01-08
Threat Entry Updated 2026-01-20

CVE-2026-21894 - N8n Plugin

n8n is an open source workflow automation platform. In versions from 0.150.0 to before 2.2.2, an authentication bypass vulnerability in the Stripe Trigger node allows unauthenticated parties to trigger workflows by sending forged Stripe webhook events. The Stripe Trigger creates and stores a Stripe webhook signing secret when registering the webhook endpoint, but incoming webhook requests were not verified against this secret. As a result, any HTTP client that knows the webhook URL could send a POST request containing a matching event type, causing the workflow to execute as if…

PLUGIN N8n

CVE-2026-21894

MEDIUM CVSS 6.5 2026-01-08
Threat Entry Updated 2026-01-15

CVE-2026-21872 - Nicegui Plugin

NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the click event listener used by ui.sub_pages, combined with attacker-controlled link rendering on the page, causes XSS when the user actively clicks on the link. This issue has been patched in version 3.5.0.

PLUGIN Nicegui

CVE-2026-21872

MEDIUM CVSS 6.1 2026-01-08
Threat Entry Updated 2026-01-15

CVE-2026-21871 - Nicegui Plugin

NiceGUI is a Python-based UI framework. From versions 2.13.0 to 3.4.1, there is an XSS risk in NiceGUI when developers pass attacker-controlled strings into ui.navigate.history.push() or ui.navigate.history.replace(). These helpers are documented as History API wrappers for updating the browser URL without a page reload. However, if the URL argument is embedded into generated JavaScript without proper escaping, a crafted payload can break out of the intended string context and execute arbitrary JavaScript in the victim's browser. Applications that do not pass untrusted input into ui.navigate.history.push/replace are not affected. This issue has…

PLUGIN Nicegui

CVE-2026-21871

MEDIUM CVSS 6.1 2026-01-08
Threat Entry Updated 2026-01-15

CVE-2026-21874 - Nicegui Plugin

NiceGUI is a Python-based UI framework. From versions v2.10.0 to 3.4.1, an unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Connections are never released, leading to service degradation when Redis hits its connection limit. NiceGUI continues accepting new connections - errors are logged but the app stays up with broken storage functionality. This issue has been patched in version 3.5.0.

PLUGIN Nicegui

CVE-2026-21874

MEDIUM CVSS 5.3 2026-01-08
Threat Entry Updated 2026-04-23

CVE-2026-0674 - Campaign Monitor for WordPress Plugin

Missing Authorization vulnerability in Campaign Monitor Campaign Monitor for WordPress (forms-for-campaign-monitor) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Campaign Monitor for WordPress: from n/a through

PLUGIN Campaign Monitor for WordPress

CVE-2026-0674

MEDIUM CVSS 4.3 2026-01-08
Threat Entry Updated 2026-01-08

CVE-2025-14984 - Gutenverse Form Plugin

The Gutenverse Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file upload in all versions up to, and including, 2.3.2. This is due to the plugin's framework component adding SVG to the allowed MIME types via the upload_mimes filter without implementing any sanitization of SVG file contents. This makes it possible for authenticated attackers, with Author-level access and above, to upload SVG files containing malicious JavaScript that executes when the file is viewed, leading to arbitrary JavaScript execution in victims' browsers.

PLUGIN Gutenverse Form

CVE-2025-14984

MEDIUM CVSS 6.4 2026-01-08
Threat Entry Updated 2026-02-23

CVE-2026-0701 - Intern Membership Management System Plugin

A vulnerability was identified in code-projects Intern Membership Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /intern/admin/add_admin.php. The manipulation of the argument Username leads to sql injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used.

PLUGIN Intern Membership Management System

CVE-2026-0701

MEDIUM CVSS 5.1 2026-01-08
Threat Entry Updated 2026-01-12

CVE-2026-0700 - Intern Membership Management System Plugin

A vulnerability was determined in code-projects Intern Membership Management System 1.0. Affected is an unknown function of the file /intern/admin/check_admin.php. Executing a manipulation of the argument Username can lead to sql injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized.

PLUGIN Intern Membership Management System

CVE-2026-0700

MEDIUM CVSS 6.9 2026-01-08
Threat Entry Updated 2026-01-12

CVE-2026-0699 - Intern Membership Management System Plugin

A vulnerability was found in code-projects Intern Membership Management System 1.0. This impacts an unknown function of the file /intern/admin/edit_activity.php. Performing a manipulation of the argument activity_id results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used.

PLUGIN Intern Membership Management System

CVE-2026-0699

MEDIUM CVSS 5.1 2026-01-08
Threat Entry Updated 2026-01-08

CVE-2025-13679 - Elearning And Online Course Solution Plugin

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_order_by_id() function in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate order IDs and exfiltrate sensitive data (PII), such as student name, email address, phone number, and billing address.

PLUGIN Elearning And Online Course Solution

CVE-2025-13679

MEDIUM CVSS 6.5 2026-01-08
Threat Entry Updated 2026-01-09

CVE-2026-0698 - Intern Membership Management System Plugin

A vulnerability has been found in code-projects Intern Membership Management System 1.0. This affects an unknown function of the file /intern/admin/edit_students.php. Such manipulation of the argument admin_id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

PLUGIN Intern Membership Management System

CVE-2026-0698

MEDIUM CVSS 5.1 2026-01-08
Threat Entry Updated 2026-01-09

CVE-2026-0697 - Intern Membership Management System Plugin

A flaw has been found in code-projects Intern Membership Management System 1.0. The impacted element is an unknown function of the file /intern/admin/edit_admin.php. This manipulation of the argument admin_id causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used.

PLUGIN Intern Membership Management System

CVE-2026-0697

MEDIUM CVSS 5.1 2026-01-08
Threat Entry Updated 2026-01-08

CVE-2026-21427 - Stellanova APS-S301 series Plugin

The installers for multiple products provided by PIONEER CORPORATION contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code may be executed with the privileges of the running installer.

PLUGIN Stellanova APS-S301 series

CVE-2026-21427

HIGH CVSS 8.5 2026-01-08
Threat Entry Updated 2026-01-08

CVE-2026-0707 - Red Hat Build of Keycloak Plugin

A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750 specifications.

PLUGIN Red Hat Build of Keycloak

CVE-2026-0707

MEDIUM CVSS 5.3 2026-01-08
Threat Entry Updated 2026-01-08

CVE-2025-14275 - Jeg Elementor Kit Plugin

The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.0.1 due to insufficient input sanitization in the countdown widget's redirect functionality. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary JavaScript that will execute when an administrator or other user views the page containing the malicious countdown element.

PLUGIN Jeg Elementor Kit

CVE-2025-14275

MEDIUM CVSS 6.4 2026-01-08
Threat Entry Updated 2026-01-08

CVE-2025-12640 - File Manager Plugin

The Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager plugin for WordPress is vulnerable to Unauthorized Arbitrary Media Replacement in all versions up to, and including, 3.1.5. This is due to missing object-level authorization checks in the handle_folders_file_upload() function. This makes it possible for authenticated attackers, with Author-level access and above, to replace arbitrary media files from the WordPress Media Library.

PLUGIN File Manager

CVE-2025-12640

MEDIUM CVSS 4.3 2026-01-08
Threat Entry Updated 2026-01-20

CVE-2026-21881 - Kanboard Plugin

Kanboard is project management software focused on the Kanban methodology. Versions 1.2.48 and below are vulnerable to a critical authentication bypass when REVERSE_PROXY_AUTH is enabled. The application blindly trusts HTTP headers for user authentication without verifying that the request originated from a trusted reverse proxy. An attacker can impersonate any user, including administrators, by simply sending a spoofed HTTP header. This issue is fixed in version 1.2.49.

PLUGIN Kanboard

CVE-2026-21881

CRITICAL CVSS 9.1 2026-01-08