"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 917 | Critical: 917 | High: 0 | Medium: 0
Showing 81-100 of 917 records
Threat Entry Updated 2026-02-02

CVE-2026-22238 - BLUVOYIX Plugin

The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX admin APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable admin API to create a new user with admin privileges. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform by logging in to the newly-created admin user.

PLUGIN BLUVOYIX

CVE-2026-22238

CRITICAL CVSS 10.0 2026-01-14
Threat Entry Updated 2026-02-02

CVE-2026-22237 - BLUVOYIX Plugin

The vulnerability exists in BLUVOYIX due to the exposure of sensitive internal API documentation. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the APIs exposed by the documentation. Successful exploitation of this vulnerability could allow the attacker to cause damage to the targeted platform by abusing internal functionality.

PLUGIN BLUVOYIX

CVE-2026-22237

CRITICAL CVSS 10.0 2026-01-14
Threat Entry Updated 2026-02-02

CVE-2026-22236 - BLUVOYIX Plugin

The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX backend APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable APIs. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform.

PLUGIN BLUVOYIX

CVE-2026-22236

CRITICAL CVSS 10.0 2026-01-14
Threat Entry Updated 2026-01-14

CVE-2025-14502 - News And Blog Designer Bundle Plugin

The News and Blog Designer Bundle plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1 via the template parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

PLUGIN News And Blog Designer Bundle

CVE-2025-14502

CRITICAL CVSS 9.8 2026-01-14
Threat Entry Updated 2026-01-14

CVE-2025-14301 - Woosa Ai For Woocommerce Plugin

The Integration Opvius AI for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.0. This is due to the `process_table_bulk_actions()` function processing user-supplied file paths without authentication checks, nonce verification, or path validation. This makes it possible for unauthenticated attackers to delete or download arbitrary files on the server via the `wsaw-log[]` POST parameter, which can be leveraged to delete critical files like `wp-config.php` or read sensitive configuration files.

PLUGIN Woosa Ai For Woocommerce

CVE-2025-14301

CRITICAL CVSS 9.8 2026-01-14
Threat Entry Updated 2026-02-24

CVE-2026-22686 - Enclave Plugin

Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.7.0, there is a critical sandbox escape vulnerability in enclave-vm that allows untrusted, sandboxed JavaScript code to execute arbitrary code in the host Node.js runtime. When a tool invocation fails, enclave-vm exposes a host-side Error object to sandboxed code. This Error object retains its host realm prototype chain, which can be traversed to reach the host Function constructor. An attacker can intentionally trigger a host error, then climb the prototype chain. Using the host Function…

PLUGIN Enclave

CVE-2026-22686

CRITICAL CVSS 10.0 2026-01-14
Threat Entry Updated 2026-02-03

CVE-2026-23478 - cal.com Plugin

Cal.com is open-source scheduling software. From 3.1.6 to before 6.0.7, there is a vulnerability in a custom NextAuth JWT callback that allows attackers to gain full authenticated access to any user's account by supplying a target email address via session.update(). This vulnerability is fixed in 6.0.7.

PLUGIN cal.com

CVE-2026-23478

CRITICAL CVSS 10.0 2026-01-13
Threat Entry Updated 2026-01-20

CVE-2026-22755 - Vivotek Affected device model numbers are FD8365, FD8365v2, FD9165, FD9171, FD9187, FD9189, FD9365, FD9371, FD9381, FD93 Plugin

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Vivotek Affected device model numbers are FD8365, FD8365v2, FD9165, FD9171, FD9187, FD9189, FD9365, FD9371, FD9381, FD9387, FD9389, FD9391, FE9180, FE9181, FE9191, FE9381, FE9382, FE9391, FE9582, IB9365, IB93587LPR, IB9371, IB9381, IB9387, IB9389, IB939, IP9165, IP9171, IP9172, IP9181, IP9191, IT9389, MA9321, MA9322, MS9321, MS9390, TB9330 (Firmware modules) allows OS Command Injection. This issue affects Affected device model numbers are FD8365, FD8365v2, FD9165, FD9171, FD9187, FD9189, FD9365, FD9371, FD9381, FD9387, FD9389, FD9391, FE9180, FE9181, FE9191, FE9381, FE9382, FE9391, FE9582, IB9365, IB93587LPR, IB9371, IB9381, IB9387, IB9389, IB939, IP9165, IP9171, IP9172, IP9181, IP9191,…

PLUGIN Vivotek Affected device model numbers are FD8365, FD8365v2, FD9165, FD9171, FD9187, FD9189, FD9365, FD9371, FD9381, FD93

CVE-2026-22755

CRITICAL CVSS 9.3 2026-01-13
Threat Entry Updated 2026-01-22

CVE-2026-0892 - Firefox Plugin

Memory safety bugs present in Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 147 and Thunderbird < 147.

PLUGIN Firefox

CVE-2026-0892

CRITICAL CVSS 9.8 2026-01-13
Threat Entry Updated 2026-01-22

CVE-2026-0884 - Firefox ESR Plugin

Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.

PLUGIN Firefox ESR

CVE-2026-0884

CRITICAL CVSS 9.8 2026-01-13
Threat Entry Updated 2026-01-22

CVE-2026-0879 - Firefox ESR Plugin

Sandbox escape due to incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.

PLUGIN Firefox ESR

CVE-2026-0879

CRITICAL CVSS 9.8 2026-01-13
Threat Entry Updated 2026-01-13

CVE-2025-14829 - Through 2 Plugin

The E-xact | Hosted Payment | WordPress plugin through 2.0 is vulnerable to arbitrary file deletion due to insufficient file path validation. This makes it possible for unauthenticated attackers to delete arbitrary files on the server.

PLUGIN Through 2

CVE-2025-14829

CRITICAL CVSS 9.1 2026-01-13
Threat Entry Updated 2026-01-13

CVE-2026-0501 - SAP S/4HANA Private Cloud and On-Premise (Financials – General Ledger) Plugin

Due to insufficient input validation in SAP S/4HANA Private Cloud and On-Premise (Financials – General Ledger), an authenticated user could execute crafted SQL queries to read, modify, and delete backend database data. This leads to a high impact on the confidentiality, integrity, and availability of the application.

PLUGIN SAP S/4HANA Private Cloud and On-Premise (Financials – General Ledger)

CVE-2026-0501

CRITICAL CVSS 9.9 2026-01-13
Threat Entry Updated 2026-01-22

CVE-2026-0500 - SAP Wily Introscope Enterprise Manager (WorkStation) Plugin

Due to the usage of a vulnerable third-party component in SAP Wily Introscope Enterprise Manager (WorkStation), an unauthenticated attacker could create a malicious JNLP (Java Network Launch Protocol) file accessible by a public-facing URL. When a victim clicks on the URL, the accessed Wily Introscope Server could execute OS commands on the victim's machine. This could completely compromise the confidentiality, integrity and availability of the system.

PLUGIN SAP Wily Introscope Enterprise Manager (WorkStation)

CVE-2026-0500

CRITICAL CVSS 9.6 2026-01-13
Threat Entry Updated 2026-01-22

CVE-2026-0498 - SAP S/4HANA (Private Cloud and On-Premise) Plugin

SAP S/4HANA (Private Cloud and On-Premise) allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system.

PLUGIN SAP S/4HANA (Private Cloud and On-Premise)

CVE-2026-0498

CRITICAL CVSS 9.1 2026-01-13
Threat Entry Updated 2026-01-13

CVE-2026-0491 - SAP Landscape Transformation Plugin

SAP Landscape Transformation allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system.

PLUGIN SAP Landscape Transformation

CVE-2026-0491

CRITICAL CVSS 9.1 2026-01-13
Threat Entry Updated 2026-01-21

CVE-2026-22813 - Opencode Plugin

OpenCode is an open source AI coding agent. The markdown renderer used for LLM responses will insert arbitrary HTML into the DOM. There is no sanitization with DOMPurify or even a CSP on the web interface to prevent JavaScript execution via HTML injection. This means controlling the LLM response for a chat session gets JavaScript execution on the http://localhost:4096 origin. This vulnerability is fixed in 1.1.10.

PLUGIN Opencode

CVE-2026-22813

CRITICAL CVSS 9.4 2026-01-12