
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Severity filter: High (3,029 of 3,029 records; Critical 0, Medium 0). Showing records 321-340 of 3,029.
Threat Entry Updated 2026-02-01

CVE-2026-23490 - pyasn1

pyasn1 is a generic ASN.1 library for Python. Before 0.6.2, a malformed RELATIVE-OID whose subidentifier carries an excessive run of continuation octets leads to memory exhaustion in the decoder, a denial of service. Fixed in 0.6.2.

Product: pyasn1 | HIGH | CVSS 7.5 | 2026-01-16
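
To make the failure mode concrete, the following is an added illustrative decoder for the base-128 subidentifiers that make up OID and RELATIVE-OID contents octets (X.690 8.19 and 8.20). It is not pyasn1's code: the 10-octet cap, the function names and the constructed input are assumptions for this example. The unbounded version keeps accumulating 7 bits per octet for as long as the continuation bit is set, so a few kilobytes of 0xFF octets become one Python integer of over a hundred thousand bits and the cost scales with the input; the bounded version rejects the subidentifier before it can grow.

```python
# Added example: bounded vs. unbounded decoding of X.690 base-128
# subidentifiers (the contents octets of a RELATIVE-OID are just a sequence
# of these).  Illustrative code, not pyasn1's decoder.

# A legitimate 64-bit arc needs at most 10 octets of 7 bits each.  The cap
# is an assumption chosen for this example, not a value taken from pyasn1.
MAX_SUBID_OCTETS = 10


class DecodeError(ValueError):
    """Raised for malformed subidentifier encodings."""


def decode_subids_unbounded(data: bytes) -> list:
    """Vulnerable pattern: keeps shifting in 7 bits per octet for as long as
    the continuation bit (0x80) is set.  Python ints are arbitrary precision,
    so memory grows with the length of the run instead of being capped."""
    subids, value, in_progress = [], 0, False
    for octet in data:
        value = (value << 7) | (octet & 0x7F)
        in_progress = bool(octet & 0x80)
        if not in_progress:
            subids.append(value)
            value = 0
    if in_progress:
        raise DecodeError("truncated subidentifier")
    return subids


def decode_subids_bounded(data: bytes, max_octets: int = MAX_SUBID_OCTETS) -> list:
    """Hardened pattern: count octets per subidentifier and reject the input
    before accumulating more than max_octets of them.  Also rejects a leading
    0x80 padding octet, which X.690 8.19.2 forbids (non-minimal encoding)."""
    subids, value, count = [], 0, 0
    for octet in data:
        if count == 0 and octet == 0x80:
            raise DecodeError("non-minimal subidentifier (leading 0x80)")
        count += 1
        if count > max_octets:
            raise DecodeError(f"subidentifier exceeds {max_octets} octets")
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            subids.append(value)
            value, count = 0, 0
    if count:
        raise DecodeError("truncated subidentifier")
    return subids


def rejects(data: bytes) -> bool:
    """True if the bounded decoder refuses data."""
    try:
        decode_subids_bounded(data)
    except DecodeError:
        return True
    return False


def demo():
    """Constructed malformed RELATIVE-OID contents: 16 KiB of 0xFF
    continuation octets and one terminating 0x7F, i.e. a single arc.
    Returns (bit length of the integer the unbounded decoder builds,
    outcome of the bounded decoder)."""
    malicious = b"\xff" * (16 * 1024) + b"\x7f"
    huge = decode_subids_unbounded(malicious)[0]
    try:
        decode_subids_bounded(malicious)
        outcome = "accepted"
    except DecodeError as exc:
        outcome = str(exc)
    return huge.bit_length(), outcome


if __name__ == "__main__":
    print(decode_subids_bounded(b"\x2a\x86\x48"))  # [42, 840]
    print(demo())
```

The 16 KiB payload is deliberately small so the unbounded decoder finishes quickly here; the point is that the integer it builds is proportional to the attacker's input, which is exactly what a length cap on the subidentifier removes.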
Threat Entry Updated 2026-01-26

CVE-2026-0629 - VIGI C230I Mini

Authentication bypass in the password recovery feature of the local web interface across multiple VIGI camera models allows an attacker on the LAN to reset the admin password without verification by manipulating client-side state. Attackers can gain full administrative access to the device, compromising configuration and network security.

Product: VIGI C230I Mini | HIGH | CVSS 8.7 | 2026-01-16
Threat Entry Updated 2026-01-26

CVE-2026-23529 - BigQuery Connector for Apache Kafka

Kafka Connect BigQuery Connector is an implementation of a sink connector from Apache Kafka to Google BigQuery. Prior to 2.11.0, there is an arbitrary file read in Google BigQuery Sink connector. Aiven's Google BigQuery Kafka Connect Sink connector requires Google Cloud credential configurations for authentication to BigQuery services. During connector configuration, users can supply credential JSON files that are processed by Google authentication libraries. The service fails to validate externally-sourced credential configurations before passing them to the authentication libraries. An attacker can exploit this by providing a malicious credential configuration…

Product: BigQuery Connector for Apache Kafka | HIGH | CVSS 7.7 | 2026-01-16
Threat Entry Updated 2026-01-27

CVE-2026-0695 - ConnectWise PSA

In ConnectWise PSA versions older than 2026.1, Time Entry notes stored in the Time Entry Audit Trail may be rendered without applying output encoding to certain content. Under specific conditions, this may allow stored script code to execute in the context of a user's browser when the affected content is displayed.

Product: ConnectWise PSA | HIGH | CVSS 8.7 | 2026-01-16
Threat Entry Updated 2026-01-23

CVE-2026-0616 - TheLibrarian.io

TheLibrarian's `web_fetch` tool can be used to retrieve the content of the Adminer interface, which can then be used to log into the internal TheLibrarian backend system. The vendor has fixed the vulnerability in all affected versions.

Product: TheLibrarian.io | HIGH | CVSS 7.5 | 2026-01-16
Threat Entry Updated 2026-01-23

CVE-2026-0613 - TheLibrarian.io

TheLibrarian's `web_fetch` tool can be used for internal port scanning: it performs SSRF-style GET requests to internal IP addresses and services, enabling scanning of the Hetzner cloud environment in which TheLibrarian runs. The vendor has fixed the vulnerability in all affected versions.

Product: TheLibrarian.io | HIGH | CVSS 7.5 | 2026-01-16
Threat Entry Updated 2026-01-23

CVE-2026-0612 - TheLibrarian.io

TheLibrarian contains an information leakage vulnerability through the `web_fetch` tool, which can be made to retrieve arbitrary attacker-supplied external content, turning TheLibrarian's infrastructure into a proxy for the attacker's requests. The vendor has fixed the vulnerability in all versions of TheLibrarian.

Product: TheLibrarian.io | HIGH | CVSS 7.5 | 2026-01-16
Threat Entry Updated 2026-01-23

CVE-2026-0615 - TheLibrarian.io

TheLibrarian's `supervisord` status page can be retrieved through the `web_fetch` tool, exposing the processes running in the TheLibrarian backend. The vendor has fixed the vulnerability in all affected versions.

Product: TheLibrarian.io | HIGH | CVSS 7.3 | 2026-01-16
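
The four TheLibrarian entries above (CVE-2026-0616, CVE-2026-0613, CVE-2026-0612 and CVE-2026-0615) are one bug class: a fetch tool exposed to users with no egress policy, so it reaches loopback services such as Adminer and supervisord, scans the hosting network, and relays arbitrary external requests. The following is an added example of the checks such a tool needs before a request is issued. It is not code from TheLibrarian; the resolver hook, the constructed DNS table, the blocked ranges and the function names are assumptions for this example.

```python
# Added example: egress policy for a web_fetch-style tool.  Not code from
# TheLibrarian; the resolver hook, the constructed DNS table and the blocked
# ranges are assumptions for this example.
import ipaddress
from typing import Callable, Iterable, Optional, Set
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Address space a fetch tool should never reach: loopback (where Adminer and
# the supervisord page in the entries above listen), RFC 1918 and CGNAT
# ranges, link-local (cloud metadata services), and IPv4-mapped IPv6, which
# otherwise smuggles 127.0.0.1 past an IPv4-only check.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]


class FetchDenied(Exception):
    """The URL must not be fetched; the message says why."""


def check_fetch_target(url: str,
                       resolve: Callable[[str], Iterable[str]],
                       allowed_hosts: Optional[Set[str]] = None) -> str:
    """Validate url and return the one IP address the request may go to.

    The caller should connect to that IP (sending the original hostname in
    the Host header / SNI) rather than resolving again, so a DNS answer that
    changes between check and use (rebinding) cannot redirect the request.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise FetchDenied(f"scheme {parts.scheme!r} not allowed")
    host = parts.hostname  # lower-cased, brackets stripped for IPv6 literals
    if not host:
        raise FetchDenied("URL has no host")
    if parts.username is not None or parts.password is not None:
        raise FetchDenied("credentials in URL")
    if allowed_hosts is not None and host not in allowed_hosts:
        raise FetchDenied(f"host {host!r} not on allow-list")
    try:  # an IP literal skips DNS but still gets the range check
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = list(resolve(host))
    if not addrs:
        raise FetchDenied(f"{host!r} does not resolve")
    # Every answer is checked: one public plus one loopback record is a
    # classic way to get a first-answer-only check to pass.
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if ip.is_multicast or any(ip in net for net in BLOCKED_NETWORKS):
            raise FetchDenied(f"{host!r} resolves to blocked address {addr}")
    return addrs[0]


def fake_resolve(host: str):
    """Constructed DNS table so the demo runs offline (hypothetical hosts)."""
    table = {
        "docs.example": ["203.0.113.10"],
        "db.internal.example": ["10.0.1.5"],
        "rebind.attacker.example": ["203.0.113.10", "127.0.0.1"],
    }
    return table.get(host, [])


def demo():
    """Run the policy over constructed URLs; returns {url: decision}."""
    decisions = {}
    for url in (
        "https://docs.example/page",
        "http://127.0.0.1:9001/",                  # local supervisord-style page
        "http://db.internal.example/adminer.php",  # internal admin UI
        "http://rebind.attacker.example/",         # mixed public/loopback answers
        "http://[::ffff:127.0.0.1]/",
        "http://169.254.169.254/latest/meta-data/",
        "file:///etc/passwd",
        "http://user:pw@docs.example/",
    ):
        try:
            decisions[url] = "allow " + check_fetch_target(url, fake_resolve)
        except FetchDenied as exc:
            decisions[url] = "deny: " + str(exc)
    return decisions


if __name__ == "__main__":
    for url, decision in demo().items():
        print(f"{decision:50} {url}")
```

For a tool that only needs a handful of upstream sites, pass an explicit `allowed_hosts` set as well; the address-range check is the floor, not the whole policy, and it does nothing about a tool that is allowed to fetch any public URL being used as an open proxy (the CVE-2026-0612 case).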
Threat Entry Updated 2026-01-23

CVE-2025-14844 - Restrict Content (WordPress plugin)

The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the 'rcp_stripe_create_setup_intent_for_saved_card' function due to a missing capability check. Additionally, the plugin does not check a user-controlled key, which makes it possible for unauthenticated attackers to leak Stripe SetupIntent client_secret values for any membership.

Product: Restrict Content | HIGH | CVSS 8.2 | 2026-01-16
Threat Entry Updated 2026-01-16

CVE-2026-22876 - Multiple Network Cameras TRIFORA 3 series

A path traversal vulnerability exists in multiple Network Cameras of the TRIFORA 3 series provided by TOA Corporation. If exploited, arbitrary files on the affected product may be retrieved by a logged-in user with low ("monitoring user") or higher privilege.

Product: Multiple Network Cameras TRIFORA 3 series | HIGH | CVSS 7.1 | 2026-01-16
Threat Entry Updated 2026-01-16

CVE-2025-12957 - All In One Video Gallery (WordPress plugin)

The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.5.7. This is due to insufficient file type validation when detecting VTT files, which allows a double-extension file to bypass sanitization while still being accepted as a valid VTT file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible.

Product: All In One Video Gallery | HIGH | CVSS 8.8 | 2026-01-16
Threat Entry Updated 2026-01-23

CVE-2026-1023 - Statistics Database System

Statistics Database System developed by Gotac has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly exploit a specific functionality to query database contents.

Product: Statistics Database System | HIGH | CVSS 8.7 | 2026-01-16
Threat Entry Updated 2026-01-23

CVE-2026-1022 - Statistics Database System

Statistics Database System developed by Gotac has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files.

Product: Statistics Database System | HIGH | CVSS 8.7 | 2026-01-16
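
CVE-2026-22876 (TRIFORA cameras) and CVE-2026-1022 (Gotac) are both path traversal into file reads. The following is an added example of how to contain a user-supplied file name to a base directory; it is not code from TOA or Gotac, and the base directory, the request paths and the function names are assumptions for this example. It covers the three things such checks usually get wrong: decoding the request after the check instead of before, comparing with a string prefix instead of a path prefix, and checking the lexical path while a symlink inside the base points outside it.

```python
# Added example: containing a user-supplied file name to a base directory.
# Not code from TOA or Gotac; the base directory, request paths and the
# function names are assumptions for this example.  Assumes a POSIX host.
import os
import tempfile
from urllib.parse import unquote


class TraversalError(ValueError):
    """The requested path would leave the base directory."""


def contained_path(base_dir: str, user_path: str, follow_symlinks: bool = True) -> str:
    """Return the absolute path to open, or raise TraversalError.

    Order matters: decode exactly once, normalize, then compare the resolved
    candidate with the resolved base.  A check on the raw request string
    that later opens the decoded one is the usual traversal bug; decoding
    twice instead creates a double-encoding bypass.
    """
    decoded = unquote(user_path)
    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")
    # Treat the request as relative to base even if it starts with a slash,
    # and fold backslashes so "..\\..\\" is not a separate bypass on Windows.
    relative = decoded.replace("\\", "/").lstrip("/")
    if follow_symlinks:
        base = os.path.realpath(base_dir)
        candidate = os.path.realpath(os.path.join(base, relative))
    else:
        base = os.path.abspath(base_dir)
        candidate = os.path.normpath(os.path.join(base, relative))
    # commonpath, not startswith: "/srv/files" must not match "/srv/files2".
    if os.path.commonpath([base, candidate]) != base:
        raise TraversalError(f"{user_path!r} escapes {base_dir!r}")
    return candidate


def classify(base_dir: str, requests):
    """Lexical-only run (no filesystem access) over a list of request paths."""
    out = {}
    for req in requests:
        try:
            out[req] = "ok " + contained_path(base_dir, req, follow_symlinks=False)
        except TraversalError:
            out[req] = "rejected"
    return out


def demo():
    """Constructed camera-snapshot base directory and request paths."""
    return classify("/srv/cam/snapshots", [
        "2026-01-16/cam1.jpg",
        "../../../etc/passwd",
        "..%2f..%2f..%2fetc%2fpasswd",   # URL-encoded separators
        "/etc/passwd",                   # absolute: re-rooted under base
        "cam1/../../config.ini",         # climbs one level above base
        "..\\..\\windows\\win.ini",
    ])


def symlink_demo() -> str:
    """Why realpath is needed: a symlink inside base pointing outside passes
    every lexical check but is caught once both sides are resolved."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "base")
        outside = os.path.join(tmp, "outside")
        os.makedirs(base)
        os.makedirs(outside)
        os.symlink(outside, os.path.join(base, "escape"))
        try:
            contained_path(base, "escape/secret.txt")
            return "followed symlink out of base"
        except TraversalError:
            return "rejected"


if __name__ == "__main__":
    for req, result in demo().items():
        print(f"{result:42} {req}")
    print(symlink_demo())
```

Re-rooting an absolute request under the base (so `/etc/passwd` becomes `<base>/etc/passwd`) is a design choice; rejecting absolute requests outright is equally defensible, as long as the decision is made on the decoded, normalized value.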
Threat Entry Updated 2026-01-21

CVE-2026-22864 - Deno

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.5.6, a prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path's extension matched .bat or .cmd. That check performs a case-sensitive comparison against lowercase literals and can therefore be bypassed when the extension uses alternate casing (for example .BAT or .Bat). This vulnerability is fixed in 2.5.6.

Product: Deno | HIGH | CVSS 8.1 | 2026-01-15
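
This Deno entry and the All-in-One Video Gallery entry above (CVE-2025-12957) are both extension checks that look at the wrong thing: one compares case-sensitively against lowercase literals, the other accepts a name as long as the allowed extension appears in it. The following is an added example showing each check in its vulnerable and hardened form; it is not code from Deno or from the plugin, and the function names, the trailing-dot handling and the upload policy are assumptions for this example.

```python
# Added example: two extension checks, each in its vulnerable and hardened
# form.  Not code from Deno or from the All-in-One Video Gallery plugin; the
# function names, the trailing-dot handling and the upload policy are
# assumptions for this example.
import os

WINDOWS_SCRIPT_EXTS = {".bat", ".cmd"}
ALLOWED_UPLOAD_EXTS = {".vtt"}


def blocks_batch_vulnerable(path: str) -> bool:
    """Case-sensitive comparison against lowercase literals: "run.BAT"
    is not recognised, yet Windows runs it as a batch file."""
    return os.path.splitext(path)[1] in WINDOWS_SCRIPT_EXTS


def blocks_batch_fixed(path: str) -> bool:
    """Normalize before comparing: fold case, and strip trailing dots and
    spaces, which Windows drops when resolving a file name (so "run.bat."
    still opens run.bat).  The trailing-character handling goes beyond the
    casing issue the entry describes."""
    name = os.path.basename(path.replace("\\", "/")).rstrip(". ")
    return os.path.splitext(name)[1].casefold() in WINDOWS_SCRIPT_EXTS


def upload_allowed_vulnerable(filename: str) -> bool:
    """Substring check: "shell.php.vtt" and "shell.vtt.php" both pass, and
    depending on the web server's handler mapping either may be executed."""
    return ".vtt" in filename.lower()


def upload_allowed_fixed(filename: str) -> bool:
    """Require the last extension to be allowed and reject any further dot
    in the stem, so a double extension never reaches the server."""
    name = os.path.basename(filename.replace("\\", "/"))
    stem, ext = os.path.splitext(name)
    if ext.casefold() not in ALLOWED_UPLOAD_EXTS:
        return False
    if not stem or "." in stem:
        return False
    return True


def stored_name(filename: str, token: str) -> str:
    """Never store under the client's name: keep only the validated
    extension and use a server-generated token for the stem."""
    if not upload_allowed_fixed(filename):
        raise ValueError("upload rejected")
    return token + os.path.splitext(filename)[1].casefold()


def demo():
    """Constructed file names run through both versions of each check;
    values are (vulnerable_result, fixed_result)."""
    batch = ["run.bat", "run.BAT", "C:\\tools\\Run.Cmd", "run.bat.", "run.exe"]
    uploads = ["captions.vtt", "CAPTIONS.VTT", "shell.php.vtt", "shell.vtt.php", ".vtt"]
    return {
        "batch": {p: (blocks_batch_vulnerable(p), blocks_batch_fixed(p)) for p in batch},
        "upload": {f: (upload_allowed_vulnerable(f), upload_allowed_fixed(f)) for f in uploads},
    }


if __name__ == "__main__":
    for group, rows in demo().items():
        print(group)
        for name, (vuln, fixed) in rows.items():
            print(f"  {name:22} vulnerable={vuln!s:5} fixed={fixed}")
```

Extension checks are an allow/deny decision on an attacker-chosen string, so normalize first (case, separators, trailing characters the OS ignores) and then compare; for uploads, additionally store the file under a server-generated name so the client's string never becomes a path.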
Threat Entry Updated 2026-01-23

CVE-2026-1010 - Altium Enterprise Server

A stored cross-site scripting (XSS) vulnerability exists in the Altium Workflow Engine due to missing server-side input sanitization in workflow form submission APIs. A regular authenticated user can inject arbitrary JavaScript into workflow data. When an administrator views the affected workflow, the injected payload executes in the administrator's browser context, allowing privilege escalation, including creation of new administrator accounts, session token theft, and execution of administrative actions.

Product: Altium Enterprise Server | HIGH | CVSS 8.0 | 2026-01-15
Threat Entry Updated 2026-01-23

CVE-2026-1008 - Altium 365

A stored cross-site scripting (XSS) vulnerability exists in the user profile text fields of Altium 365. Insufficient server-side input sanitization allows authenticated users to inject arbitrary HTML and JavaScript payloads using whitespace-based attribute parsing bypass techniques. The injected payload is persisted and executed when other users view the affected profile page, potentially allowing session token theft, phishing attacks, or malicious redirects. Exploitation requires an authenticated account and user interaction to view the crafted profile.

Product: Altium Live | HIGH | CVSS 7.6 | 2026-01-15
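
The stored XSS entries on this page (CVE-2026-0695 in ConnectWise PSA, CVE-2026-1010 and CVE-2026-1008 in Altium) share a root cause: user text reaches the page without output encoding, and where a filter exists it is a blocklist that the HTML parser's tolerance for whitespace defeats. The following is an added example that renders the same payloads through a blocklist filter and through context-appropriate encoding, then parses the results the way a browser would to show which attributes actually survive. It is not code from ConnectWise or Altium; the regexes, the payloads, the render functions and the attribute-context case are assumptions for this example.

```python
# Added example: blocklist "sanitizer" vs. output encoding, checked by
# parsing the rendered HTML.  Not code from ConnectWise or Altium; the
# regexes, payloads and render functions are assumptions for this example.
import html
import re
from html.parser import HTMLParser

# A blocklist of the kind that gives a false sense of safety.
SCRIPT_TAG = re.compile(r"</?script\b[^>]*>", re.IGNORECASE)
EVENT_HANDLER = re.compile(r"\bon\w+=", re.IGNORECASE)


def sanitize_blocklist(untrusted: str) -> str:
    """Strips <script> tags and 'onxxx=' attributes.  HTML allows whitespace
    between an attribute name and '=', so 'onerror<TAB>=' survives."""
    return EVENT_HANDLER.sub("", SCRIPT_TAG.sub("", untrusted))


def encode_for_html(untrusted: str) -> str:
    """Output encoding for an HTML text node or a quoted attribute value:
    <, >, &, " and ' become character references, so the browser sees data,
    not markup.  (JavaScript and URL contexts need different encoders.)"""
    return html.escape(untrusted, quote=True)


def render_note_vulnerable(note: str) -> str:
    """Audit-trail cell built from a blocklist-filtered note."""
    return f'<td class="note">{sanitize_blocklist(note)}</td>'


def render_note_fixed(note: str) -> str:
    return f'<td class="note">{encode_for_html(note)}</td>'


def render_profile_vulnerable(display_name: str) -> str:
    """User text dropped into an unquoted attribute: a space ends the value
    and whatever follows becomes a new attribute."""
    return f'<a title={display_name} href="/profile">profile</a>'


def render_profile_fixed(display_name: str) -> str:
    """Always quote the attribute and encode the value."""
    return f'<a title="{encode_for_html(display_name)}" href="/profile">profile</a>'


class _TagCollector(HTMLParser):
    """Records (tag, sorted attribute names) for every start tag, i.e. what
    a browser would actually instantiate from the rendered string."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, sorted(name for name, _ in attrs)))


def parsed_tags(rendered: str):
    collector = _TagCollector()
    collector.feed(rendered)
    return collector.tags


def demo():
    """Constructed payloads; returns the tags and attributes the parser sees
    in each rendering.  Only the vulnerable renderings yield a handler."""
    note = "<img src=x onerror\t=alert(document.cookie)>"   # whitespace before '='
    name = "x onmouseover=alert(1) y"                        # breaks out of unquoted attr
    return {
        "note_vulnerable": parsed_tags(render_note_vulnerable(note)),
        "note_fixed": parsed_tags(render_note_fixed(note)),
        "profile_vulnerable": parsed_tags(render_profile_vulnerable(name)),
        "profile_fixed": parsed_tags(render_profile_fixed(name)),
    }


if __name__ == "__main__":
    for label, tags in demo().items():
        print(f"{label:20} {tags}")
```

The fix is encoding at the point of output for the context the value lands in, not filtering at input; a Content Security Policy that disallows inline script is worthwhile defence in depth but does not replace the encoding.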
Threat Entry Updated 2026-01-23

CVE-2026-0915 - glibc

Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks, and querying for a zero-valued network, in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.

Product: glibc | HIGH | CVSS 7.5 | 2026-01-15