Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2026-01-13

CVE-2026-22082 - 300Mbps Wireless Router F3 and N300 Easy Setup Router Plugin

This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the use of login credentials as the session ID through its web-based administrative interface. A remote attacker could exploit this vulnerability by intercepting network traffic and capturing the session ID during insecure transmission. Successful exploitation of this vulnerability could allow the attacker to hijack an authenticated session and compromise sensitive configuration information on the targeted device.

PLUGIN 300Mbps Wireless Router F3 and N300 Easy Setup Router

CVE-2026-22082

HIGH CVSS 8.8 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2026-22081 - 300Mbps Wireless Router F3 and N300 Easy Setup Router Plugin

This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the missing HttpOnly flag on session cookies associated with the web-based administrative interface. A remote attacker could exploit this vulnerability by capturing session cookies transmitted over an insecure HTTP connection. Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information and gain unauthorized access to the targeted device.

PLUGIN 300Mbps Wireless Router F3 and N300 Easy Setup Router

CVE-2026-22081

HIGH CVSS 8.8 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2026-22080 - 300Mbps Wireless Router F3 and N300 Easy Setup Router Plugin

This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the transmission of credentials encoded using reversible Base64 encoding through the web-based administrative interface. An attacker on the same network could exploit this vulnerability by intercepting network traffic and capturing the Base64-encoded credentials. Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information and gain unauthorized access to the targeted device.

PLUGIN 300Mbps Wireless Router F3 and N300 Easy Setup Router

CVE-2026-22080

HIGH CVSS 8.7 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2026-22079 - 300Mbps Wireless Router F3 and N300 Easy Setup Router Plugin

This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the plaintext transmission of login credentials during the initial login or post-factory reset setup through the web-based administrative interface. An attacker on the same network could exploit this vulnerability by intercepting network traffic and capturing the credentials transmitted in plaintext. Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information and gain unauthorized access to the targeted device.

PLUGIN 300Mbps Wireless Router F3 and N300 Easy Setup Router

CVE-2026-22079

HIGH CVSS 8.7 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2026-21409 - RICOH Streamline NX Plugin

Improper authorization vulnerability exists in RICOH Streamline NX 3.5.1 to 24R3. If a man-in-the-middle attack is conducted on the communication between the affected product and its user, and some crafted request is processed by the product, the user's registration information and/or OIDC (OpenID Connect) tokens may be retrieved.

PLUGIN RICOH Streamline NX

CVE-2026-21409

HIGH CVSS 8.2 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-14937 - Frontend Admin By Dynamiapps Plugin

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'acff' parameter in the 'frontend_admin/forms/update_field' AJAX action in all versions up to, and including, 3.28.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Frontend Admin By Dynamiapps

CVE-2025-14937

HIGH CVSS 7.2 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-14657 - Event Tickets And Registrations Plugin

The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded.

PLUGIN Event Tickets And Registrations

CVE-2025-14657

HIGH CVSS 7.2 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-15057 - Slimstat Analytics Plugin

The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fh` (fingerprint) parameter in all versions up to, and including, 5.3.3. This is due to insufficient input sanitization and output escaping on the fingerprint value stored in the database. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the Real-time Access Log report.

PLUGIN Slimstat Analytics

CVE-2025-15057

HIGH CVSS 7.2 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-15055 - Slimstat Analytics Plugin

The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'notes' and 'resource' parameters in all versions up to, and including, 5.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator accesses the Recent Custom Events report.

PLUGIN Slimstat Analytics

CVE-2025-15055

HIGH CVSS 7.2 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-14436 - Brevo For Woocommerce Plugin

The Brevo for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘user_connection_id’ parameter in all versions up to, and including, 4.0.49 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Brevo For Woocommerce

CVE-2025-14436

HIGH CVSS 7.2 2026-01-08
Threat Entry Updated 2026-01-13

CVE-2026-22257 - Salvo Plugin

Salvo is a Rust web backend framework. Prior to version 0.88.1, the function list_html generates a file view of a folder without sanitizing file or folder names. This may lead to XSS where a website allows access to public files using this feature and anyone can upload a file. This issue has been patched in version 0.88.1.

PLUGIN Salvo

CVE-2026-22257

HIGH CVSS 8.8 2026-01-08
Threat Entry Updated 2026-01-13

CVE-2026-22256 - Salvo Plugin

Salvo is a Rust web backend framework. Prior to version 0.88.1, the function list_html generates a file view of a folder that includes a rendering of the current path, which is inserted into the HTML without proper sanitization. This leads to reflected XSS, because the request path is decoded and normalized in the matching stage but is then inserted raw into the HTML view (current.path). The only constraint is that the root path (e.g. /files in the PoC example) must have a subdirectory (e.g. common…

PLUGIN Salvo

CVE-2026-22256

HIGH CVSS 8.8 2026-01-08
Threat Entry Updated 2026-02-18

CVE-2026-22235 - eComplaint Plugin

OPEXUS eComplaint before version 9.0.45.0 allows an attacker to visit the 'DocumentOpen.aspx' endpoint, iterate through predictable values of 'chargeNumber', and download any uploaded files.

PLUGIN eComplaint

CVE-2026-22235

HIGH CVSS 8.7 2026-01-08
Threat Entry Updated 2026-01-26

CVE-2026-22230 - eCASE Audit Plugin

OPEXUS eCASE Audit allows an authenticated attacker to modify client-side JavaScript or craft HTTP requests to access functions or buttons that have been disabled or blocked by an administrator. Fixed in eCASE Platform 11.14.1.0.

PLUGIN eCASE Audit

CVE-2026-22230

HIGH CVSS 7.2 2026-01-08
Threat Entry Updated 2026-01-08

CVE-2026-22521 - Handmade Framework Theme

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in G5Theme Handmade Framework allows PHP Local File Inclusion. This issue affects Handmade Framework: from n/a through 3.9.

THEME Handmade Framework

CVE-2026-22521

HIGH CVSS 7.5 2026-01-08
Threat Entry Updated 2026-01-14

CVE-2026-21638 - UDB-Pro/UDB-Pro-Sector Plugin

A malicious actor in Wi-Fi range of the affected product could leverage a vulnerability in the airMAX Wireless Protocol to achieve remote code execution (RCE) within the affected product. Affected Products: UBB-XG (Version 1.2.2 and earlier); UDB-Pro/UDB-Pro-Sector (Version 1.4.1 and earlier); UBB (Version 3.1.5 and earlier). Mitigation: Update your UBB-XG to Version 1.2.3 or later. Update your UDB-Pro/UDB-Pro-Sector to Version 1.4.2 or later. Update your UBB to Version 3.1.7 or later.

PLUGIN UDB-Pro/UDB-Pro-Sector

CVE-2026-21638

HIGH CVSS 8.8 2026-01-08
Threat Entry Updated 2026-01-14

CVE-2026-22255 - iccDEV Plugin

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a heap-buffer-overflow vulnerability in `CIccCLUT::Init()` at `IccProfLib/IccTagLut.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.

PLUGIN iccDEV

CVE-2026-22255

HIGH CVSS 8.8 2026-01-08
Threat Entry Updated 2026-01-15

CVE-2026-22244 - OpenMetadata Plugin

OpenMetadata is a unified metadata platform. Versions prior to 1.11.4 are vulnerable to remote code execution via Server-Side Template Injection (SSTI) in FreeMarker email templates. An attacker must have administrative privileges to exploit the vulnerability. Version 1.11.4 contains a patch.

PLUGIN OpenMetadata

CVE-2026-22244

HIGH CVSS 8.5 2026-01-08
Threat Entry Updated 2026-01-15

CVE-2026-22245 - Mastodon Plugin

Mastodon is a free, open-source social network server based on ActivityPub. By nature, Mastodon performs a lot of outbound requests to user-provided domains. Mastodon, however, has some protection mechanism to disallow requests to local IP addresses (unless specified in `ALLOWED_PRIVATE_ADDRESSES`) to avoid the "confused deputy" problem. The list of disallowed IP address ranges was lacking some IP address ranges that can be used to reach local IP addresses. An attacker can use an IP address in the affected ranges to make Mastodon perform HTTP requests against loopback or local network…

PLUGIN Mastodon

CVE-2026-22245

HIGH CVSS 7.1 2026-01-08