
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2026-01-13

CVE-2026-0504 - SAP Identity Management Plugin

Due to insufficient input handling, the SAP Identity Management REST interface allows an authenticated administrator to submit specially crafted malicious REST requests that are processed by JNDI operations without adequate input neutralization. This may lead to limited disclosure or modification of data, resulting in low impact on confidentiality and integrity, with no impact on application availability.

PLUGIN SAP Identity Management

CVE-2026-0504

LOW CVSS 3.8 2026-01-13
Threat Entry Updated 2026-01-13

CVE-2026-0510 - NW AS Java UME User Mapping Plugin

The User Management Engine (UME) in NetWeaver Application Server for Java (NW AS Java) utilizes an obsolete cryptographic algorithm for encrypting User Mapping data. This weakness could allow an attacker with high-privileged access to exploit the vulnerability under specific conditions, potentially leading to partial disclosure of sensitive information. This has low impact on confidentiality with no impact on integrity and availability of the application.

PLUGIN NW AS Java UME User Mapping

CVE-2026-0510

LOW CVSS 3.0 2026-01-13
Threat Entry Updated 2026-01-13

CVE-2026-22805 - Metabase Plugin

Metabase is an open-source data analytics platform. Prior to 55.13, 56.3, and 57.1, self-hosted Metabase instances that allow users to create subscriptions could be potentially impacted if their Metabase is colocated with other unsecured resources. This vulnerability is fixed in 55.13, 56.3, and 57.1.

PLUGIN Metabase

CVE-2026-22805

LOW CVSS 2.1 2026-01-12
Threat Entry Updated 2026-01-21

CVE-2026-22800 - PILOS Plugin

PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. Prior to 4.10.0, Cross-Site Request Forgery (CSRF) vulnerability exists in an administrative API endpoint responsible for terminating all active video conferences on a single server. The affected endpoint performs a destructive action but is exposed via an HTTP GET request. Although proper authorization checks are enforced and the endpoint cannot be triggered cross-site, the use of GET allows the action to be implicitly invoked through same-site content (e.g. embedded resources rendered within the application). As a result, an authenticated…

PLUGIN PILOS

CVE-2026-22800

LOW CVSS 2.4 2026-01-12
Threat Entry Updated 2026-01-21

CVE-2026-22213 - RIOT OS Plugin

RIOT OS versions up to and including 2026.01-devel-317 contain a stack-based buffer overflow vulnerability in the tapslip6 utility. The vulnerability is caused by unsafe string concatenation in the devopen() function, which constructs a device path using unbounded user-controlled input. The utility uses strcpy() and strcat() to concatenate the fixed prefix '/dev/' with a user-supplied device name provided via the -s command-line option without bounds checking. This allows an attacker to supply an excessively long device name and overflow a fixed-size stack buffer, leading to process crashes and memory corruption.

PLUGIN RIOT OS

CVE-2026-22213

LOW CVSS 2.4 2026-01-12
Threat Entry Updated 2026-01-16

CVE-2026-22784 - Lychee Plugin

Lychee is a free, open-source photo-management tool. Prior to 7.1.0, an authorization vulnerability exists in Lychee's album password unlock functionality that allows users to gain possibly unauthorized access to other users' password-protected albums. When a user unlocks a password-protected public album, the system automatically unlocks ALL other public albums that share the same password, resulting in a complete authorization bypass. This vulnerability is fixed in 7.1.0.

PLUGIN Lychee

CVE-2026-22784

LOW CVSS 2.3 2026-01-12
Threat Entry Updated 2026-01-27

CVE-2026-22250 - Wlc Plugin

wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, the SSL verification would be skipped for some crafted URLs. This vulnerability is fixed in 1.17.0.

PLUGIN Wlc

CVE-2026-22250

LOW CVSS 2.5 2026-01-12
Threat Entry Updated 2026-01-13

CVE-2026-22611 - Aws Sdk Net Plugin

AWS SDK for .NET works with Amazon Web Services to help build scalable solutions with Amazon S3, Amazon DynamoDB, Amazon Glacier, and more. From versions 4.0.0 to before 4.0.3.3, Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. This issue has…

PLUGIN Aws Sdk Net

CVE-2026-22611

LOW CVSS 3.7 2026-01-10
Threat Entry Updated 2026-01-22

CVE-2026-22691 - Pypdf Plugin

pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for malformed startxref. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for invalid startxref entries. When rebuilding the cross-reference table, PDF files with lots of whitespace characters become problematic. Only the non-strict reading mode is affected. This issue has been patched in version 6.6.0.

PLUGIN Pypdf

CVE-2026-22691

LOW CVSS 2.7 2026-01-10
Threat Entry Updated 2026-01-22

CVE-2026-22690 - Pypdf Plugin

pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for missing /Root object with large /Size values. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for actually invalid files. This can be achieved by omitting the /Root entry in the trailer, while using a rather large /Size value. Only the non-strict reading mode is affected. This issue has been patched in version 6.6.0.

PLUGIN Pypdf

CVE-2026-22690

LOW CVSS 2.7 2026-01-10
Threat Entry Updated 2026-01-15

CVE-2026-22597 - Ghost Plugin

Ghost is a Node.js content management system. In versions 5.38.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost’s media inliner mechanism allows staff users in possession of a valid authentication token for the Ghost Admin API to exfiltrate data from internal systems via SSRF. This issue has been patched in versions 5.130.6 and 6.11.0.

PLUGIN Ghost

CVE-2026-22597

LOW CVSS 2.0 2026-01-10
Threat Entry Updated 2026-01-14

CVE-2026-22602 - Openproject Plugin

OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, a low‑privileged logged-in user can view the full names of other users. Since user IDs are assigned sequentially and predictably (e.g., 1 to 1000), an attacker can extract a complete list of all users’ full names by iterating through these URLs. The same behavior can also be reproduced via the OpenProject API, allowing automated retrieval of full names through the API as well. This issue has been patched in version 16.6.2. Those who are unable to upgrade may…

PLUGIN Openproject

CVE-2026-22602

LOW CVSS 3.5 2026-01-10
Threat Entry Updated 2026-01-15

CVE-2026-20969 - Samsung Mobile Devices Plugin

Improper input validation in SecSettings prior to SMR Jan-2026 Release 1 allows a local attacker to access a file with system privilege. User interaction is required for triggering this vulnerability.

PLUGIN Samsung Mobile Devices

CVE-2026-20969

LOW CVSS 2.3 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2026-22714 - Mediawiki - Monaco Skin Plugin

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Monaco Skin allows Cross-Site Scripting (XSS). This issue affects Mediawiki - Monaco Skin: 1.45, 1.44, 1.43, 1.39.

PLUGIN Mediawiki - Monaco Skin

CVE-2026-22714

LOW CVSS 2.3 2026-01-09
Threat Entry Updated 2026-02-12

CVE-2026-22713 - Mediawiki - GrowthExperiments Extension Plugin

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - GrowthExperiments Extension: 1.45, 1.44, 1.43, 1.39.

PLUGIN Mediawiki - GrowthExperiments Extension

CVE-2026-22713

LOW CVSS 2.3 2026-01-09
Threat Entry Updated 2026-02-12

CVE-2026-22712 - Mediawiki - ApprovedRevs Extension Plugin

Improper Encoding or Escaping of Output due to magic word replacement in ParserAfterTidy vulnerability in The Wikimedia Foundation Mediawiki - ApprovedRevs Extension allows Input Data Manipulation. This issue affects Mediawiki - ApprovedRevs Extension: 1.45, 1.44, 1.43, 1.39.

PLUGIN Mediawiki - ApprovedRevs Extension

CVE-2026-22712

LOW CVSS 2.3 2026-01-09
Threat Entry Updated 2026-02-12

CVE-2026-22710 - Mediawiki - Wikibase Extension Plugin

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Wikibase Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - Wikibase Extension: 1.45, 1.44, 1.43, 1.39.

PLUGIN Mediawiki - Wikibase Extension

CVE-2026-22710

LOW CVSS 2.3 2026-01-09
Threat Entry Updated 2026-01-22

CVE-2026-0747 - Remote Desktop Manager Plugin

Exposure of sensitive information in the TeamViewer entry dashboard component in Devolutions Remote Desktop Manager 2025.3.24.0 through 2025.3.28.0 on Windows allows an external observer to view a password on screen via a defective masking feature, for example during physical observation or screen sharing.

PLUGIN Remote Desktop Manager

CVE-2026-0747

LOW CVSS 3.3 2026-01-08
Threat Entry Updated 2026-01-12

CVE-2026-22041 - Loggingredactor Plugin

Logging Redactor is a Python library designed to redact sensitive data in logs based on regex patterns and / or dictionary keys. Prior to version 0.0.6, non-string types are converted into string types, leading to type errors in %d conversions. The problem has been patched in version 0.0.6. No known workarounds are available.

PLUGIN Loggingredactor

CVE-2026-22041

LOW CVSS 2.0 2026-01-08