Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 1181-1200 of 10857 records
Threat Entry Updated 2026-01-23

CVE-2026-23768 - Lucy Xss Filter Plugin

lucy-xss-filter before commit 7c1de6d allows an attacker to induce server-side HEAD requests to arbitrary URLs when the ObjectSecurityListener or EmbedSecurityListener option is enabled and embed or object tags are used with a src attribute missing a file extension.

PLUGIN Lucy Xss Filter

CVE-2026-23768

MEDIUM CVSS 6.1 2026-01-16
Threat Entry Updated 2026-04-15

CVE-2026-1000 - MailerLite – WooCommerce integration Plugin

The MailerLite - WooCommerce integration plugin for WordPress is vulnerable to unauthorized data modification and deletion in all versions up to, and including, 3.1.3. This is due to missing capability checks on the resetIntegration() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's integration settings, delete all plugin options, and drop the plugin's database tables (woo_mailerlite_carts and woo_mailerlite_jobs), resulting in complete loss of plugin data including customer abandoned cart information and sync job history.

PLUGIN MailerLite – WooCommerce integration

CVE-2026-1000

MEDIUM CVSS 6.5 2026-01-16
Threat Entry Updated 2026-02-02

CVE-2026-0858 - net.sourceforge.plantuml:plantuml Plugin

Versions of the package net.sourceforge.plantuml:plantuml before 1.2026.0 are vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams. As a result, a crafted PlantUML diagram can inject malicious JavaScript into generated SVG output, leading to arbitrary script execution in the context of applications that render the SVG.

PLUGIN net.sourceforge.plantuml:plantuml

CVE-2026-0858

MEDIUM CVSS 5.1 2026-01-16
Threat Entry Updated 2026-01-16

CVE-2025-15526 - Fancy Product Designer Plugin

The Fancy Product Designer plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 6.4.8. This is due to improper error handling in the PDF upload functionality that exposes server filesystem paths and stack traces in error messages. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.

PLUGIN Fancy Product Designer

CVE-2025-15526

MEDIUM CVSS 5.3 2026-01-16
Threat Entry Updated 2026-01-16

CVE-2025-15527 - Wp Recipe Maker Plugin

The WP Recipe Maker plugin for WordPress is vulnerable to Information Exposure in versions up to, and including, 10.2.2 via the api_get_post_summary function due to insufficient restrictions on which posts can be retrieved. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from posts they may not be able to edit or read otherwise. This also affects password protected, private, or draft posts that they should not have access to.

PLUGIN Wp Recipe Maker

CVE-2025-15527

MEDIUM CVSS 4.3 2026-01-16
Threat Entry Updated 2026-01-16

CVE-2025-15370 - Shield: Blocks Bots, Protects Users, and Prevents Security Breaches Plugin

The Shield: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 21.0.9 via the MfaGoogleAuthToggle class due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disable Google Authenticator for any user.

PLUGIN Shield: Blocks Bots, Protects Users, and Prevents Security Breaches

CVE-2025-15370

MEDIUM CVSS 4.3 2026-01-16
Threat Entry Updated 2026-01-16

CVE-2025-14982 - Booking Calendar Plugin

The Booking Calendar plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Exposure in all versions up to, and including, 10.14.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view all booking records in the database, including personally identifiable information (PII) such as names, email addresses, phone numbers, physical addresses, payment status, booking costs, and booking hashes belonging to other users.

PLUGIN Booking Calendar

CVE-2025-14982

MEDIUM CVSS 4.3 2026-01-16
Threat Entry Updated 2026-01-16

CVE-2025-14384 - All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic Plugin

The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `/aioseo/v1/ai/credits` REST route in all versions up to, and including, 4.9.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to disclose the global AI access token.

PLUGIN All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic

CVE-2025-14384

MEDIUM CVSS 4.3 2026-01-16
Threat Entry Updated 2026-01-16

CVE-2025-12641 - Awesome Support Plugin

The Awesome Support - WordPress HelpDesk & Support Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in all versions up to, and including, 6.3.6. This is due to the 'wpas_do_mr_activate_user' function not verifying that a user has permission to modify other users' roles, combined with a nonce reuse vulnerability where public registration nonces are valid for privileged actions because all actions share the same nonce namespace. This makes it possible for unauthenticated attackers to demote administrators to low-privilege roles via the 'wpas-do=mr_activate_user' action with a…

PLUGIN Awesome Support

CVE-2025-12641

MEDIUM CVSS 6.5 2026-01-16
Threat Entry Updated 2026-01-23

CVE-2026-1011 - Altium Live Plugin

A stored cross-site scripting (XSS) vulnerability exists in the Altium Support Center AddComment endpoint due to missing server-side input sanitization. Although the client interface applies HTML escaping, the backend accepts and stores arbitrary HTML and JavaScript supplied via modified POST requests. The injected content is rendered verbatim when support cases are viewed by other users, including support staff with elevated privileges, allowing execution of arbitrary JavaScript in the victim’s browser context.

PLUGIN Altium Live

CVE-2026-1011

MEDIUM CVSS 6.1 2026-01-16
Threat Entry Updated 2026-01-23

CVE-2026-22045 - Traefik Plugin

Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 and 3.6.7, there is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up goroutines and file descriptors indefinitely when the ACME TLS challenge is enabled. A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, then stop responding, leading to denial of service of the entry point. The vulnerability is fixed in 2.11.35 and 3.6.7.

PLUGIN Traefik

CVE-2026-22045

MEDIUM CVSS 5.9 2026-01-15
Threat Entry Updated 2026-02-25

CVE-2026-21912 - Junos OS Plugin

A Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in the method to collect FPC Ethernet firmware statistics of Juniper Networks Junos OS on MX10k Series allows a local, low-privileged attacker executing the 'show system firmware' CLI command to cause an LC480 or LC2101 line card to reset. On MX10k Series systems with LC480 or LC2101 line cards, repeated execution of the 'show system firmware' CLI command can cause the line card to crash and restart. Additionally, some time after the line card crashes, chassisd may also crash and restart, generating a core…

PLUGIN Junos OS

CVE-2026-21912

MEDIUM CVSS 6.8 2026-01-15
Threat Entry Updated 2026-02-05

CVE-2026-1002 - Eclipse Vert.x Plugin

The Vert.x Web static handler component cache can be manipulated to deny access to static files served by the handler using a specifically crafted request URI. The issue comes from an improper implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in the Vert.x Core component (used by Vert.x Web): https://github.com/eclipse-vertx/vert.x/pull/5895 Steps to reproduce: Given a file served by the static handler, craft a URI that introduces a string like bar%2F..%2F after the last / char to deny access to the URI with an HTTP 404…

PLUGIN Eclipse Vert.x

CVE-2026-1002

MEDIUM CVSS 6.9 2026-01-15
Threat Entry Updated 2026-01-20

CVE-2026-23511 - Zitadel Plugin

ZITADEL is an open source identity management platform. Prior to 4.9.1 and 3.4.6, a user enumeration vulnerability has been discovered in Zitadel's login interfaces. An unauthenticated attacker can exploit this flaw to confirm the existence of valid user accounts by iterating through usernames and userIDs. This vulnerability is fixed in 4.9.1 and 3.4.6.

PLUGIN Zitadel

CVE-2026-23511

MEDIUM CVSS 5.3 2026-01-15
Threat Entry Updated 2026-02-06

CVE-2026-0227 - Prisma Access Plugin

A vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to cause a denial of service (DoS) to the firewall. Repeated attempts to trigger this issue result in the firewall entering maintenance mode.

PLUGIN Prisma Access

CVE-2026-0227

MEDIUM CVSS 6.6 2026-01-15
Threat Entry Updated 2026-01-30

CVE-2026-23496 - Pimcore Plugin

Pimcore Web2Print Tools Bundle adds tools for web-to-print use cases to Pimcore. Prior to 5.2.2 and 6.1.1, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for managing "Favourite Output Channel Configurations." Testing revealed that an authenticated backend user lacking explicit permissions for this feature was still able to successfully invoke the endpoint and modify or retrieve these configurations. This vulnerability is fixed in 5.2.2 and 6.1.1.

PLUGIN Pimcore

CVE-2026-23496

MEDIUM CVSS 5.4 2026-01-15
Threat Entry Updated 2026-01-30

CVE-2026-23495 - Pimcore Plugin

Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. Prior to 2.2.3 and 1.7.16, the API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions (e.g., name, key, type, default value) used across documents, assets, and objects to standardize custom attributes and improve editorial workflows, as documented in Pimcore's official properties guide. Testing confirmed that an authenticated backend user without explicit permissions for property management could successfully call the endpoint and retrieve the complete list of these configurations.…

PLUGIN Pimcore

CVE-2026-23495

MEDIUM CVSS 4.3 2026-01-15
Threat Entry Updated 2026-01-20

CVE-2026-23494 - Pimcore Plugin

Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined via the backend interface or the var/config/staticroutes.php file, including details like regex-based patterns, controllers, variables, and priorities. These routes are registered automatically through the PimcoreStaticRoutesBundle and integrated into the MVC routing system. Testing revealed that an authenticated backend user lacking explicit permissions was able to invoke…

PLUGIN Pimcore

CVE-2026-23494

MEDIUM CVSS 4.3 2026-01-15
Threat Entry Updated 2026-01-30

CVE-2026-20076 - Cisco Identity Services Engine Software Plugin

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive,…

PLUGIN Cisco Identity Services Engine Software

CVE-2026-20076

MEDIUM CVSS 4.8 2026-01-15