
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 10,857
Critical: 0
High: 0
Medium: 10,857
Showing 1441-1460 of 10857 records
Threat Entry Updated 2026-02-05

CVE-2026-22231 - eCASE Audit Plugin

OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment within the Document Check Out functionality. The JavaScript is executed whenever another user views the Action History Log. Fixed in OPEXUS eCASE Platform 11.14.1.0.

PLUGIN eCASE Audit

CVE-2026-22231

MEDIUM CVSS 4.8 2026-01-08
Threat Entry Updated 2026-01-08

CVE-2026-22522 - Block Slider Plugin

Missing Authorization vulnerability in Munir Kamal Block Slider allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Block Slider: from n/a through 2.2.3.

PLUGIN Block Slider

CVE-2026-22522

MEDIUM CVSS 6.5 2026-01-08
Threat Entry Updated 2026-01-08

CVE-2026-22519 - MediaPress Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BuddyDev MediaPress allows Stored XSS. This issue affects MediaPress: from n/a through 1.6.2.

PLUGIN MediaPress

CVE-2026-22519

MEDIUM CVSS 6.5 2026-01-08
Threat Entry Updated 2026-01-08

CVE-2026-22518 - Elementor Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pencilwp X Addons for Elementor allows DOM-Based XSS. This issue affects X Addons for Elementor: from n/a through 1.0.23.

PLUGIN Elementor

CVE-2026-22518

MEDIUM CVSS 6.5 2026-01-08
Threat Entry Updated 2026-04-23

CVE-2026-22517 - GA4WP: Google Analytics for WordPress Plugin

Missing Authorization vulnerability in Passionate Brains GA4WP: Google Analytics for WordPress ga-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GA4WP: Google Analytics for WordPress: from n/a through

PLUGIN GA4WP: Google Analytics for WordPress

CVE-2026-22517

MEDIUM CVSS 5.4 2026-01-08
Threat Entry Updated 2026-04-23

CVE-2026-22490 - Bulk Landing Page Creator for WordPress LPagery Plugin

Missing Authorization vulnerability in niklaslindemann Bulk Landing Page Creator for WordPress LPagery lpagery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bulk Landing Page Creator for WordPress LPagery: from n/a through

PLUGIN Bulk Landing Page Creator for WordPress LPagery

CVE-2026-22490

MEDIUM CVSS 5.4 2026-01-08
Threat Entry Updated 2026-01-08

CVE-2026-22488 - Dashboard Welcome for Beaver Builder Plugin

Missing Authorization vulnerability in IdeaBox Creations Dashboard Welcome for Beaver Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Dashboard Welcome for Beaver Builder: from n/a through 1.0.8.

PLUGIN Dashboard Welcome for Beaver Builder

CVE-2026-22488

MEDIUM CVSS 5.3 2026-01-08
Threat Entry Updated 2026-01-08

CVE-2026-22492 - Docket Cache Plugin

Missing Authorization vulnerability in Nawawi Jamili Docket Cache allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Docket Cache: from n/a through 24.07.04.

PLUGIN Docket Cache

CVE-2026-22492

MEDIUM CVSS 4.3 2026-01-08
Threat Entry Updated 2026-01-08

CVE-2026-22489 - Image Slider Slideshow Plugin

Authorization Bypass Through User-Controlled Key vulnerability in Wptexture Image Slider Slideshow allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Image Slider Slideshow: from n/a through 1.8.

PLUGIN Image Slider Slideshow

CVE-2026-22489

MEDIUM CVSS 4.3 2026-01-08
Threat Entry Updated 2026-01-15

CVE-2026-0671 - MediaWiki - UploadWizard extension Plugin

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki - UploadWizard extension allows Cross-Site Scripting (XSS). This issue affects MediaWiki - UploadWizard extension: 1.45, 1.44, 1.43, 1.39.

PLUGIN MediaWiki - UploadWizard extension

CVE-2026-0671

MEDIUM CVSS 6.1 2026-01-08
Threat Entry Updated 2026-01-14

CVE-2026-21639 - airFiber AF60 Plugin

A malicious actor in Wi-Fi range of the affected product could leverage a vulnerability in the airMAX Wireless Protocol to achieve a remote code execution (RCE) within the affected product. Affected Products: airMAX AC (Version 8.7.20 and earlier) airMAX M (Version 6.3.22 and earlier) airFiber AF60-XG (Version 1.2.2 and earlier) airFiber AF60 (Version 2.6.7 and earlier) Mitigation: Update your airMAX AC to Version 8.7.21 or later. Update your airMAX M to Version 6.3.24 or later. Update your airFiber AF60-XG to Version 1.2.3 or later. Update your airFiber AF60 to Version…

PLUGIN airFiber AF60

CVE-2026-21639

MEDIUM CVSS 5.4 2026-01-08
Threat Entry Updated 2026-01-08

CVE-2026-22486 - Re Gallery & Responsive Photo Gallery Plugin

Missing Authorization vulnerability in Hakob Re Gallery & Responsive Photo Gallery Plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Re Gallery & Responsive Photo Gallery Plugin: from n/a through 1.17.18.

PLUGIN Re Gallery & Responsive Photo Gallery Plugin

CVE-2026-22486

MEDIUM CVSS 5.3 2026-01-08
Threat Entry Updated 2026-01-08

CVE-2026-22487 - Speed Kit Plugin

Missing Authorization vulnerability in baqend Speed Kit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Speed Kit: from n/a through 2.0.2.

PLUGIN Speed Kit

CVE-2026-22487

MEDIUM CVSS 4.3 2026-01-08
Threat Entry Updated 2026-01-22

CVE-2026-22246 - Mastodon Plugin

Mastodon is a free, open-source social network server based on ActivityPub. Mastodon 4.3 added notifications of severed relationships, allowing end-users to inspect the relationships they lost as the result of a moderation action. The code allowing users to download lists of severed relationships for a particular event fails to check the owner of the list before returning the lost relationships. Any registered local user can access the list of lost followers and followed users caused by any severance event, and go through all severance events this way. The leaked information…

PLUGIN Mastodon

CVE-2026-22246

MEDIUM CVSS 6.5 2026-01-08
Threat Entry Updated 2026-01-15

CVE-2026-22043 - Rustfs Plugin

RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 through 1.0.0-alpha.78, a flawed `deny_only` short-circuit in RustFS IAM allows a restricted service account or STS credential to self-issue an unrestricted service account, inheriting the parent’s full privileges. This enables privilege escalation and bypass of session/inline policy restrictions. Version 1.0.0-alpha.79 fixes the issue.

PLUGIN Rustfs

CVE-2026-22043

MEDIUM CVSS 5.7 2026-01-08
Threat Entry Updated 2026-01-15

CVE-2026-22042 - Rustfs Plugin

RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.79, the `ImportIam` admin API validates permissions using `ExportIAMAction` instead of `ImportIAMAction`, allowing a principal with export-only IAM permissions to perform import operations. Since importing IAM data performs privileged write actions (creating/updating users, groups, policies, and service accounts), this can lead to unauthorized IAM modification and privilege escalation. Version 1.0.0-alpha.79 fixes the issue.

PLUGIN Rustfs

CVE-2026-22042

MEDIUM CVSS 5.7 2026-01-08
Threat Entry Updated 2026-01-20

CVE-2026-22032 - Directus Plugin

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.14.0, an open redirect vulnerability exists in the Directus SAML authentication callback endpoint. During SAML authentication, the `RelayState` parameter is intended to preserve the user's original destination. However, while the login initiation flow validates redirect targets against allowed domains, this validation is not applied to the callback endpoint. This allows an attacker to craft a malicious authentication request that redirects users to an arbitrary external URL upon completion. The vulnerability is present in both…

PLUGIN Directus

CVE-2026-22032

MEDIUM CVSS 4.3 2026-01-08
Threat Entry Updated 2026-01-12

CVE-2026-21885 - V2 Plugin

Miniflux 2 is an open source feed reader. Prior to version 2.2.16, Miniflux's media proxy endpoint (`GET /proxy/{encodedDigest}/{encodedURL}`) can be abused to perform Server-Side Request Forgery (SSRF). An authenticated user can cause Miniflux to generate a signed proxy URL for attacker-chosen media URLs embedded in feed entry content, including internal addresses (e.g., localhost, private RFC1918 ranges, or link-local metadata endpoints). Requesting the resulting `/proxy/...` URL makes Miniflux fetch and return the internal response. Version 2.2.16 fixes the issue.

PLUGIN V2

CVE-2026-21885

MEDIUM CVSS 6.5 2026-01-08
Threat Entry Updated 2026-01-20

CVE-2026-21892 - Parsl Plugin

Parsl is a Python parallel scripting library. A SQL Injection vulnerability exists in the parsl-visualize component of versions prior to 2026.01.05. The application constructs SQL queries using unsafe string formatting (Python % operator) with user-supplied input (workflow_id) directly from URL routes. This allows an unauthenticated attacker with access to the visualization dashboard to inject arbitrary SQL commands, potentially leading to data exfiltration or denial of service against the monitoring database. Version 2026.01.05 fixes the issue.

PLUGIN Parsl

CVE-2026-21892

MEDIUM CVSS 5.3 2026-01-08
Threat Entry Updated 2026-01-12

CVE-2026-22242 - CoreShop Plugin

CoreShop is a Pimcore enhanced eCommerce solution. Prior to version 4.1.8, a blind SQL injection vulnerability exists in the application that allows an authenticated administrator-level user to extract database contents using boolean-based or time-based techniques. The database account used by the application is read-only and non-DBA, limiting impact to confidential data disclosure only. No data modification or service disruption is possible. This issue has been patched in version 4.1.8.

PLUGIN CoreShop

CVE-2026-22242

MEDIUM CVSS 4.9 2026-01-08