Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-01-20
CVE-2026-21894 - N8n Plugin
n8n is an open source workflow automation platform. In versions from 0.150.0 to before 2.2.2, an authentication bypass vulnerability in the Stripe Trigger node allows unauthenticated parties to trigger workflows by sending forged Stripe webhook events. The Stripe Trigger creates and stores a Stripe webhook signing secret when registering the webhook endpoint, but incoming webhook requests were not verified against this secret. As a result, any HTTP client that knows the webhook URL could send a POST request containing a matching event type, causing the workflow to execute as if…
PLUGIN
N8n
CVE-2026-21894
Risk Score
Threat Entry
Updated 2026-01-15
CVE-2026-21872 - Nicegui Plugin
NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the click event listener used by ui.sub_pages, combined with attacker-controlled link rendering on the page, causes XSS when the user actively clicks on the link. This issue has been patched in version 3.5.0.
PLUGIN
Nicegui
CVE-2026-21872
Risk Score
Threat Entry
Updated 2026-01-15
CVE-2026-21871 - Nicegui Plugin
NiceGUI is a Python-based UI framework. From versions 2.13.0 to 3.4.1, there is a XSS risk in NiceGUI when developers pass attacker-controlled strings into ui.navigate.history.push() or ui.navigate.history.replace(). These helpers are documented as History API wrappers for updating the browser URL without page reload. However, if the URL argument is embedded into generated JavaScript without proper escaping, a crafted payload can break out of the intended string context and execute arbitrary JavaScript in the victim’s browser. Applications that do not pass untrusted input into ui.navigate.history.push/replace are not affected. This issue has…
PLUGIN
Nicegui
CVE-2026-21871
Risk Score
Threat Entry
Updated 2026-01-15
CVE-2026-21874 - Nicegui Plugin
NiceGUI is a Python-based UI framework. From versions v2.10.0 to 3.4.1, an unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Connections are never released, leading to service degradation when Redis hits its connection limit. NiceGUI continues accepting new connections - errors are logged but the app stays up with broken storage functionality. This issue has been patched in version 3.5.0.
PLUGIN
Nicegui
CVE-2026-21874
Risk Score
Threat Entry
Updated 2026-01-20
CVE-2026-0676 - Zorka Theme
Missing Authorization vulnerability in G5Theme Zorka zorka allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Zorka: from n/a through
THEME
Zorka
CVE-2026-0676
Risk Score
Threat Entry
Updated 2026-04-23
CVE-2026-0674 - Campaign Monitor for WordPress Plugin
Missing Authorization vulnerability in Campaign Monitor Campaign Monitor for WordPress forms-for-campaign-monitor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Campaign Monitor for WordPress: from n/a through
PLUGIN
Campaign Monitor for WordPress
CVE-2026-0674
Risk Score
Threat Entry
Updated 2026-01-20
CVE-2025-27004 - WordPress Core
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Famous - Responsive Image And Video Grid Gallery WordPress Plugin famous_grid_image_and_video_gallery allows Reflected XSS.This issue affects Famous - Responsive Image And Video Grid Gallery WordPress Plugin: from n/a through
CORE
WordPress Core
CVE-2025-27004
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2025-14984 - Gutenverse Form Plugin
The Gutenverse Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file upload in all versions up to, and including, 2.3.2. This is due to the plugin's framework component adding SVG to the allowed MIME types via the upload_mimes filter without implementing any sanitization of SVG file contents. This makes it possible for authenticated attackers, with Author-level access and above, to upload SVG files containing malicious JavaScript that executes when the file is viewed, leading to arbitrary JavaScript execution in victims' browsers.
PLUGIN
Gutenverse Form
CVE-2025-14984
Risk Score
Threat Entry
Updated 2026-02-23
CVE-2026-0701 - Intern Membership Management System Plugin
A vulnerability was identified in code-projects Intern Membership Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /intern/admin/add_admin.php. The manipulation of the argument Username leads to sql injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used.
PLUGIN
Intern Membership Management System
CVE-2026-0701
Risk Score
Threat Entry
Updated 2026-01-12
CVE-2026-0700 - Intern Membership Management System Plugin
A vulnerability was determined in code-projects Intern Membership Management System 1.0. Affected is an unknown function of the file /intern/admin/check_admin.php. Executing a manipulation of the argument Username can lead to sql injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized.
PLUGIN
Intern Membership Management System
CVE-2026-0700
Risk Score
Threat Entry
Updated 2026-01-12
CVE-2026-0699 - Intern Membership Management System Plugin
A vulnerability was found in code-projects Intern Membership Management System 1.0. This impacts an unknown function of the file /intern/admin/edit_activity.php. Performing a manipulation of the argument activity_id results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used.
PLUGIN
Intern Membership Management System
CVE-2026-0699
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2025-13679 - Elearning And Online Course Solution Plugin
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_order_by_id() function in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate order IDs and exfiltrate sensitive data (PII), such as student name, email address, phone number, and billing address.
PLUGIN
Elearning And Online Course Solution
CVE-2025-13679
Risk Score
Threat Entry
Updated 2026-01-09
CVE-2026-0698 - Intern Membership Management System Plugin
A vulnerability has been found in code-projects Intern Membership Management System 1.0. This affects an unknown function of the file /intern/admin/edit_students.php. Such manipulation of the argument admin_id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
PLUGIN
Intern Membership Management System
CVE-2026-0698
Risk Score
Threat Entry
Updated 2026-01-09
CVE-2026-0697 - Intern Membership Management System Plugin
A flaw has been found in code-projects Intern Membership Management System 1.0. The impacted element is an unknown function of the file /intern/admin/edit_admin.php. This manipulation of the argument admin_id causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used.
PLUGIN
Intern Membership Management System
CVE-2026-0697
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2026-0707 - Red Hat Build of Keycloak Plugin
A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750 specifications.
PLUGIN
Red Hat Build of Keycloak
CVE-2026-0707
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2025-14275 - Jeg Elementor Kit Plugin
The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.0.1 due to insufficient input sanitization in the countdown widget's redirect functionality. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary JavaScript that will execute when an administrator or other user views the page containing the malicious countdown element.
PLUGIN
Jeg Elementor Kit
CVE-2025-14275
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2025-12640 - File Manager Plugin
The Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager plugin for WordPress is vulnerable to Unauthorized Arbitrary Media Replacement in all versions up to, and including, 3.1.5. This is due to missing object-level authorization checks in the handle_folders_file_upload() function. This makes it possible for authenticated attackers, with Author-level access and above, to replace arbitrary media files from the WordPress Media Library.
PLUGIN
File Manager
CVE-2025-12640
Risk Score
Threat Entry
Updated 2026-01-20
CVE-2026-21880 - Kanboard Plugin
Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below have an LDAP Injection vulnerability in the LDAP authentication mechanism. User-supplied input is directly substituted into LDAP search filters without proper sanitization, allowing attackers to enumerate all LDAP users, discover sensitive user attributes, and perform targeted attacks against specific accounts. This issue is fixed in version 1.2.49.
PLUGIN
Kanboard
CVE-2026-21880
Risk Score
Threat Entry
Updated 2026-01-20
CVE-2026-21879 - Kanboard Plugin
Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below are vulnerable to an Open Redirect attack that allows malicious actors to redirect authenticated users to attacker-controlled websites. By crafting URLs such as //evil.com, attackers can bypass the filter_var($url, FILTER_VALIDATE_URL) validation check. This vulnerability could be exploited to conduct phishing attacks, steal user credentials, or distribute malware. The issue is fixed in version 1.2.49.
PLUGIN
Kanboard
CVE-2026-21879
Risk Score
Threat Entry
Updated 2026-01-23
CVE-2026-21883 - Bokeh Plugin
Bokeh is an interactive visualization library written in Python. In versions 3.8.1 and below, if a server is configured with an allowlist (e.g., dashboard.corp), an attacker can register a domain like dashboard.corp.attacker.com (or use a subdomain if applicable) and lure a victim to visit it. The malicious site can then initiate a WebSocket connection to the vulnerable Bokeh server. Since the Origin header (e.g., http://dashboard.corp.attacker.com/) matches the allowlist according to the flawed logic, the connection is accepted. Once connected, the attacker can interact with the Bokeh server on behalf of…
PLUGIN
Bokeh
CVE-2026-21883
Risk Score