Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-01-13
CVE-2026-0854 - DH032 Plugin
Certain DVR/NVR models developed by Merit LILIN has a OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the device.
PLUGIN
DH032
CVE-2026-0854
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2025-14579 - Before 6 Plugin
The Quiz Maker WordPress plugin before 6.7.0.89 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 6
CVE-2025-14579
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2026-0853 - AP-BS404 Plugin
Certain NVR models developed by A-Plus Video Technologies has a Sensitive Data Exposure vulnerability, allowing unauthenticated remote attackers to access the debug page and obtain device status information.
PLUGIN
AP-BS404
CVE-2026-0853
Risk Score
Threat Entry
Updated 2026-01-14
CVE-2026-0852 - Online Music Site Plugin
A security flaw has been discovered in code-projects Online Music Site 1.0. The impacted element is an unknown function of the file /Administrator/PHP/AdminUpdateUser.php. The manipulation of the argument ID results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.
PLUGIN
Online Music Site
CVE-2026-0852
Risk Score
Threat Entry
Updated 2026-01-14
CVE-2026-0851 - Online Music Site Plugin
A vulnerability was identified in code-projects Online Music Site 1.0. The affected element is an unknown function of the file /Administrator/PHP/AdminAddUser.php. The manipulation of the argument txtusername leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.
PLUGIN
Online Music Site
CVE-2026-0851
Risk Score
Threat Entry
Updated 2026-01-14
CVE-2026-0850 - Intern Membership Management System Plugin
A vulnerability was determined in code-projects Intern Membership Management System 1.0. Impacted is an unknown function of the file /admin/delete_activity.php. Executing a manipulation of the argument activity_id can lead to sql injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.
PLUGIN
Intern Membership Management System
CVE-2026-0850
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2026-0843 - jjjshop_food Plugin
A vulnerability has been found in jiujiujia/victor123/wxw850227 jjjfood and jjjshop_food up to 20260103. This vulnerability affects unknown code of the file /index.php/api/product.category/index. Such manipulation of the argument latitude leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product is distributed under multiple different names. The vendor was contacted early about this disclosure but did not respond in any way.
PLUGIN
jjjshop_food
CVE-2026-0843
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2026-0842 - smART Sketcher Plugin
A flaw has been found in Flycatcher Toys smART Sketcher up to 2.0. This affects an unknown part of the component Bluetooth Low Energy Interface. This manipulation causes missing authentication. The attack can only be done within the local network. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
PLUGIN
smART Sketcher
CVE-2026-0842
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2026-0841 - 进取 520W Plugin
A vulnerability was detected in UTT 进取 520W 1.7.7-180627. Affected by this issue is the function strcpy of the file /goform/formPictureUrl. The manipulation of the argument importpictureurl results in buffer overflow. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
PLUGIN
进取 520W
CVE-2026-0841
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2026-0840 - 进取 520W Plugin
A security vulnerability has been detected in UTT 进取 520W 1.7.7-180627. Affected by this vulnerability is the function strcpy of the file /goform/formConfigNoticeConfig. The manipulation of the argument timestart leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
PLUGIN
进取 520W
CVE-2026-0840
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2026-0839 - 进取 520W Plugin
A weakness has been identified in UTT 进取 520W 1.7.7-180627. Affected is the function strcpy of the file /goform/APSecurity. Executing a manipulation of the argument wepkey1 can lead to buffer overflow. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
PLUGIN
进取 520W
CVE-2026-0839
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2026-0838 - 进取 520W Plugin
A security flaw has been discovered in UTT 进取 520W 1.7.7-180627. This impacts the function strcpy of the file /goform/ConfigWirelessBase. Performing a manipulation of the argument ssid results in buffer overflow. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
PLUGIN
进取 520W
CVE-2026-0838
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2026-0837 - 进取 520W Plugin
A vulnerability was identified in UTT 进取 520W 1.7.7-180627. This affects the function strcpy of the file /goform/formFireWall. Such manipulation of the argument GroupName leads to buffer overflow. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
PLUGIN
进取 520W
CVE-2026-0837
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2026-0836 - 进取 520W Plugin
A vulnerability was determined in UTT 进取 520W 1.7.7-180627. The impacted element is the function strcpy of the file /goform/formConfigFastDirectionW. This manipulation of the argument ssid causes buffer overflow. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
PLUGIN
进取 520W
CVE-2026-0836
Risk Score
Threat Entry
Updated 2026-02-23
CVE-2026-0824 - Ui Plugin
A security flaw has been discovered in questdb ui up to 1.11.9. Impacted is an unknown function of the component Web Console. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. Upgrading to version 1.1.10 is recommended to address this issue. The patch is identified as b42fd9f18476d844ae181a10a249e003dafb823d. You should upgrade the affected component. The vendor confirmed early that the fix "is going to be released as a part of QuestDB 9.3.0" as…
PLUGIN
Ui
CVE-2026-0824
Risk Score
Threat Entry
Updated 2026-02-23
CVE-2026-0822 - Quickjs Plugin
A vulnerability was identified in quickjs-ng quickjs up to 0.11.0. This issue affects the function js_typed_array_sort of the file quickjs.c. The manipulation leads to heap-based buffer overflow. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The identifier of the patch is 53eefbcd695165a3bd8c584813b472cb4a69fbf5. To fix this issue, it is recommended to deploy a patch.
PLUGIN
Quickjs
CVE-2026-0822
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2025-12379 - Auxin Elements Plugin
The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a combination of the 'tag' and ‘title_tag’ parameters in all versions up to, and including, 2.17.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Auxin Elements
CVE-2025-12379
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2025-13393 - Featured Image From Url Plugin
The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.3.1. This is due to insufficient validation of user-supplied URLs before passing them to the getimagesize() function in the Elementor widget integration. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services via the fifu_input_url parameter in the FIFU Elementor widget granted…
PLUGIN
Featured Image From Url
CVE-2025-13393
Risk Score
Threat Entry
Updated 2026-02-23
CVE-2026-0821 - Quickjs Plugin
A vulnerability was determined in quickjs-ng quickjs up to 0.11.0. This vulnerability affects the function js_typed_array_constructor of the file quickjs.c. Executing a manipulation can lead to heap-based buffer overflow. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. This patch is called c5d80831e51e48a83eab16ea867be87f091783c5. A patch should be applied to remediate this issue.
PLUGIN
Quickjs
CVE-2026-0821
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2025-14555 - Widget Countdown Plugin
The Countdown Timer – Widget Countdown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpdevart_countdown' shortcode in all versions up to, and including, 2.7.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Widget Countdown
CVE-2025-14555
Risk Score