Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-02-17
CVE-2026-0574 - Warehouse Plugin
A weakness has been identified in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This affects the function saveUserRole of the file warehouse\src\main\java\com\yeqifu\sys\controller\UserController.java of the component Request Handler. This manipulation causes improper authorization. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified.
PLUGIN
Warehouse
CVE-2026-0574
Risk Score
Threat Entry
Updated 2026-02-23
CVE-2026-21484 - Anything Llm Plugin
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to commit e287fab56089cf8fcea9ba579a3ecdeca0daa313, the password recovery endpoint returns different error messages depending on whether a username exists, so enabling username enumeration. Commit e287fab56089cf8fcea9ba579a3ecdeca0daa313 fixes this issue.
PLUGIN
Anything Llm
CVE-2026-21484
Risk Score
Threat Entry
Updated 2026-02-05
CVE-2026-21452 - Msgpack Java Plugin
MessagePack for Java is a serializer implementation for Java. A denial-of-service vulnerability exists in versions prior to 0.9.11 when deserializing .msgpack files containing EXT32 objects with attacker-controlled payload lengths. While MessagePack-Java parses extension headers lazily, it later trusts the declared EXT payload length when materializing the extension data. When ExtensionValue.getData() is invoked, the library attempts to allocate a byte array of the declared length without enforcing any upper bound. A malicious .msgpack file of only a few bytes can therefore trigger unbounded heap allocation, resulting in JVM heap exhaustion, process…
PLUGIN
Msgpack Java
CVE-2026-21452
Risk Score
Threat Entry
Updated 2026-02-25
CVE-2026-21483 - Listmonk Plugin
listmonk is a standalone, self-hosted, newsletter and mailing list manager. Prior to version 6.0.0, lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user (Super Admin) views or previews this content, the XSS executes in their browser context, allowing the attacker to perform privileged actions such as creating backdoor admin accounts. The attack can be weaponized via the public archive feature, where victims simply need to visit a link - no preview click required. Version 6.0.0 fixes the issue.
PLUGIN
Listmonk
CVE-2026-21483
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2026-21449 - Bagisto Plugin
Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via first name and last name from a low-privilege user. Version 2.3.10 fixes the issue.
PLUGIN
Bagisto
CVE-2026-21449
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2026-21450 - Bagisto Plugin
Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via type parameter, which can lead to remote code execution or another exploitation. Version 2.3.10 fixes the issue.
PLUGIN
Bagisto
CVE-2026-21450
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2026-21451 - Bagisto Plugin
Bagisto is an open source laravel eCommerce platform. A stored Cross-Site Scripting (XSS) vulnerability exists in Bagisto prior to version 2.3.10 within the CMS page editor. Although the platform normally attempts to sanitize `` tags, the filtering can be bypassed by manipulating the raw HTTP POST request before submission. As a result, arbitrary JavaScript can be stored in the CMS content and executed whenever the page is viewed or edited. This exposes administrators to a high-severity risk, including complete account takeover, backend hijacking, and malicious script execution. Version 2.3.10 fixes…
PLUGIN
Bagisto
CVE-2026-21451
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2026-21448 - Bagisto Plugin
Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection. When a normal customer orders any product, in the `add address` step they can inject a value to run in admin view. The issue can lead to remote code execution. Version 2.3.10 contains a patch.
PLUGIN
Bagisto
CVE-2026-21448
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2026-21447 - Bagisto Plugin
Bagisto is an open source laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by manipulating the order ID parameter. This exposes sensitive purchase information and enables potential fraud. Version 2.3.10 patches the issue.
PLUGIN
Bagisto
CVE-2026-21447
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2026-21446 - Bagisto Plugin
Bagisto is an open source laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, API routes remain active even after initial installation is complete. The underlying API endpoints (`/install/api/*`) are directly accessible and exploitable without any authentication. An attacker can bypass the Ib installer entirely by calling the API endpoints directly. This allows any unauthenticated attacker to create admin accounts, modify application configurations, and potentially overwrite existing data. Version 2.3.10 fixes the issue.
PLUGIN
Bagisto
CVE-2026-21446
Risk Score
Threat Entry
Updated 2026-01-16
CVE-2026-21445 - Langflow Plugin
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0.dev45, multiple critical API endpoints in Langflow are missing authentication controls. The issue allows any unauthenticated user to access sensitive user conversation data, transaction histories, and perform destructive operations including message deletion. This affects endpoints handling personal data and system operations that should require proper authorization. Version 1.7.0.dev45 contains a patch.
PLUGIN
Langflow
CVE-2026-21445
Risk Score
Threat Entry
Updated 2026-02-05
CVE-2026-0571 - Warehouse Plugin
A security flaw has been discovered in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected by this issue is the function createResponseEntity of the file warehouse\src\main\java\com\yeqifu\sys\common\AppFileUtils.java. The manipulation of the argument path results in path traversal. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases.
PLUGIN
Warehouse
CVE-2026-0571
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2026-21440 - Core Plugin
AdonisJS is a TypeScript-first web framework. A Path Traversal vulnerability in AdonisJS multipart file handling may allow a remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This impacts @adonisjs/bodyparser through version 10.1.1 and 11.x prerelease versions prior to 11.0.0-next.6. This issue has been patched in @adonisjs/bodyparser versions 10.1.2 and 11.0.0-next.6.
PLUGIN
Core
CVE-2026-21440
Risk Score
Threat Entry
Updated 2026-01-16
CVE-2026-21433 - Emlog Plugin
Emlog is an open source website building system. Versions up to and including 2.5.19 are vulnerable to server-side Out-of-Band (OOB) requests / SSRF via uploaded SVG files. An attacker can upload a crafted SVG to http[:]//emblog/admin/media[.]php which contains external resource references. When the server processes/renders the SVG (thumbnailing, preview, or sanitization), it issues an HTTP request to the attacker-controlled host. Impact: server-side SSRF/OOB leading to internal network probing and potential metadata/credential exposure. As of time of publication, no known patched versions are available.
PLUGIN
Emlog
CVE-2026-21433
Risk Score
Threat Entry
Updated 2026-01-16
CVE-2026-21432 - Emlog Plugin
Emlog is an open source website building system. Version 2.5.23 has a stored cross-site scripting vulnerability that can lead to account takeover, including takeover of admin accounts. As of time of publication, no known patched versions are available.
PLUGIN
Emlog
CVE-2026-21432
Risk Score
Threat Entry
Updated 2026-02-25
CVE-2026-21444 - Libtpms Plugin
libtpms, a library that provides software emulation of a Trusted Platform Module, has a flaw in versions 0.10.0 and 0.10.1. The commonly used integration of libtpms with OpenSSL 3.x contained a vulnerability related to the returned IV (initialization vector) when certain symmetric ciphers were used. Instead of returning the last IV it returned the initial IV to the caller, thus weakening the subsequent encryption and decryption steps. The highest threat from this vulnerability is to data confidentiality. Version 0.10.2 fixes the issue. No known workarounds are available.
PLUGIN
Libtpms
CVE-2026-21444
Risk Score
Threat Entry
Updated 2026-01-16
CVE-2026-21430 - Emlog Plugin
Emlog is an open source website building system. In version 2.5.23, article creation functionality is vulnerable to cross-site request forgery (CSRF). This can lead to a user being forced to post an article with arbitrary, attacker-controlled content. This, when combined with stored cross-site scripting, leads to account takeover. As of time of publication, no known patched versions are available.
PLUGIN
Emlog
CVE-2026-21430
Risk Score
Threat Entry
Updated 2026-02-23
CVE-2026-0570 - Online Music Site Plugin
A vulnerability was found in code-projects Online Music Site 1.0. This impacts an unknown function of the file /Frontend/Feedback.php. Performing a manipulation of the argument fname results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used.
PLUGIN
Online Music Site
CVE-2026-0570
Risk Score
Threat Entry
Updated 2026-01-09
CVE-2026-0569 - Online Music Site Plugin
A vulnerability has been found in code-projects Online Music Site 1.0. This affects an unknown function of the file /Frontend/AlbumByCategory.php. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
PLUGIN
Online Music Site
CVE-2026-0569
Risk Score
Threat Entry
Updated 2026-01-16
CVE-2026-21431 - Emlog Plugin
Emlog is an open source website building system. Version 2.5.23 has a stored cross-site scripting vulnerability in the `Resource media library ` function while publishing an article. As of time of publication, no known patched versions are available.
PLUGIN
Emlog
CVE-2026-21431
Risk Score