
"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,024
Critical: 923
High: 3,044
Medium: 10,857
Showing 1521-1540 of 15024 records
Threat Entry Updated 2026-02-05

CVE-2026-1112 - PublicCMS Plugin

A vulnerability was found in Sanluan PublicCMS up to 5.202506.d. Affected is the function delete of the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeAddressController.java of the component Trade Address Deletion Endpoint. Performing a manipulation of the argument ids results in improper authorization. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

PLUGIN PublicCMS

CVE-2026-1112

MEDIUM CVSS 5.3 2026-01-18
Threat Entry Updated 2026-02-05

CVE-2026-1111 - PublicCMS Plugin

A vulnerability has been found in Sanluan PublicCMS up to 5.202506.d. This impacts the function Save of the file com/publiccms/controller/admin/sys/TaskTemplateAdminController.java of the component Task Template Management Handler. Such manipulation of the argument path leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

PLUGIN PublicCMS

CVE-2026-1111

MEDIUM CVSS 5.1 2026-01-18
Threat Entry Updated 2026-02-18

CVE-2026-1110 - Librtsp Plugin

A flaw has been found in cijliu librtsp up to 2ec1a81ad65280568a0c7c16420d7c10fde13b04. This affects the function rtsp_parse_method. This manipulation causes buffer overflow. It is possible to launch the attack on the local host. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected or updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.

PLUGIN Librtsp

CVE-2026-1110

MEDIUM CVSS 4.8 2026-01-18
Threat Entry Updated 2026-02-17

CVE-2026-1109 - Librtsp Plugin

A vulnerability was detected in cijliu librtsp up to 2ec1a81ad65280568a0c7c16420d7c10fde13b04. The impacted element is the function rtsp_parse_request. The manipulation results in buffer overflow. Attacking locally is a requirement. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way.

PLUGIN Librtsp

CVE-2026-1109

MEDIUM CVSS 4.8 2026-01-18
Threat Entry Updated 2026-02-17

CVE-2026-1108 - Librtsp Plugin

A security vulnerability has been detected in cijliu librtsp up to 2ec1a81ad65280568a0c7c16420d7c10fde13b04. The affected element is the function rtsp_rely_dumps. The manipulation leads to buffer overflow. An attack has to be approached locally. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected or updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.

PLUGIN Librtsp

CVE-2026-1108

MEDIUM CVSS 4.8 2026-01-18
Threat Entry Updated 2026-02-27

CVE-2026-1107 - EyouCMS Plugin

A weakness has been identified in EyouCMS up to 1.7.1/5.0. Impacted is the function check_userinfo of the file Diyajax.php of the component Member Avatar Handler. Executing a manipulation of the argument viewfile can lead to unrestricted upload. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

PLUGIN EyouCMS

CVE-2026-1107

MEDIUM CVSS 5.3 2026-01-18
Threat Entry Updated 2026-02-27

CVE-2026-1106 - LMS Plugin

A security flaw has been discovered in Chamilo LMS up to 2.0.0 Beta 1. This issue affects the function deleteLegal of the file src/CoreBundle/Controller/SocialController.php of the component Legal Consent Handler. Performing a manipulation of the argument userId results in improper authorization. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

PLUGIN LMS

CVE-2026-1106

MEDIUM CVSS 5.3 2026-01-18
Threat Entry Updated 2026-02-06

CVE-2026-1105 - EasyCMS Plugin

A vulnerability was identified in EasyCMS up to 1.6. This vulnerability affects unknown code of the file /UserAction.class.php. Such manipulation of the argument _order leads to SQL injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

PLUGIN EasyCMS

CVE-2026-1105

MEDIUM CVSS 6.9 2026-01-18
Threat Entry Updated 2026-02-27

CVE-2026-1066 - Kodbox Plugin

A vulnerability was detected in kalcaddle kodbox up to 1.61.10. This issue affects some unknown processing of the file /?explorer/index/zip of the component Compression Handler. The manipulation results in command injection. The attack may be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

PLUGIN Kodbox

CVE-2026-1066

MEDIUM CVSS 5.3 2026-01-17
Threat Entry Updated 2026-01-26

CVE-2026-1064 - Bastillion Plugin

A vulnerability was found in bastillion-io Bastillion up to 4.0.1. This issue affects some unknown processing of the file src/main/java/io/bastillion/manage/control/SystemKtrl.java of the component System Management Module. Performing a manipulation results in command injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

PLUGIN Bastillion

CVE-2026-1064

MEDIUM CVSS 5.1 2026-01-17
Threat Entry Updated 2026-01-26

CVE-2026-1062 - TMS Plugin

A flaw has been found in xiweicheng TMS up to 2.28.0. This affects the function Summary of the file src/main/java/com/lhjz/portal/util/HtmlUtil.java. This manipulation of the argument url causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been published and may be used.

PLUGIN TMS

CVE-2026-1062

MEDIUM CVSS 5.3 2026-01-17
Threat Entry Updated 2026-01-26

CVE-2026-1063 - Bastillion Plugin

A vulnerability has been found in bastillion-io Bastillion up to 4.0.1. This vulnerability affects unknown code of the file src/main/java/io/bastillion/manage/control/AuthKeysKtrl.java of the component Public Key Management System. Such manipulation leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

PLUGIN Bastillion

CVE-2026-1063

MEDIUM CVSS 5.1 2026-01-17
Threat Entry Updated 2026-01-26

CVE-2026-1061 - TMS Plugin

A vulnerability was detected in xiweicheng TMS up to 2.28.0. Affected by this issue is the function Upload of the file src/main/java/com/lhjz/portal/controller/FileController.java. The manipulation of the argument filename results in unrestricted upload. The attack may be performed from remote. The exploit is now public and may be used.

PLUGIN TMS

CVE-2026-1061

MEDIUM CVSS 5.3 2026-01-17
Threat Entry Updated 2026-02-06

CVE-2026-1059 - Wms Plugin

A security vulnerability has been detected in FeMiner wms up to 9cad1f1b179a98b9547fd003c23b07c7594775fa. Affected by this vulnerability is an unknown functionality of the file /src/chkuser.php. The manipulation of the argument Username leads to SQL injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure but did not respond in any way.

PLUGIN Wms

CVE-2026-1059

MEDIUM CVSS 6.9 2026-01-17
Threat Entry Updated 2026-02-23

CVE-2026-1050 - Digital-Infrastructure Plugin

A flaw has been found in risesoft-y9 Digital-Infrastructure up to 9.6.7. This affects an unknown function of the file source-code/src/main/java/net/risesoft/util/Y9PlatformUtil.java of the component REST Authenticate Endpoint. Executing a manipulation can lead to SQL injection. The attack can be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

PLUGIN Digital-Infrastructure

CVE-2026-1050

MEDIUM CVSS 6.9 2026-01-17
Threat Entry Updated 2026-02-27

CVE-2026-1049 - LigeroSmart Plugin

A security vulnerability has been detected in LigeroSmart up to 6.1.26. The affected element is an unknown function of the file /otrs/index.pl. Such manipulation of the argument TicketID leads to cross-site scripting. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.

PLUGIN LigeroSmart

CVE-2026-1049

MEDIUM CVSS 5.1 2026-01-17
Threat Entry Updated 2026-02-27

CVE-2026-1048 - LigeroSmart Plugin

A weakness has been identified in LigeroSmart up to 6.1.26. Impacted is an unknown function of the file /otrs/index.pl?Action=AgentTicketZoom. This manipulation of the argument TicketID causes cross-site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

PLUGIN LigeroSmart

CVE-2026-1048

MEDIUM CVSS 5.1 2026-01-17
Threat Entry Updated 2026-04-15

CVE-2026-0725 - Integrate Dynamics 365 Crm Plugin

The Integrate Dynamics 365 CRM plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Integrate Dynamics 365 Crm

CVE-2026-0725

MEDIUM CVSS 4.4 2026-01-17
Threat Entry Updated 2026-01-26

CVE-2025-8615 - Cubewp Framework Plugin

The CubeWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cubewp_shortcode_taxonomy shortcode in all versions up to, and including, 1.1.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Cubewp Framework

CVE-2025-8615

MEDIUM CVSS 6.4 2026-01-17
Threat Entry Updated 2026-01-26

CVE-2025-14078 - Woocommerce For Paygent Payment Main Plugin

The PAYGENT for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.4.6. This is due to missing authorization checks on the paygent_check_webhook function combined with the paygent_permission_callback function unconditionally returning true on line 199. This makes it possible for unauthenticated attackers to manipulate payment callbacks and modify order statuses by sending forged payment notifications via the `/wp-json/paygent/v1/check/` endpoint.

PLUGIN Woocommerce For Paygent Payment Main

CVE-2025-14078

MEDIUM CVSS 5.3 2026-01-17