Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Database totals: 15,024 entries (923 critical, 3,044 high, 10,857 medium). Showing records 1581-1600.
Threat Entry Updated 2026-01-30

CVE-2026-23727 - WeGIA Plugin

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=TipoSaidaControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2.

Severity: MEDIUM (CVSS 4.8) | 2026-01-16
Threat Entry Updated 2026-01-30

CVE-2026-23726 - WeGIA Plugin

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=TipoEntradaControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2.

Severity: MEDIUM (CVSS 4.8) | 2026-01-16
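Both WeGIA entries above (CVE-2026-23727 and CVE-2026-23726) describe the same weakness: the nextPage value is echoed into a redirect without any check. The following is an added example written for this page, not WeGIA's own code, showing the same-origin check a handler can apply before issuing the redirect. DEFAULT_LANDING and the function name are assumptions. The check deliberately runs on the raw string before parsing, because browsers collapse "//evil", "///evil" and "/\evil" into an authority while urlsplit() reports the three-slash form as a plain path.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed fallback target; not a path taken from the advisory.
DEFAULT_LANDING = "/WeGIA/home.php"


def safe_next_page(next_page, default=DEFAULT_LANDING):
    """Return next_page if it is a path on this origin, otherwise `default`.

    Accepts only "/path?query" targets. Anything carrying a scheme or an
    authority, or that a browser would reinterpret as one, falls back.
    """
    if not isinstance(next_page, str) or not next_page:
        return default

    # CR/LF, NUL and other control characters can split headers in some
    # stacks; spaces let "javascript:" style payloads slip past naive checks.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in next_page):
        return default

    # Raw checks before parsing: a leading run of slashes or backslashes is an
    # authority to every browser, whatever urlsplit() makes of it.
    if next_page[0] != "/" or (len(next_page) > 1 and next_page[1] in "/\\"):
        return default

    parts = urlsplit(next_page)
    if parts.scheme or parts.netloc or "\\" in parts.path:
        return default

    # Re-assemble path + query only: the fragment never reaches the server,
    # and re-serialising normalises whatever urlsplit() tolerated.
    return urlunsplit(("", "", parts.path, parts.query, ""))
```

The query string is preserved so that legitimate targets such as `control.php?metodo=listarTodos` keep working; only the authority-bearing forms are dropped.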
Threat Entry Updated 2026-01-30

CVE-2026-23724 - WeGIA Plugin

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the html/atendido/cadastro_ocorrencia.php endpoint of the WeGIA application. The application does not sanitize user-controlled data before rendering it inside the “Atendido” selection dropdown. This vulnerability is fixed in 3.6.2.

Severity: MEDIUM (CVSS 4.3) | 2026-01-16
Threat Entry Updated 2026-01-30

CVE-2026-23645 - Siyuan Plugin

SiYuan is self-hosted, open source personal knowledge management software. Prior to 3.5.4-dev2, a Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an untrusted source), arbitrary JavaScript code is executed in the context of their authenticated session. This vulnerability is fixed in 3.5.4-dev2.

Severity: MEDIUM (CVSS 5.3) | 2026-01-16
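An SVG file is an XML document, so a viewer that opens it directly runs any script it carries in the viewer's session, which is the SiYuan failure mode above. The following is an added example for this page, not SiYuan's code, showing a minimal denylist sanitiser over uploaded SVG: it drops script and foreignObject elements, every on* event attribute, and href values with javascript:, vbscript: or data: schemes. The sample document is constructed here to exercise each branch. A denylist is only a first line; the stronger control is to serve user uploads from a separate origin or with a sandboxing Content-Security-Policy so that a missed payload cannot run as the application.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # serialise back with a default namespace
ET.register_namespace("xlink", XLINK_NS)

# Elements that execute code or embed HTML (foreignObject can carry <script>).
BLOCKED_TAGS = {"script", "foreignobject"}
BLOCKED_SCHEMES = {"javascript", "vbscript", "data"}

# Constructed sample, not a file from the advisory: the classic SVG payloads in one document.
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100" onload="alert(1)">
  <script>alert(document.cookie)</script>
  <a xlink:href="javascript:alert(2)"><text x="10" y="20">click me</text></a>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(3)"/></body></foreignObject>
  <circle cx="50" cy="50" r="40" fill="red"/>
</svg>"""


def _local(qname):
    """'{ns}tag' -> 'tag', lower-cased for comparison."""
    return qname.rsplit("}", 1)[-1].lower()


def _dangerous_url(value):
    # Browsers ignore embedded whitespace when reading the scheme ("java\nscript:").
    compact = "".join(value.split()).lower()
    return urlsplit(compact).scheme in BLOCKED_SCHEMES


def sanitize_svg(svg_bytes):
    """Return (clean_svg_text, removed) where removed lists what was stripped."""
    # ElementTree expands internal entities; refuse DTDs outright rather than
    # relying on parser limits (or parse with defusedxml where it is available).
    upper = svg_bytes.upper()
    if b"<!DOCTYPE" in upper or b"<!ENTITY" in upper:
        raise ValueError("DTD / entity declarations are not accepted in uploads")

    root = ET.fromstring(svg_bytes)
    removed = []
    stack = [root]
    while stack:
        node = stack.pop()
        for child in list(node):
            if not isinstance(child.tag, str):      # comments / processing instructions
                node.remove(child)
                continue
            if _local(child.tag) in BLOCKED_TAGS:
                node.remove(child)
                removed.append(_local(child.tag))
                continue
            stack.append(child)
        for attr in list(node.attrib):
            name = _local(attr)                     # xlink:href and href both end up as "href"
            if name.startswith("on") or (name == "href" and _dangerous_url(node.attrib[attr])):
                del node.attrib[attr]
                removed.append("@" + name)
    return ET.tostring(root, encoding="unicode"), removed
```

The `removed` list is worth logging: a stream of uploads that keep tripping the script or onload branches is itself a signal.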
Threat Entry Updated 2026-01-26

CVE-2026-23634 - Pepr Plugin

Pepr is a type-safe Kubernetes (K8s) middleware. Prior to 1.0.5, Pepr defaults to a cluster-admin RBAC configuration and does not explicitly enforce least-privilege guidance for module authors. The default exists to make the "getting started" experience smooth: new users can experiment with Pepr and create resources dynamically without pre-configuring RBAC. This vulnerability is fixed in 1.0.5.

Severity: UNKNOWN (CVSS 0.0) | 2026-01-16
Threat Entry Updated 2026-02-18

CVE-2026-23535 - Wlc Plugin

wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.2, the multi-translation download could write to an arbitrary location when instructed by a crafted server. This vulnerability is fixed in 1.17.2.

Severity: HIGH (CVSS 8.0) | 2026-01-16
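The wlc entry is the client-side mirror of path traversal: the file name comes from the server, so a malicious or compromised Weblate instance chooses where the download lands. The following is an added example for this page, not wlc's code, showing how a client should treat a server-supplied name before writing. It rejects absolute paths, drive letters, backslashes, NUL and any ".." segment, then still checks containment after normalisation. posixpath is used on purpose so the logic is identical on every platform; the base directory name is an assumption.

```python
import posixpath
import re

_DRIVE_OR_UNC = re.compile(r"^([A-Za-z]:|\\\\)")


def safe_download_path(base_dir, server_supplied_name):
    """Join a server-supplied relative file name under base_dir, or raise ValueError.

    The name comes from the remote end (the advisory's "crafted server"), so it
    is hostile input. A real client should additionally resolve symlinks in
    base_dir (os.path.realpath) before joining; that step is not shown here.
    """
    name = server_supplied_name
    if not name or "\x00" in name or "\\" in name or _DRIVE_OR_UNC.match(name):
        raise ValueError(f"rejected file name: {name!r}")
    # A translation file name has no business containing ".." at all, so the
    # segment check rejects it outright instead of trying to normalise it away.
    if name.startswith("/") or ".." in name.split("/"):
        raise ValueError(f"rejected file name: {name!r}")

    base = posixpath.normpath(base_dir)
    full = posixpath.normpath(posixpath.join(base, name))
    # Belt and braces: even after the segment checks, require containment and
    # refuse a name that resolves to the directory itself ("." or "./").
    if full == base or posixpath.commonpath([base, full]) != base:
        raise ValueError(f"escapes {base}: {name!r}")
    return full
```

Everything the function rejects is something a well-behaved Weblate server would never send, so a ValueError here is a reason to stop the whole multi-file download, not to skip one file.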
Threat Entry Updated 2026-02-01

CVE-2026-23490 - Pyasn1 Plugin

pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a denial-of-service issue was found: a malformed RELATIVE-OID with an excessive number of continuation octets leads to memory exhaustion. This vulnerability is fixed in 0.6.2.

Severity: HIGH (CVSS 7.5) | 2026-01-16
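A RELATIVE-OID's content octets are a sequence of base-128 subidentifiers in which bit 8 of each octet is a continuation flag (X.690 clauses 8.19 and 8.20); a decoder that accumulates octets until it sees a terminating octet will grow without bound on input that never terminates. The following is an added example for this page, not pyasn1's decoder, showing a bounded decoder: a per-subidentifier octet limit, a total content limit, rejection of the non-minimal leading 0x80, and a DER TLV wrapper that checks the length field before trusting it. The limits are assumptions chosen for illustration; the sample value 8571.3.2 is the encoding example from X.690.

```python
RELATIVE_OID_TAG = 0x0D        # universal tag 13, primitive
MAX_SUBID_OCTETS = 10          # 10 * 7 = 70 bits, enough for any 64-bit subidentifier
MAX_CONTENT_OCTETS = 4096      # policy limit chosen for this example


def decode_relative_oid_content(content, max_subid_octets=MAX_SUBID_OCTETS):
    """Decode RELATIVE-OID content octets into a tuple of subidentifiers.

    A run of 0x81 0x81 0x81 ... is rejected after `max_subid_octets` octets
    instead of being accumulated into an ever larger integer.
    """
    if len(content) > MAX_CONTENT_OCTETS:
        raise ValueError("content too long")
    subids, value, n = [], 0, 0
    for octet in content:
        if n == 0 and octet == 0x80:
            raise ValueError("non-minimal encoding: leading 0x80 octet")
        n += 1
        if n > max_subid_octets:
            raise ValueError(f"subidentifier exceeds {max_subid_octets} octets")
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:                   # continuation bit clear: subidentifier complete
            subids.append(value)
            value, n = 0, 0
    if n:
        raise ValueError("truncated: last octet still has the continuation bit set")
    if not subids:
        raise ValueError("RELATIVE-OID needs at least one subidentifier")
    return tuple(subids)


def decode_relative_oid_tlv(der):
    """Parse a complete DER TLV (tag 0x0D, definite length) and decode its value."""
    if len(der) < 2 or der[0] != RELATIVE_OID_TAG:
        raise ValueError("not a RELATIVE-OID TLV")
    first = der[1]
    if first < 0x80:                           # short form
        length, pos = first, 2
    else:                                      # long form: 0x8n then n length octets
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad length encoding")
        length = int.from_bytes(der[2:2 + n], "big")
        if length < 0x80:
            raise ValueError("non-minimal length encoding")
        pos = 2 + n
    if pos + length != len(der):
        raise ValueError("length does not match available octets")
    return decode_relative_oid_content(der[pos:pos + length])
```

The same shape (bound the per-item window, bound the total, fail on the first violation) is the general fix for "excessive continuation octets" bugs in any BER/DER decoder, not just this one.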
Threat Entry Updated 2026-01-26

CVE-2026-0629 - VIGI C230I Mini Plugin

Authentication bypass in the password recovery feature of the local web interface across multiple VIGI camera models allows an attacker on the LAN to reset the admin password without verification by manipulating client-side state. Attackers can gain full administrative access to the device, compromising configuration and network security.

Severity: HIGH (CVSS 8.7) | 2026-01-16
Threat Entry Updated 2026-02-09

CVE-2026-23523 - Dive Plugin

Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. Prior to 0.13.0, a crafted deeplink can install an attacker-controlled MCP server configuration without sufficient user confirmation, which can lead to arbitrary local command execution on the victim's machine. This vulnerability is fixed in 0.13.0.

Severity: CRITICAL (CVSS 9.6) | 2026-01-16
Threat Entry Updated 2026-01-26

CVE-2026-23529 - Bigquery Connector For Apache Kafka Plugin

Kafka Connect BigQuery Connector is an implementation of a sink connector from Apache Kafka to Google BigQuery. Prior to 2.11.0, there is an arbitrary file read in the Google BigQuery Sink connector. Aiven's Google BigQuery Kafka Connect Sink connector requires Google Cloud credential configurations for authentication to BigQuery services. During connector configuration, users can supply credential JSON files that are processed by Google authentication libraries. The service fails to validate externally-sourced credential configurations before passing them to the authentication libraries. An attacker can exploit this by providing a malicious credential configuration…

Severity: HIGH (CVSS 7.7) | 2026-01-16
Threat Entry Updated 2026-02-10

CVE-2026-0949 - Postgres Enterprise Manager (PEM) Plugin

PEM versions prior to 9.8.1 are affected by a stored Cross-site Scripting (XSS) vulnerability that allows users with access to the Manage Charts menu to inject arbitrary JavaScript when creating a new chart, which is then executed by any user accessing the chart. By default only the superuser and users with pem_admin or pem_super_admin privileges are able to access the Manage Charts menu.

Severity: MEDIUM (CVSS 6.5) | 2026-01-16
Threat Entry Updated 2026-01-26

CVE-2026-23528 - Distributed Plugin

Dask distributed is a distributed task scheduler for Dask. Prior to 2026.1.0, when Jupyter Lab, jupyter-server-proxy, and Dask distributed are all run together, it is possible to craft a URL which will result in code being executed by Jupyter due to a cross-site scripting (XSS) bug in the Dask dashboard. It is possible for attackers to craft a phishing URL that assumes Jupyter Lab and Dask may be running on localhost and using default ports. If a user clicks on the malicious link it will open an error page in the…

Severity: MEDIUM (CVSS 5.3) | 2026-01-16
Threat Entry Updated 2026-02-09

CVE-2026-22782 - Rustfs Plugin

RustFS is a distributed object storage system built in Rust. From 1.0.0-alpha.1 through 1.0.0-alpha.79, an invalidly signed RPC request causes the server to log the shared HMAC secret (and the expected signature), which exposes the secret to anyone who can read the logs and enables forged RPC calls. In crates/ecstore/src/rpc/http_auth.rs, the invalid-signature branch logs sensitive data: the log line includes secret and expected_signature, both derived from the shared HMAC key. Any invalidly signed request triggers this path, and the function is reachable from RPC and admin request handlers. This vulnerability is fixed in 1.0.0-alpha.80.

Severity: LOW (CVSS 2.9) | 2026-01-16
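The RustFS bug is a logging mistake on the failure path, and the failure path is the one an unauthenticated caller controls: sending any badly signed request is enough to get the secret written out. The following is an added example for this page, not RustFS's code, putting the leaky pattern beside a hardened verifier. The hardened version compares in constant time and records only the request identifier and the attacker-chosen value, never the key or the expected MAC. The canonical string, key and request shape are assumptions.

```python
import hashlib
import hmac

# Constructed shared key for the example; never a real deployment value.
SHARED_KEY = b"example-shared-hmac-key-do-not-use"


def sign_rpc(key, method, path, body):
    """Canonical string -> HMAC-SHA256 hex. Both ends of the RPC compute this."""
    msg = b"\n".join([method.encode(), path.encode(), hashlib.sha256(body).hexdigest().encode()])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_rpc_leaky(key, method, path, body, presented, request_id):
    """The anti-pattern: on mismatch the log line carries the key and the expected MAC."""
    expected = sign_rpc(key, method, path, body)
    if expected != presented:                     # also a non-constant-time comparison
        log = (f"rpc auth failed req={request_id} secret={key.hex()} "
               f"expected={expected} got={presented}")
        return False, log
    return True, ""


def verify_rpc(key, method, path, body, presented, request_id):
    """Hardened: constant-time compare; the log line holds only what an operator needs."""
    expected = sign_rpc(key, method, path, body)
    if not isinstance(presented, str) or not hmac.compare_digest(expected, presented):
        # `presented` is attacker-chosen and safe to record (truncated); the key,
        # the expected MAC and anything derived from them stay out of the log.
        shown = presented[:16] if isinstance(presented, str) else "<none>"
        log = f"rpc auth failed req={request_id} method={method} path={path} got={shown}..."
        return False, log
    return True, ""
```

Returning the log line instead of writing it keeps the example testable; in a real handler the same string goes to the logger, and the point is that it is safe to ship to any log reader.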
Threat Entry Updated 2026-01-27

CVE-2026-0695 - PSA Plugin

In ConnectWise PSA versions older than 2026.1, Time Entry notes stored in the Time Entry Audit Trail may be rendered without applying output encoding to certain content. Under specific conditions, this may allow stored script code to execute in the context of a user’s browser when the affected content is displayed.

Severity: HIGH (CVSS 8.7) | 2026-01-16
Threat Entry Updated 2026-01-27

CVE-2026-0696 - PSA Plugin

In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values.

Severity: MEDIUM (CVSS 6.5) | 2026-01-16
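Read together, the two ConnectWise PSA entries are one chain: the stored XSS in CVE-2026-0695 is worth much more to an attacker when the session cookie is readable from script, which is what the missing HttpOnly attribute in CVE-2026-0696 allows. The following is an added example for this page, not ConnectWise code, with a builder that emits a session cookie carrying the expected attributes and an audit function for Set-Cookie headers seen in responses. The cookie name is an assumption.

```python
from http.cookies import SimpleCookie

REQUIRED_SESSION_ATTRS = ("HttpOnly", "Secure", "SameSite")


def build_session_cookie(name, value, samesite="Lax", max_age=3600):
    """Emit a Set-Cookie value with the attributes a session cookie should carry."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["httponly"] = True       # keeps document.cookie (and an XSS payload) away from the value
    morsel["secure"] = True         # never sent over plain HTTP
    morsel["samesite"] = samesite   # limits cross-site sends; "Strict" where the app tolerates it
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    return jar.output(header="").strip()


def audit_set_cookie(header_value, required=REQUIRED_SESSION_ATTRS):
    """Return the required attributes missing from one Set-Cookie header value.

    Attribute names are case-insensitive per RFC 6265, so the comparison is
    done on lower-cased names; the first segment (name=value) is skipped.
    """
    parts = [p.strip() for p in header_value.split(";")[1:]]
    present = {p.split("=", 1)[0].strip().lower() for p in parts if p}
    return [attr for attr in required if attr.lower() not in present]
```

Running `audit_set_cookie` over the Set-Cookie headers of a login response is a one-line check to add to any web scan; HttpOnly does not stop XSS, but it removes cookie theft from what a stored payload can do.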
Threat Entry Updated 2026-01-23

CVE-2026-0616 - TheLibrarian.io Plugin

TheLibrarian's web_fetch tool can be used to retrieve the Adminer interface content, which can then be used to log in to the internal TheLibrarian backend system. The vendor has fixed the vulnerability in all affected versions.

Severity: HIGH (CVSS 7.5) | 2026-01-16
Threat Entry Updated 2026-01-23

CVE-2026-0613 - TheLibrarian.io Plugin

The Librarian contains an internal port-scanning vulnerability via the `web_fetch` tool, which can be used with SSRF-style behavior to perform GET requests to internal IP addresses and services, enabling scanning of the Hetzner cloud environment that TheLibrarian uses. The vendor has fixed the vulnerability in all affected versions.

Severity: HIGH (CVSS 7.5) | 2026-01-16
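Both TheLibrarian entries (CVE-2026-0616 and CVE-2026-0613) come from the same root cause: an LLM tool that fetches whatever URL the model produces, with no check on where the request will actually go. The following is an added example for this page, not TheLibrarian's code, showing the gate a web_fetch tool needs before it opens a connection. It restricts scheme and port, resolves the host, and rejects the target if any resolved address is loopback, private, link-local (including the cloud metadata address), multicast or an IPv4-mapped form of those. The resolver is injectable, and the DNS answers below are constructed so the example runs offline; the host names are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def system_resolver(host):
    """Resolve with the OS resolver; returns every address, v4 and v6."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed answers so the example runs offline; use system_resolver for real traffic.
FAKE_DNS = {
    "public.example": ["93.184.216.34"],
    "internal.example": ["10.0.0.5"],
    "dual.example": ["93.184.216.34", "192.168.1.1"],   # one public and one private answer
}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise OSError(f"unknown host {host}")
    return FAKE_DNS[host]


def _is_public(addr):
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:   # ::ffff:10.0.0.1 -> 10.0.0.1
        ip = ip.ipv4_mapped
    return ip.is_global and not (ip.is_private or ip.is_loopback or ip.is_link_local
                                 or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def vet_fetch_target(url, resolver=system_resolver, allowed_ports=(80, 443)):
    """Return (ok, reason, addresses). On success, connect only to the returned addresses."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed", []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    if parts.username or parts.password:
        return False, "credentials in URL", []
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "unparseable port", []
    if port not in allowed_ports:                     # closes the port-scanning use
        return False, f"port {port} not allowed", []
    try:
        ipaddress.ip_address(host)
        addrs = [host]                                # literal address: nothing to resolve
    except ValueError:
        try:
            addrs = resolver(host)                    # decimal/hex forms like 2130706433 land here too
        except OSError:
            return False, f"cannot resolve {host}", []
    if not addrs:
        return False, f"no addresses for {host}", []
    bad = [a for a in addrs if not _is_public(a)]
    if bad:
        return False, f"{host} resolves to non-public {bad}", addrs
    return True, "ok", addrs
```

Two caveats a practitioner will want. The check is only meaningful if the HTTP client then connects to one of the returned addresses (setting the Host header itself) rather than resolving the name again, otherwise a rebinding DNS answer defeats it; and every redirect hop has to go back through `vet_fetch_target`, since a public host that 302s to the metadata address is the oldest SSRF trick there is.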