Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2026-02-02

CVE-2026-0858 - net.sourceforge.plantuml:plantuml Plugin

Versions of the package net.sourceforge.plantuml:plantuml before 1.2026.0 are vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams. As a result, a crafted PlantUML diagram can inject malicious JavaScript into generated SVG output, leading to arbitrary script execution in the context of applications that render the SVG.

Plugin: net.sourceforge.plantuml:plantuml | CVE-2026-0858 | MEDIUM, CVSS 5.1 | 2026-01-16
Threat Entry Updated 2026-01-16

CVE-2025-15526 - Fancy Product Designer Plugin

The Fancy Product Designer plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 6.4.8. This is due to improper error handling in the PDF upload functionality that exposes server filesystem paths and stack traces in error messages. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.

Plugin: Fancy Product Designer | CVE-2025-15526 | MEDIUM, CVSS 5.3 | 2026-01-16
Threat Entry Updated 2026-01-16

CVE-2025-15527 - Wp Recipe Maker Plugin

The WP Recipe Maker plugin for WordPress is vulnerable to Information Exposure in versions up to, and including, 10.2.2 via the api_get_post_summary function due to insufficient restrictions on which posts can be retrieved. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from posts they may not be able to edit or read otherwise. This also affects password protected, private, or draft posts that they should not have access to.

Plugin: Wp Recipe Maker | CVE-2025-15527 | MEDIUM, CVSS 4.3 | 2026-01-16
Threat Entry Updated 2026-01-16

CVE-2025-15370 - And Prevents Security Breaches Plugin

The Shield: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 21.0.9 via the MfaGoogleAuthToggle class due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disable Google Authenticator for any user.

Plugin: And Prevents Security Breaches | CVE-2025-15370 | MEDIUM, CVSS 4.3 | 2026-01-16
Threat Entry Updated 2026-01-16

CVE-2025-14982 - Booking Calendar Plugin

The Booking Calendar plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Exposure in all versions up to, and including, 10.14.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view all booking records in the database, including personally identifiable information (PII) such as names, email addresses, phone numbers, physical addresses, payment status, booking costs, and booking hashes belonging to other users.

Plugin: Booking Calendar | CVE-2025-14982 | MEDIUM, CVSS 4.3 | 2026-01-16
Threat Entry Updated 2026-01-16

CVE-2025-14384 - Increase Traffic Plugin

The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `/aioseo/v1/ai/credits` REST route in all versions up to, and including, 4.9.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to disclose the global AI access token.

Plugin: Increase Traffic | CVE-2025-14384 | MEDIUM, CVSS 4.3 | 2026-01-16
Threat Entry Updated 2026-01-16

CVE-2025-12957 - All In One Video Gallery Plugin

The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.5.7. This is due to insufficient file type validation when detecting VTT files, which allows double-extension files to bypass sanitization while still being accepted as valid VTT files. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible.

Plugin: All In One Video Gallery | CVE-2025-12957 | HIGH, CVSS 8.8 | 2026-01-16
Threat Entry Updated 2026-01-16

CVE-2025-12641 - Awesome Support Plugin

The Awesome Support - WordPress HelpDesk & Support Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in all versions up to, and including, 6.3.6. This is due to the 'wpas_do_mr_activate_user' function not verifying that a user has permission to modify other users' roles, combined with a nonce reuse vulnerability where public registration nonces are valid for privileged actions because all actions share the same nonce namespace. This makes it possible for unauthenticated attackers to demote administrators to low-privilege roles via the 'wpas-do=mr_activate_user' action with a…

Plugin: Awesome Support | CVE-2025-12641 | MEDIUM, CVSS 6.5 | 2026-01-16
Threat Entry Updated 2026-01-23

CVE-2026-1023 - Statistics Database System Plugin

Statistics Database System developed by Gotac has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly exploit a specific functionality to query database contents.

Plugin: Statistics Database System | CVE-2026-1023 | HIGH, CVSS 8.7 | 2026-01-16
Threat Entry Updated 2026-01-23

CVE-2026-1022 - Statistics Database System Plugin

Statistics Database System developed by Gotac has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files.

Plugin: Statistics Database System | CVE-2026-1022 | HIGH, CVSS 8.7 | 2026-01-16
Threat Entry Updated 2026-01-23

CVE-2026-1021 - Police Statistics Database System Plugin

Police Statistics Database System developed by Gotac has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.

Plugin: Police Statistics Database System | CVE-2026-1021 | CRITICAL, CVSS 9.3 | 2026-01-16
Threat Entry Updated 2026-01-23

CVE-2026-1019 - Police Statistics Database System Plugin

Police Statistics Database System developed by Gotac has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read, modify, and delete database contents by using a specific functionality.

Plugin: Police Statistics Database System | CVE-2026-1019 | CRITICAL, CVSS 9.3 | 2026-01-16
Threat Entry Updated 2026-01-23

CVE-2026-1011 - Altium Live Plugin

A stored cross-site scripting (XSS) vulnerability exists in the Altium Support Center AddComment endpoint due to missing server-side input sanitization. Although the client interface applies HTML escaping, the backend accepts and stores arbitrary HTML and JavaScript supplied via modified POST requests. The injected content is rendered verbatim when support cases are viewed by other users, including support staff with elevated privileges, allowing execution of arbitrary JavaScript in the victim’s browser context.

Plugin: Altium Live | CVE-2026-1011 | MEDIUM, CVSS 6.1 | 2026-01-16
Threat Entry Updated 2026-01-21

CVE-2026-22863 - Deno Plugin

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.6.0, node:crypto doesn't finalize the cipher. The vulnerability allows an attacker to perform an unbounded number of encryptions, which enables naive brute-force attempts as well as more refined attacks aimed at learning the server's secrets. This vulnerability is fixed in 2.6.0.

Plugin: Deno | CVE-2026-22863 | CRITICAL, CVSS 9.2 | 2026-01-15
Threat Entry Updated 2026-01-23

CVE-2026-1009 - Altium Live Plugin

A stored cross-site scripting (XSS) vulnerability exists in the Altium Forum due to missing server-side input sanitization in forum post content. An authenticated attacker can inject arbitrary JavaScript into forum posts, which is stored and executed when other users view the affected post. Successful exploitation allows the attacker’s payload to execute in the context of the victim’s authenticated Altium 365 session, enabling unauthorized access to workspace data, including design files and workspace settings. Exploitation requires user interaction to view a malicious forum post.

Plugin: Altium Live | CVE-2026-1009 | CRITICAL, CVSS 9.0 | 2026-01-15
Threat Entry Updated 2026-01-21

CVE-2026-22864 - Deno Plugin

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.5.6, a prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path’s extension matched .bat or .cmd. That check performs a case-sensitive comparison against lowercase literals and therefore can be bypassed when the extension uses alternate casing (for example .BAT, .Bat, etc.). This vulnerability is fixed in 2.5.6.

Plugin: Deno | CVE-2026-22864 | HIGH, CVSS 8.1 | 2026-01-15
Threat Entry Updated 2026-01-23

CVE-2026-1010 - Altium Enterprise Server Plugin

A stored cross-site scripting (XSS) vulnerability exists in the Altium Workflow Engine due to missing server-side input sanitization in workflow form submission APIs. A regular authenticated user can inject arbitrary JavaScript into workflow data. When an administrator views the affected workflow, the injected payload executes in the administrator’s browser context, allowing privilege escalation, including creation of new administrator accounts, session token theft, and execution of administrative actions.

Plugin: Altium Enterprise Server | CVE-2026-1010 | HIGH, CVSS 8.0 | 2026-01-15
Threat Entry Updated 2026-01-23

CVE-2026-22045 - Traefik Plugin

Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 and 3.6.7, there is a potential vulnerability in Traefik's automatic generation of ACME TLS certificates: when the ACME TLS challenge is enabled, the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up goroutines and file descriptors indefinitely. A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, then stop responding, leading to denial of service of the entry point. The vulnerability is fixed in 2.11.35 and 3.6.7.

Plugin: Traefik | CVE-2026-22045 | MEDIUM, CVSS 5.9 | 2026-01-15