
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,024 | Critical: 923 | High: 3,044 | Medium: 10,857

Showing 1701-1720 of 15,024 records
Threat Entry Updated 2026-01-23

CVE-2026-22909 - TDC-X401GL Plugin

Certain system functions may be accessed without proper authorization, allowing attackers to start, stop, or delete installed applications, potentially disrupting system operations.

PLUGIN TDC-X401GL

CVE-2026-22909

HIGH CVSS 7.5 2026-01-15
Threat Entry Updated 2026-01-23

CVE-2026-22911 - TDC-X401GL Plugin

Firmware update files may expose password hashes for system accounts, which could allow a remote attacker to recover credentials and gain unauthorized access to the device.

PLUGIN TDC-X401GL

CVE-2026-22911

MEDIUM CVSS 5.3 2026-01-15
Threat Entry Updated 2026-01-23

CVE-2026-22912 - TDC-X401GL Plugin

Improper validation of a login parameter may allow attackers to redirect users to malicious websites after authentication. This can lead to various risks, including stealing credentials from unsuspecting users.

PLUGIN TDC-X401GL

CVE-2026-22912

MEDIUM CVSS 4.3 2026-01-15
Threat Entry Updated 2026-01-16

CVE-2026-0976 - Red Hat Build of Keycloak Plugin

A flaw was found in Keycloak. This improper input validation vulnerability occurs because Keycloak accepts RFC-compliant matrix parameters in URL path segments, while common reverse proxy configurations may ignore or mishandle them. A remote attacker can craft requests to mask path segments, potentially bypassing proxy-level path filtering. This could expose administrative or sensitive endpoints that operators believe are not externally reachable.

PLUGIN Red Hat Build of Keycloak

CVE-2026-0976

LOW CVSS 3.7 2026-01-15
Threat Entry Updated 2026-01-23

CVE-2025-14457 - Drag And Drop Multiple File Upload For Contact Form 7 Plugin

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing ownership check in the dnd_codedropz_upload_delete() function in all versions up to, and including, 1.3.9.2. This makes it possible for unauthenticated attackers to delete arbitrary uploaded files when the "Send attachments as links" setting is enabled.

PLUGIN Drag And Drop Multiple File Upload For Contact Form 7

CVE-2025-14457

LOW CVSS 3.7 2026-01-15
Threat Entry Updated 2026-02-24

CVE-2025-14448 - Wp Members Membership Plugin

The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Multiple Checkbox and Multiple Select user profile fields in all versions up to, and including, 3.5.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Members Membership

CVE-2025-14448

MEDIUM CVSS 5.4 2026-01-15
Threat Entry Updated 2026-01-16

CVE-2026-0421 - ThinkPad L13 Gen 6 2 in 1 BIOS Plugin

A potential vulnerability was reported in the BIOS of L13 Gen 6, L13 Gen 6 2-in-1, L14 Gen 6, and L16 Gen 2 ThinkPads which could result in Secure Boot being disabled even when configured as “On” in the BIOS setup menu. This issue only affects systems where Secure Boot is set to User Mode.

PLUGIN ThinkPad L13 Gen 6 2 in 1 BIOS

CVE-2026-0421

HIGH CVSS 7.0 2026-01-14
Threat Entry Updated 2026-01-16

CVE-2026-0600 - Nexus Repository Plugin

Server-Side Request Forgery (SSRF) vulnerability in Sonatype Nexus Repository 3 versions 3.0.0 and later allows authenticated administrators to configure proxy repositories with URLs that can access unintended network destinations, potentially including cloud metadata services and internal network resources. A workaround configuration is available starting in version 3.88.0, but the product remains vulnerable by default.

PLUGIN Nexus Repository

CVE-2026-0600

MEDIUM CVSS 6.2 2026-01-14
Threat Entry Updated 2026-01-16

CVE-2025-12166 - Simply Schedule Appointments Booking Plugin

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection via the `order` and `append_where_sql` parameters in all versions up to, and including, 1.6.9.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Simply Schedule Appointments Booking

CVE-2025-12166

HIGH CVSS 7.5 2026-01-14
Threat Entry Updated 2026-01-16

CVE-2026-0601 - Nexus Repository Plugin

A reflected cross-site scripting vulnerability exists in Nexus Repository 3 that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser through a specially crafted request requiring user interaction.

PLUGIN Nexus Repository

CVE-2026-0601

MEDIUM CVSS 5.1 2026-01-14
Threat Entry Updated 2026-02-03

CVE-2026-23512 - Sumatrapdf Plugin

SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, there is an Untrusted Search Path vulnerability when the Advanced Options setting is triggered. The application executes notepad.exe without specifying an absolute path when using the Advanced Options setting. On Windows, this allows execution of a malicious notepad.exe placed in the application's installation directory, leading to arbitrary code execution.

PLUGIN Sumatrapdf

CVE-2026-23512

HIGH CVSS 8.6 2026-01-14
Threat Entry Updated 2026-02-03

CVE-2026-0861 - Glibc Plugin

Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in heap corruption. Note that the attacker must have control over both the size and the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for…

PLUGIN Glibc

CVE-2026-0861

HIGH CVSS 8.4 2026-01-14
Threat Entry Updated 2026-01-20

CVE-2026-23492 - Pimcore Plugin

Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, an incomplete SQL injection patch in the Admin Search Find API allows an authenticated attacker to perform blind SQL injection. Although CVE-2023-30848 attempted to mitigate SQL injection by removing SQL comments (--) and catching syntax errors, the fix is insufficient. Attackers can still inject SQL payloads that do not rely on comments and infer database information via blind techniques. This vulnerability affects the admin interface and can lead to database information disclosure. This vulnerability is…

PLUGIN Pimcore

CVE-2026-23492

HIGH CVSS 8.8 2026-01-14
Threat Entry Updated 2026-01-28

CVE-2026-23498 - Shopware Plugin

Shopware is an open commerce platform. From 6.7.0.0 to before 6.7.6.1, a regression of CVE-2023-2017 leads to an array and a crafted PHP Closure not being checked against the allow list for the map(...) override. This vulnerability is fixed in 6.7.6.1.

PLUGIN Shopware

CVE-2026-23498

HIGH CVSS 7.2 2026-01-14
Threat Entry Updated 2026-01-16

CVE-2026-23497 - Lms Plugin

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In 2.44.0 and earlier, there is a stored XSS vulnerability where a specially crafted image filename could execute malicious JavaScript when rendered on course or jobs pages.

PLUGIN Lms

CVE-2026-23497

LOW CVSS 1.3 2026-01-14
Threat Entry Updated 2026-01-26

CVE-2026-23477 - Rocket.Chat Plugin

Rocket.Chat is an open-source, secure, fully customizable communications platform. In Rocket.Chat versions up to 6.12.0, the API endpoint GET /api/v1/oauth-apps.get is exposed to any authenticated user, regardless of their role or permissions. This endpoint returns an OAuth application, as long as the user knows its ID, including potentially sensitive fields such as client_id and client_secret. This vulnerability is fixed in 6.12.0.

PLUGIN Rocket.Chat

CVE-2026-23477

HIGH CVSS 7.7 2026-01-14