"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,024
Critical: 923
High: 3,044
Medium: 10,857
Showing 1781-1800 of 15024 records
Threat Entry Updated 2026-01-14

CVE-2025-14389 - Wpblogsync Plugin

The WPBlogSyn plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the plugin's remote sync settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Wpblogsync

CVE-2025-14389

MEDIUM CVSS 4.3 2026-01-14
Threat Entry Updated 2026-01-14

CVE-2025-14301 - Woosa Ai For Woocommerce Plugin

The Integration Opvius AI for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.0. This is due to the `process_table_bulk_actions()` function processing user-supplied file paths without authentication checks, nonce verification, or path validation. This makes it possible for unauthenticated attackers to delete or download arbitrary files on the server via the `wsaw-log[]` POST parameter, which can be leveraged to delete critical files like `wp-config.php` or read sensitive configuration files.

PLUGIN Woosa Ai For Woocommerce

CVE-2025-14301

CRITICAL CVSS 9.8 2026-01-14
Threat Entry Updated 2026-01-14

CVE-2025-13627 - Makesweat Plugin

The Makesweat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'makesweat_clubid' setting in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Makesweat

CVE-2025-13627

MEDIUM CVSS 4.4 2026-01-14
Threat Entry Updated 2026-01-14

CVE-2025-12178 - Spiceforms Form Builder Plugin

The SpiceForms Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'spiceforms' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Spiceforms Form Builder

CVE-2025-12178

MEDIUM CVSS 6.4 2026-01-14
Threat Entry Updated 2026-02-24

CVE-2026-22686 - Enclave Plugin

Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.7.0, there is a critical sandbox escape vulnerability in enclave-vm that allows untrusted, sandboxed JavaScript code to execute arbitrary code in the host Node.js runtime. When a tool invocation fails, enclave-vm exposes a host-side Error object to sandboxed code. This Error object retains its host realm prototype chain, which can be traversed to reach the host Function constructor. An attacker can intentionally trigger a host error, then climb the prototype chain. Using the host Function…

PLUGIN Enclave

CVE-2026-22686

CRITICAL CVSS 10.0 2026-01-14
Threat Entry Updated 2026-01-14

CVE-2026-0716 - Red Hat Enterprise Linux 10 Plugin

A flaw was found in libsoup’s WebSocket frame processing when handling incoming messages. If a non-default configuration is used where the maximum incoming payload size is unset, the library may read memory outside the intended bounds. This can cause unintended memory exposure or a crash. Applications using libsoup’s WebSocket support with this configuration may be impacted.

PLUGIN Red Hat Enterprise Linux 10

CVE-2026-0716

MEDIUM CVSS 4.8 2026-01-13
Threat Entry Updated 2026-02-03

CVE-2026-23478 - cal.com Plugin

Cal.com is open-source scheduling software. From 3.1.6 to before 6.0.7, there is a vulnerability in a custom NextAuth JWT callback that allows attackers to gain full authenticated access to any user's account by supplying a target email address via session.update(). This vulnerability is fixed in 6.0.7.

PLUGIN cal.com

CVE-2026-23478

CRITICAL CVSS 10.0 2026-01-13
Threat Entry Updated 2026-01-21

CVE-2026-22871 - Guarddog Plugin

GuardDog is a CLI tool to identify malicious PyPI packages. Prior to 2.7.1, a path traversal vulnerability exists in GuardDog's safe_extract() function that allows malicious PyPI packages to write arbitrary files outside the intended extraction directory, leading to Arbitrary File Overwrite and Remote Code Execution on systems running GuardDog. This vulnerability is fixed in 2.7.1.

PLUGIN Guarddog

CVE-2026-22871

HIGH CVSS 8.7 2026-01-13
Threat Entry Updated 2026-01-21

CVE-2026-22870 - Guarddog Plugin

GuardDog is a CLI tool to identify malicious PyPI packages. Prior to 2.7.1, GuardDog's safe_extract() function does not validate decompressed file sizes when extracting ZIP archives (wheels, eggs), allowing attackers to cause denial of service through zip bombs. A malicious package can consume gigabytes of disk space from a few megabytes of compressed data. This vulnerability is fixed in 2.7.1.

PLUGIN Guarddog

CVE-2026-22870

HIGH CVSS 7.1 2026-01-13
Threat Entry Updated 2026-01-29

CVE-2026-22869 - Eigent Plugin

Eigent is a multi-agent Workforce. A critical security vulnerability in the CI workflow (.github/workflows/ci.yml) allows arbitrary code execution from fork pull requests with repository write permissions. The vulnerable workflow uses pull_request_target trigger combined with checkout of untrusted PR code. An attacker can exploit this to steal credentials, post comments, push code, or create releases.

PLUGIN Eigent

CVE-2026-22869

HIGH CVSS 8.9 2026-01-13
Threat Entry Updated 2026-01-16

CVE-2026-22861 - iccDEV Plugin

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Prior to 2.3.1.2, there is a heap-based buffer overflow in SIccCalcOp::Describe() at IccProfLib/IccMpeCalc.cpp. This vulnerability affects users of the iccDEV library who process ICC color profiles. The vulnerability is fixed in 2.3.1.2.

PLUGIN iccDEV

CVE-2026-22861

HIGH CVSS 8.8 2026-01-13
Threat Entry Updated 2026-01-29

CVE-2026-22868 - Go Ethereum Plugin

go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shut down/crash using a specially crafted message. This vulnerability is fixed in 1.16.8.

PLUGIN Go Ethereum

CVE-2026-22868

HIGH CVSS 7.1 2026-01-13
Threat Entry Updated 2026-01-29

CVE-2026-22862 - Go Ethereum Plugin

go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shut down/crash using a specially crafted message. This vulnerability is fixed in 1.16.8.

PLUGIN Go Ethereum

CVE-2026-22862

HIGH CVSS 7.1 2026-01-13
Threat Entry Updated 2026-01-14

CVE-2026-21303 - Substance3D - Modeler Plugin

Substance3D - Modeler versions 1.22.4 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

PLUGIN Substance3D - Modeler

CVE-2026-21303

MEDIUM CVSS 5.5 2026-01-13
Threat Entry Updated 2026-01-14

CVE-2026-21299 - Substance3D - Modeler Plugin

Substance3D - Modeler versions 1.22.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

PLUGIN Substance3D - Modeler

CVE-2026-21299

HIGH CVSS 7.8 2026-01-13
Threat Entry Updated 2026-01-14

CVE-2026-21298 - Substance3D - Modeler Plugin

Substance3D - Modeler versions 1.22.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

PLUGIN Substance3D - Modeler

CVE-2026-21298

HIGH CVSS 7.8 2026-01-13
Threat Entry Updated 2026-01-14

CVE-2026-21302 - Substance3D - Modeler Plugin

Substance3D - Modeler versions 1.22.4 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

PLUGIN Substance3D - Modeler

CVE-2026-21302

MEDIUM CVSS 5.5 2026-01-13
Threat Entry Updated 2026-01-14

CVE-2026-21301 - Substance3D - Modeler Plugin

Substance3D - Modeler versions 1.22.4 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

PLUGIN Substance3D - Modeler

CVE-2026-21301

MEDIUM CVSS 5.5 2026-01-13
Threat Entry Updated 2026-01-14

CVE-2026-21300 - Substance3D - Modeler Plugin

Substance3D - Modeler versions 1.22.4 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

PLUGIN Substance3D - Modeler

CVE-2026-21300

MEDIUM CVSS 5.5 2026-01-13