What's happening in cyber, in plain English
We pull from NCSC, CISA, Have I Been Pwned and the NVD every six hours, then summarise each item into what it is, who it affects, and what you can do about it.
- Critical · CVE · NVD — high/critical CVEs (rolling 7d) · 14 Apr 2026 · summary pending
  CVE-2026-35031 — Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the subtitle upload endpoint (POST /Videos/{itemId}/Subtitles), where the Format field is not validated, allowing path traversal via the file extens
- Critical · CVE · NVD — high/critical CVEs (rolling 7d) · 10 Apr 2026 · summary pending
  CVE-2026-32892 — Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an OS Command Injection vulnerability in the file move function. The move() function in fileManage.lib.php passes user-controlled path values directly into exec(
- Critical · CVE · NVD — high/critical CVEs (rolling 7d) · 9 Apr 2026 · summary pending
  CVE-2026-39980 — OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.9.5, the safeEjs.ts file does not properly sanitize EJS templates. Users with the Manage customization capability can run arbitrary JavaScript in th
- Critical · CVE · NVD — high/critical CVEs (rolling 7d) · 8 Apr 2026 · summary pending
  CVE-2026-39860 — Nix is a package manager for Linux and other Unix systems. A bug in the fix for CVE-2024-27297 allowed for arbitrary overwrites of files writable by the Nix process orchestrating the builds (typically the Nix daemon running as root in multi-user installations)
- Critical · CVE · NVD — high/critical CVEs (rolling 7d) · 7 Apr 2026 · summary pending
  CVE-2026-39847 — Emmett is a full-stack Python web framework designed with simplicity. From 2.5.0 to before 2.8.1, the RSGI static handler for Emmett's internal assets (/__emmett__ paths) is vulnerable to path traversal attacks. An attacker can use ../ sequences (e.g. /__emmett_
- Critical · CVE · NVD — high/critical CVEs (rolling 7d) · 6 Apr 2026 · summary pending
  CVE-2026-35050 — text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.1.1, users can save extension settings in "py" format and in the app root directory. This allows overwriting Python files, for instance the "download-model.py"
- Critical · CVE · NVD — high/critical CVEs (rolling 7d) · 3 Apr 2026 · summary pending
  CVE-2026-28766 — A specific endpoint exposes all user account information for registered Gardyn users without requiring authentication.
- Critical · CVE · NVD — high/critical CVEs (rolling 7d) · 3 Apr 2026 · summary pending
  CVE-2026-25197 — A specific endpoint allows authenticated users to pivot to other user profiles by modifying the id number in the API call.
- Critical · CVE · NVD — high/critical CVEs (rolling 7d) · 2 Apr 2026 · summary pending
  CVE-2026-34717 — OpenProject is an open-source, web-based project management software. Prior to version 17.2.3, the =n operator in modules/reporting/lib/report/operator.rb:177 embeds user input directly into SQL WHERE clauses without parameterization. This issue has been patch
- Critical · CVE · NVD — high/critical CVEs (rolling 7d) · 2 Apr 2026 · summary pending
  CVE-2026-2701 — An authenticated user can upload a malicious file to the server and execute it, which leads to remote code execution.
- Critical · CVE · NVD — high/critical CVEs (rolling 7d) · 21 Mar 2026 · summary pending
  CVE-2019-25568 — Memu Play 6.0.7 contains an insecure file permissions vulnerability that allows low-privilege users to escalate privileges by replacing the MemuService.exe executable. Attackers can rename and overwrite MemuService.exe in the installation directory with a mali
- Critical · CVE · NVD — high/critical CVEs (rolling 7d) · 9 Sept 2025 · summary pending
  CVE-2025-47579 — Deserialization of Untrusted Data vulnerability in ThemeGoods Photography photography allows Object Injection. This issue affects Photography: from n/a through <= 7.7.2.
- Critical · CVE · NVD — high/critical CVEs (rolling 7d) · 20 Aug 2025 · summary pending
  CVE-2025-54677 — Unrestricted Upload of File with Dangerous Type vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita allows Using Malicious Files. This issue affects Online Booking & Scheduling Calendar for WordPress by
- Critical · CVE · NVD — high/critical CVEs (rolling 7d) · 17 Jun 2025 · summary pending
  CVE-2025-48274 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpjobportal WP Job Portal wp-job-portal allows Blind SQL Injection. This issue affects WP Job Portal: from n/a through <= 2.3.2.
- Critical · CVE · NVD — high/critical CVEs (rolling 7d) · 23 May 2025 · summary pending
  CVE-2025-47658 — Unrestricted Upload of File with Dangerous Type vulnerability in ELEXtensions ELEX WordPress HelpDesk & Customer Ticketing System elex-helpdesk-customer-support-ticket-system allows Upload a Web Shell to a Web Server. This issue affects ELEX WordPress HelpDesk
- Critical · CVE · NVD — high/critical CVEs (rolling 7d) · 7 May 2025 · summary pending
  CVE-2025-47549 — Unrestricted Upload of File with Dangerous Type vulnerability in Themefic BEAF beaf-before-and-after-gallery allows Upload a Web Shell to a Web Server. This issue affects BEAF: from n/a through <= 4.6.10.
- Critical · CVE · NVD — high/critical CVEs (rolling 7d) · 3 Mar 2025 · summary pending
  CVE-2025-26988 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozy Vision SMS Alert Order Notifications sms-alert allows SQL Injection. This issue affects SMS Alert Order Notifications: from n/a through <= 3.7.8.
- Critical · CVE · NVD — high/critical CVEs (rolling 7d) · 18 Dec 2024 · summary pending
  CVE-2024-56057 — Unrestricted Upload of File with Dangerous Type vulnerability in VibeThemes WPLMS wplms_plugin allows Upload a Web Shell to a Web Server. This issue affects WPLMS: from n/a through < 1.9.9.5.2.
- Critical · CVE · NVD — high/critical CVEs (rolling 7d) · 18 Dec 2024 · summary pending
  CVE-2024-56054 — Unrestricted Upload of File with Dangerous Type vulnerability in VibeThemes WPLMS wplms_plugin allows Upload a Web Shell to a Web Server. This issue affects WPLMS: from n/a through < 1.9.9.5.2.
- Critical · CVE · NVD — high/critical CVEs (rolling 7d) · 18 Dec 2024 · summary pending
  CVE-2024-56052 — Unrestricted Upload of File with Dangerous Type vulnerability in VibeThemes WPLMS wplms_plugin allows Upload a Web Shell to a Web Server. This issue affects WPLMS: from n/a through < 1.9.9.5.2.
- Critical · CVE · NVD — high/critical CVEs (rolling 7d) · 18 Dec 2024 · summary pending
  CVE-2024-56050 — Unrestricted Upload of File with Dangerous Type vulnerability in VibeThemes WPLMS wplms_plugin allows Upload a Web Shell to a Web Server. This issue affects WPLMS: from n/a through < 1.9.9.5.3.
- Critical · CVE · NVD — high/critical CVEs (rolling 7d) · 18 Nov 2024 · summary pending
  CVE-2024-52429 — Unrestricted Upload of File with Dangerous Type vulnerability in AntonHoelstad WP Quick Setup wp-quick-setup allows Upload a Web Shell to a Web Server. This issue affects WP Quick Setup: from n/a through <= 2.0.
- Critical · CVE · NVD — high/critical CVEs (rolling 7d) · 18 Nov 2024 · summary pending
  CVE-2024-52427 — Deserialization of Untrusted Data vulnerability in Vollstart Event Tickets with Ticket Scanner event-tickets-with-ticket-scanner allows Server Side Include (SSI) Injection. This issue affects Event Tickets with Ticket Scanner: from n/a through <= 2.3.11.
- Critical · CVE · NVD — high/critical CVEs (rolling 7d) · 14 Nov 2024 · summary pending
  CVE-2024-52393 — Deserialization of Untrusted Data vulnerability in Eric Teubert Podlove Podcast Publisher podlove-podcasting-plugin-for-wordpress. This issue affects Podlove Podcast Publisher: from n/a through <= 4.1.15.
- Critical · CVE · NVD — high/critical CVEs (rolling 7d) · 4 Nov 2024 · summary pending
  CVE-2024-50530 — Unrestricted Upload of File with Dangerous Type vulnerability in Myriad Solutionz Stars SMTP Mailer stars-smtp-mailer allows Upload a Web Shell to a Web Server. This issue affects Stars SMTP Mailer: from n/a through <= 2.2.1.
- Critical · CVE · NVD — high/critical CVEs (rolling 7d) · 4 Nov 2024 · summary pending
  CVE-2024-50529 — Unrestricted Upload of File with Dangerous Type vulnerability in rudrainn Training – Courses training allows Upload a Web Shell to a Web Server. This issue affects Training – Courses: from n/a through <= 2.0.1.
- Critical · CVE · NVD — high/critical CVEs (rolling 7d) · 4 Nov 2024 · summary pending
  CVE-2024-51661 — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in David Lingren Media Library Assistant media-library-assistant allows Command Injection. This issue affects Media Library Assistant: from n/a through <= 3
- Critical · CVE · NVD — high/critical CVEs (rolling 7d) · 20 Oct 2024 · summary pending
  CVE-2024-49331 — Unrestricted Upload of File with Dangerous Type vulnerability in Myriad Solutionz Property Lot Management System plms allows Upload a Web Shell to a Web Server. This issue affects Property Lot Management System: from n/a through <= 4.2.38.
- Critical · CVE · NVD — high/critical CVEs (rolling 7d) · 16 Oct 2024 · summary pending
  CVE-2024-49271 — Deserialization of Untrusted Data vulnerability in Unlimited Elements Unlimited Elements For Elementor (Free Widgets, Addons, Templates) unlimited-elements-for-elementor allows Command Injection. This issue affects Unlimited Elements For Elementor (Free Widgets
- Critical · CVE · NVD — high/critical CVEs (rolling 7d) · 29 Aug 2024 · summary pending
  CVE-2024-43955 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Themeum Droip droip allows Path Traversal. This issue affects Droip: from n/a through < 2.5.2.
Sources are pulled directly from each provider's public feed and never modified. AI summaries are produced for plain-English readability and are clearly labelled — always follow the source link for the authoritative advisory.