Lucene search
+L

20242 matches found

Vulnrichment
Vulnrichment
added 2026/07/06 9:0 p.m.8 views

CVE-2026-59711 showdown - Cross-Site Scripting via Unescaped Metadata Title in completeHTMLDocument

showdown contains a cross-site scripting vulnerability in metadata title handling that allows attackers to inject arbitrary HTML and JavaScript. When completeHTMLDocument option is enabled, unescaped less-than and greater-than characters in markdown frontmatter metadata are inserted directly into...

6.1CVSS6AI score0.00187EPSS
Exploits0References3
NVD
NVD
added 2026/07/06 8:16 p.m.10 views

CVE-2026-58402

Hugo is a static site generator. From 0.60.0 until 0.163.3, Hugo's default code-block renderer wrote the Markdown code-fence language or info-string into the code class="language-…" data-lang="…" wrapper without HTML escaping. A fence info-string containing a quote and a script payload breaks out...

5.4CVSS0.00172EPSS
Exploits0References4
OSV
OSV
added 2026/07/06 8:16 p.m.6 views

DEBIAN-CVE-2026-58402

Hugo is a static site generator. From 0.60.0 until 0.163.3, Hugo's default code-block renderer wrote the Markdown code-fence language or info-string into the code class="language-…" data-lang="…" wrapper without HTML escaping. A fence info-string containing a quote and a script payload breaks out...

5.4CVSS5.8AI score0.00172EPSS
Exploits0References1
Debian CVE
Debian CVE
added 2026/07/06 7:19 p.m.10 views

CVE-2026-58402

Hugo is a static site generator. From 0.60.0 until 0.163.3, Hugo's default code-block renderer wrote the Markdown code-fence language or info-string into the code class="language-…" data-lang="…" wrapper without HTML escaping. A fence info-string containing a quote and a script payload breaks out...

5.4CVSS5.8AI score0.00172EPSS
Exploits0
ATTACKERKB
ATTACKERKB
added 2026/07/06 7:19 p.m.8 views

CVE-2026-58402

Hugo is a static site generator. From 0.60.0 until 0.163.3, Hugo's default code-block renderer wrote the Markdown code-fence language or info-string into the code class="language-…" data-lang="…" wrapper without HTML escaping. A fence info-string containing a quote and a script payload breaks out...

5.1CVSS5.8AI score0.00172EPSS
Exploits0References5Affected Software1
EUVD
EUVD
added 2026/07/06 7:19 p.m.6 views

EUVD-2026-41904

Hugo is a static site generator. From 0.60.0 until 0.163.3, Hugo's default code-block renderer wrote the Markdown code-fence language or info-string into the code class="language-…" data-lang="…" wrapper without HTML escaping. A fence info-string containing a quote and a script payload breaks out...

5.1CVSS5.8AI score0.00172EPSS
Exploits0References4
OSV
OSV
added 2026/07/06 7:19 p.m.5 views

CVE-2026-58402 Hugo default code block renderer XSS via unescaped code-fence language

Hugo is a static site generator. From 0.60.0 until 0.163.3, Hugo's default code-block renderer wrote the Markdown code-fence language or info-string into the code class="language-…" data-lang="…" wrapper without HTML escaping. A fence info-string containing a quote and a script payload breaks out...

5.1CVSS5.9AI score0.00172EPSS
Exploits0References6
AlpineLinux
AlpineLinux
added 2026/07/06 7:19 p.m.9 views

CVE-2026-58402

Hugo is a static site generator. From 0.60.0 until 0.163.3, Hugo's default code-block renderer wrote the Markdown code-fence language or info-string into the code class="language-…" data-lang="…" wrapper without HTML escaping. A fence info-string containing a quote and a script payload breaks out...

5.4CVSS5.9AI score0.00172EPSS
Exploits0References4
NVD
NVD
added 2026/07/06 8:16 a.m.11 views

CVE-2026-11855

The Simple Membership WordPress plugin before 4.7.5 does not verify the authenticity of Stripe webhook requests when no signing secret is configured, nor escape a value taken from them before outputting it in an administrator notice, allowing unauthenticated attackers to inject arbitrary web...

8.8CVSS0.00301EPSS
Exploits0References1
EUVD
EUVD
added 2026/07/06 6:0 a.m.6 views

EUVD-2026-41820

The Simple Membership WordPress plugin before 4.7.5 does not verify the authenticity of Stripe webhook requests when no signing secret is configured, nor escape a value taken from them before outputting it in an administrator notice, allowing unauthenticated attackers to inject arbitrary web...

8.8CVSS6.1AI score0.00301EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/07/06 6:0 a.m.6 views

CVE-2026-11855

The Simple Membership WordPress plugin before 4.7.5 does not verify the authenticity of Stripe webhook requests when no signing secret is configured, nor escape a value taken from them before outputting it in an administrator notice, allowing unauthenticated attackers to inject arbitrary web...

8.8CVSS6.1AI score0.00301EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/07/03 7:7 a.m.10 views

CVE-2026-58038

A flaw was found in the Wikimedia Foundation Timeline component. This cross-site scripting XSS vulnerability allows a remote attacker to inject malicious scripts into web pages. Successful exploitation could lead to significant impacts such as information disclosure, session hijacking, or...

6.1CVSS5.7AI score0.00169EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/07/03 6:50 a.m.7 views

CVE-2026-9148

The Comments – wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the guest commenter 'Website' field in versions up to, and including, 7.6.56 This is due to insufficient output escaping in the getCommentAuthor function, which interpolates the stored commentauthorurl...

7.2CVSS6.1AI score0.00305EPSS
Exploits0References12
NVD
NVD
added 2026/07/03 6:16 a.m.9 views

CVE-2026-9626

The JSON API User plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'content' parameter of the postcomment API endpoint in versions up to, and including, 4.1.0 This is due to insufficient input sanitization in the postcomment function, which passes the attacker-controlled...

6.4CVSS0.00228EPSS
Exploits0References6
CVE
CVE
added 2026/07/03 4:30 a.m.22 views

CVE-2026-9626

The CVE-2026-9626 entry concerns the WordPress JSON API User plugin (

6.4CVSS5.9AI score0.00228EPSS
Exploits0References6
CVE
CVE
added 2026/07/03 4:30 a.m.23 views

CVE-2026-8489

The CVE-2026-8489 case involves the WordPress plugin Ultimate Member (User Profile, Registration, Login, etc.). Affected: all versions up to 2.11.4. Vulnerability: Stored Cross-Site Scripting via the about_me field in user profiles, caused by insufficient input sanitization and output escaping. I...

6.4CVSS5.9AI score0.00241EPSS
Exploits0References11
NVD
NVD
added 2026/07/03 2:16 a.m.7 views

CVE-2026-12734

The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'connectorWidth' Block Attribute in all versions up to, and including, 2.3.0 due to insufficient input sanitization and output escaping. This makes i...

6.4CVSS0.00206EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/07/02 7:38 p.m.8 views

CVE-2026-58579

RAGFlow before 0.26.3 stores an agent pipeline DSL node name without sanitization: the agent update endpoint normalizes the submitted DSL via normalizedsl, which only performs JSON serialization validation and preserves the node name verbatim. The dataflow-result web UI then renders that name int...

5.4CVSS5.9AI score0.00182EPSS
Exploits0References6
Debian CVE
Debian CVE
added 2026/07/02 7:37 p.m.8 views

CVE-2025-71385

Netdata before 2.3.1 reflects the user-supplied love query parameter of the api/v2/ilove.svg and api/v3/ilove.svg endpoints verbatim into the generated SVG document into a text element without HTML or XML escaping, and serves the response with Content-Type image/svg+xml. An attacker can craft a U...

6.1CVSS5.9AI score0.0024EPSS
Exploits0
ATTACKERKB
ATTACKERKB
added 2026/07/02 7:37 p.m.9 views

CVE-2025-71385

Netdata before 2.3.1 reflects the user-supplied love query parameter of the api/v2/ilove.svg and api/v3/ilove.svg endpoints verbatim into the generated SVG document into a text element without HTML or XML escaping, and serves the response with Content-Type image/svg+xml. An attacker can craft a U...

6.1CVSS5.7AI score0.0024EPSS
Exploits0References5
Rows per page
Query Builder