CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

84 matches found

Zarinpal Paid Download - Reflected XSS

Zarinpal Paid Download WordPress plugin v2.3 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute malicious scripts in the context of high privilege users such as admin, exploit requires...

6.1CVSS7.2AI score0.00564EPSS

Exploits1References2

NVD•added 3 days ago•6 views

CVE-2026-49220

Jellyfin is an open source self hosted media server. Prior to 10.11.9, a potential XSS attack exists in Jellyfin which can allow a non-privileged user to execute arbitrary Javascript in the context of a logged-in Administrative user, resulting in numerous potential issues. The Client header durin...

5.7CVSS0.00194EPSS

Exploits0References1

CVE•added 3 days ago•6 views

CVE-2026-49220

CVE-2026-49220 affects Jellyfin up to version 10.11.8, where a vulnerability in the AuthenticateByName flow allows a non-privileged user to inject HTML/JavaScript in the Client header that executes in an Administrative user session when accessing a user’s detail from the dashboard. This is a user...

5.7CVSS6.1AI score0.00194EPSS

Exploits0References1

NVD•added 2026/05/27 2:16 a.m.•18 views

CVE-2026-6565

The Style Kits – Advanced Theme Styles for Elementor, Elementor Kits & Elementor Patterns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '/wp-json/agwp/v1/tokens/save' endpoint kit title parameter in versions up to, and including, 2.5.0 due to insufficient input...

6.4CVSS0.00156EPSS

Exploits0References2

Cvelist•added 2026/05/13 2:22 p.m.•30 views

CVE-2020-37225 Powie's WHOIS Domain Check 0.9.31 Persistent Cross-Site Scripting

Powie's WHOIS Domain Check 0.9.31 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary JavaScript by exploiting unsanitized input fields in plugin settings. Attackers can submit malicious payloads through textarea and input elements in t...

6.4CVSS0.00243EPSS

Exploits0References5

CVE•added 2026/05/13 2:22 p.m.•12 views

CVE-2020-37225

Powie’s WHOIS Domain Check 0.9.31 has a persistent cross-site scripting (XSS) vulnerability in pwhois_settings.php, exploitable by authenticated attackers via unsanitized input in plugin settings (textarea/input fields). This can execute JavaScript in the admin context and may enable privilege es...

6.4CVSS5.9AI score0.00243EPSS

Exploits0References5

Vulnrichment•added 2026/05/13 2:22 p.m.•7 views

CVE-2020-37225 Powie's WHOIS Domain Check 0.9.31 Persistent Cross-Site Scripting

6.4CVSS5.9AI score0.00243EPSS

Exploits0References5

ATTACKERKB•added 2026/04/09 2:25 a.m.•2 views

CVE-2026-3568

The MStore API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.18.3. This is due to the updateuserprofile function in controllers/flutter-user.php processing the 'metadata' JSON parameter without any allowlist, blocklist, or validatio...

4.3CVSS6AI score0.00226EPSS

Exploits0References9

OSV•added 2026/04/01 9:54 p.m.•8 views

GHSA-R4V5-RWR2-Q7R4 CI4MS: Logs Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Summary Vulnerability: Stored DOM Blind XSS via Logs Interface Rendering Administrative Context Execution - Stored Cross-Site Scripting Blind XSS via Unsafe Rendering of User-Controlled Logged Data Description The application renders user-controlled input unsafely within the logs interface. If an...

9.1CVSS6.2AI score0.0038EPSS

Exploits1References4

EUVD•added 2026/03/21 6:30 a.m.•4 views

EUVD-2026-14014

The SurveyJS plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.5.3 via survey result submissions. This is due to insufficient input sanitization and output escaping. The public survey page exposes the nonce required for submission, allowing...

7.2CVSS5.8AI score0.00282EPSS

Exploits0References4

NVD•added 2026/03/21 4:17 a.m.•4 views

CVE-2026-2440

7.2CVSS0.00282EPSS

Exploits0References3

Positive Technologies•added 2026/03/21 12:0 a.m.•4 views

PT-2026-26837

7.2CVSS5.8AI score0.00282EPSS

Exploits0References4

CVE•added 2026/03/15 6:34 p.m.•14 views

CVE-2015-20115

CVE-2015-20115 concerns RealtyScript 4.0.2 from Next Click Ventures. The connected documents confirm a stored cross-site scripting issue via the file upload parameter in admin/tools.php, caused by inadequate sanitization of uploaded files. Attackers could place JavaScript in uploads that would ex...

7.2CVSS5.9AI score0.00267EPSS

Exploits1References3Affected Software1

RedhatCVE•added 2026/03/05 7:30 p.m.•5 views

CVE-2026-20062

A vulnerability in the CLI of Cisco Secure Firewall Adaptive Security Appliance ASA Software in multiple context mode could allow an authenticated, local attacker with administrative privileges in one context to copy files to or from another context, including configuration files. This...

7.2CVSS6AI score0.0012EPSS

Exploits0References1

NVD•added 2026/03/04 6:16 p.m.•8 views

CVE-2026-20062

7.2CVSS0.0012EPSS

Exploits0References1

CVE•added 2026/03/04 5:22 p.m.•56 views

CVE-2026-20062

The CVE-2026-20062 entry concerns Cisco Secure Firewall ASA software in multiple context mode. Vulnerability: improper access controls on SCP operations when the CiscoSSH stack is enabled allow an authenticated user with admin privileges only in a non-admin context to copy files to/from other con...

7.2CVSS6AI score0.0012EPSS

Exploits0References1

Vulnrichment•added 2026/03/04 5:22 p.m.•5 views

CVE-2026-20062

7.2CVSS6AI score0.0012EPSS

Exploits0References1

ATTACKERKB•added 2026/03/04 5:22 p.m.•6 views

CVE-2026-20062

7.2CVSS6AI score0.0012EPSS

Exploits0References2Affected Software1

Cvelist•added 2026/03/04 5:22 p.m.•31 views

CVE-2026-20062