CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

751 matches found

EUVD-2026-38669

The Blue Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 2.0.1. This is due to missing or incorrect nonce validation on the main admin panel blcapmainpage and on the Hall of Shame and Log subpages, which accept a 'blcapaction' / 'action'...

4.3CVSS5.9AI score0.00146EPSS

Exploits0References6

EUVD•added 3 days ago•4 views

EUVD-2026-38503

A stored XSS can be exploited by leveraging the usernames as an attack vector. When an admin user viewed the audit log details for affected entries, any malicious JavaScript payload embedded in the username would be executed due to missing output sanitisation. Proper escaping has been added to th...

5.7AI score0.00304EPSS

Exploits0References1

CVE•added 3 days ago•9 views

CVE-2026-44960

Vulnerability summary (CVE-2026-44960) : A stored XSS exists in Revive Adserver where malicious content placed in the username could be executed when an admin views audit log details, due to missing output sanitisation. The issue is triggered by usernames being displayed in the audit log details ...

5.7AI score0.00304EPSS

Exploits0References1

Cvelist•added 3 days ago•31 views

CVE-2026-44960

0.00304EPSS

Exploits0References1

OSV•added 2026/06/12 3:4 p.m.•6 views

GHSA-6JQ6-X4CX-QVCM Firefly II has Stored XSS in Audit Log Entry view via piggy bank name (ale.twig)

Summary The Twig template resources/views/list/ale.twig renders the piggy bank name from AuditLogEntry.after.piggy using the |raw filter, bypassing Twig's auto-escaping. A piggy bank created with an HTML payload in its name executes arbitrary JavaScript in any browser viewing that transaction's...

5.1CVSS5.5AI score

Exploits0References3

Github Security Blog•added 2026/06/12 3:4 p.m.•10 views

Firefly II has Stored XSS in Audit Log Entry view via piggy bank name (ale.twig)

5.5AI score

Exploits0References3Affected Software1

CNNVD•added 2026/06/11 12:0 a.m.•12 views

Cerebrate 信息泄露漏洞

Cerebrate is an open-source platform developed by Cerebrate. It aims to act as an interconnected coordinator for trusted contact information providers and other security tools. Prior to version 1.37 of Cerebrate, there was a vulnerability involving information leakage, which stemmed from exposing...

5.1CVSS5.3AI score0.00242EPSS

Exploits0References1

RedhatCVE•added 2026/06/09 2:59 p.m.•8 views

CVE-2026-8078

Stored cross-site scripting in the global settings change log in Checkmk 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 versions allows an administrator who can change global settings to store malicious HTML or JavaScript in changelog messages that executes in other users' browsers when they view the...

4.8CVSS5.2AI score0.00143EPSS

Exploits0References1

Cvelist•added 2026/06/09 1:11 p.m.•31 views

CVE-2026-11792 389-ds-base: 389-ds-base: heap buffer overflow in audit log password masking (create_masked_entry_string)

A heap buffer overflow flaw was found in 389 Directory Server. When audit logging is enabled, the createmaskedentrystring function in auditlog.c copies a fixed-length password mask into a precisely-sized heap buffer without checking available space. If a short cleartext password is logged requiri...

3.3CVSS0.00267EPSS

Exploits0References4

Tenable Nessus•added 2026/06/09 12:0 a.m.•7 views

Linux Distros Unpatched Vulnerability : CVE-2026-11792

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A heap buffer overflow flaw was found in 389 Directory Server. When audit logging is enabled, the createmaskedentrystring function in auditlog.c copies a...

3.3CVSS5.6AI score0.00267EPSS

Exploits0References4

OSV•added 2026/06/08 11:35 p.m.•8 views

GHSA-QM33-P5P9-F8VG nebula-mesh: GET /api/v1/audit-log discloses all entries to any operator

internal/api/audit.go:12 — handleGetAuditLog does no admin check. The route is bearer-auth gated only; any operator API key returns the full audit log via store.ListAuditEntries up to limit=1000. This includes cross-tenant actor names, host/CA/operator IDs, action timestamps, and masked-IP entrie...

7.1CVSS5.5AI score0.00043EPSS

Exploits0References4

Github Security Blog•added 2026/06/08 11:35 p.m.•9 views

nebula-mesh: GET /api/v1/audit-log discloses all entries to any operator

5.5AI score0.00043EPSS

Exploits0References4Affected Software1

NVD•added 2026/06/08 1:16 p.m.•10 views

CVE-2026-8078

4.8CVSS0.00143EPSS

Exploits0References1

OSV•added 2026/06/08 1:16 p.m.•5 views

UBUNTU-CVE-2026-8078

4.8CVSS5.2AI score0.00143EPSS

Exploits0References3

Vulnrichment•added 2026/06/08 12:6 p.m.•8 views

CVE-2026-8078 Fix stored XSS in global settings change log

4.8CVSS5.2AI score0.00143EPSS

Exploits0References1

Cvelist•added 2026/06/08 12:6 p.m.•41 views

CVE-2026-8078 Fix stored XSS in global settings change log

4.8CVSS0.00143EPSS

Exploits0References1

CVE•added 2026/06/08 12:6 p.m.•27 views

CVE-2026-8078

CVE-2026-8078 is a stored cross-site scripting vulnerability in Checkmk’s global settings change log. It affects Checkmk versions <2.5.0p5, <2.4.0p31,

4.8CVSS5.2AI score0.00143EPSS

Exploits0References1Affected Software1

EUVD•added 2026/06/08 12:6 p.m.•9 views

EUVD-2026-35052

4.8CVSS5.2AI score0.00143EPSS

Exploits0References1

Positive Technologies•added 2026/06/08 12:0 a.m.•9 views

PT-2026-47286

4.8CVSS5.2AI score0.00143EPSS

Exploits0References2

Positive Technologies•added 2026/06/08 12:0 a.m.•9 views

PT-2026-47623

Name of the Vulnerable Software and Affected Versions nebula-mesh versions prior to 0.3.1 Description The handleGetAuditLog function in internal/api/audit.go fails to perform an administrative privilege check. While the endpoint is protected by bearer authentication, any valid operator API key...

7.1CVSS5.9AI score0.00043EPSS

Exploits0References6

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by