CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

CVE•added 2026/05/08 11:10 p.m.•9 views

CVE-2026-42455

CVE-2026-42455 affects Linkwarden (self-hosted, open-source bookmark manager). For versions ≤ 2.14.0, the archive upload endpoint POST /api/v1/archives/[linkId]?format=4 accepts HTML files without sanitizing JavaScript content. When the archive is later retrieved via GET /api/v1/archives/[linkId]...

Vulnrichment•added 2026/05/08 11:10 p.m.•4 views

CVE-2026-42455 LinkWarden: Stored XSS via Client-Side Archive Upload (Unsanitized HTML served from same origin)

Cvelist•added 2026/05/08 11:10 p.m.•39 views

CVE-2026-42455 LinkWarden: Stored XSS via Client-Side Archive Upload (Unsanitized HTML served from same origin)

8.8CVSS0.00458EPSS

EUVD•added 2026/05/08 11:10 p.m.•7 views

EUVD-2026-28872

Positive Technologies•added 2026/05/08 12:0 a.m.•6 views

PT-2026-39223

Name of the Vulnerable Software and Affected Versions Linkwarden versions prior to 2.14.0 Description The archive upload endpoint "POST /api/v1/archives/linkId?format=4" accepts HTML files without sanitizing JavaScript content. When the archive is accessed via "GET...

Snyk•added 2026/05/07 2:34 a.m.•12 views

Exploits0References8

Missing Origin Validation in WebSockets

Overview Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets via inadequate validation of the Origin header during WebSocket connection upgrades. An attacker can gain unauthorized access to sensitive log data by convincing an authenticated user to visit a...

6.9CVSS5.8AI score0.0017EPSS

OSV•added 2026/05/04 9:24 p.m.•4 views

GHSA-RPFR-X88X-XWCW Pelican Web UI Affected by a Privilege Escalation Attack

Background On April 2nd, 2026, a Claude coding agent alerted Pelican PI Brian Bockelman to a privilege escalation vulnerability affecting Pelican's Web User Interface WebUI for various versions between v7.21 and v7.24. Upon further investigation, the Pelican team discovered this attack allows any...

9CVSS5.7AI score0.0032EPSS

Exploits0References4

Vulnrichment•added 2026/04/30 12:0 a.m.•2 views

CVE-2026-36956

A Cross-Site Request Forgery CSRF vulnerability exists in the web management interface of the Dbit N300 T1 Pro wireless router V1.0.0. The router fails to implement proper CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An...

5.5AI score0.00171EPSS

Exploits1References2

NVD•added 2026/04/24 12:16 a.m.•2 views

CVE-2026-25720

A vulnerability exists in SenseLive X3050’s web management interface due to improper session lifetime enforcement, allowing authenticated sessions to remain active for extended periods without requiring re-authentication. An attacker with access to a previously authenticated session could continu...

6.9CVSS0.00234EPSS

Exploits0References3

Vulnrichment•added 2026/04/23 11:48 p.m.•1 views

CVE-2026-25720 SenseLive X3050 Insufficient session expiration

6.9CVSS5.3AI score0.00234EPSS

Exploits0References3

RedhatCVE•added 2026/04/22 7:22 p.m.•1 views

CVE-2026-40588

blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the password change form at /profile/slug/edit/ does not include a currentpassword field and does not verify the user's existing password before accepting a new one. Any attacker who obtains a valid authenticated session —...

8.1CVSS5.8AI score0.00215EPSS

CVE•added 2026/04/21 5:12 p.m.•8 views

CVE-2026-40588

The CVE-2026-40588 entry concerns blueprintUE: prior to version 4.2.0, its password change form at /profile/{slug}/edit/ lacks a current_password field and does not verify the existing password before applying a new one. If an attacker has a valid authenticated session (via XSS, session hijacking...

8.1CVSS5.8AI score0.00215EPSS

Cvelist•added 2026/04/21 5:12 p.m.•28 views

CVE-2026-40588 blueprintUE: Authenticated Password Change Does Not Verify Current Password

8.1CVSS0.00215EPSS

NVD•added 2026/04/17 1:17 a.m.•4 views

CVE-2026-40262

Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection for content type, which does not identify text-based formats such as HTML, SVG, or XHTML. These files are served with an...

8.7CVSS0.00309EPSS

Exploits0References3

CVE•added 2026/04/13 12:0 a.m.•8 views

CVE-2025-70936

Vtiger CRM 8.4.0 is affected by a reflected XSS in the MailManager module, caused by improper handling of user-controlled input in the _folder parameter. The payload is reflected and executed in an authenticated user session, using a double URL-encoded input. The available connected sources confi...

5.4CVSS5.7AI score0.00138EPSS

Vulnrichment•added 2026/04/13 12:0 a.m.•3 views

CVE-2025-70936

Vtiger CRM 8.4.0 contains a reflected cross-site scripting XSS vulnerability in the MailManager module. Improper handling of user-controlled input in the folder parameter allows a specially crafted, double URL-encoded payload to be reflected and executed in the context of an authenticated user s...

5.7AI score0.00138EPSS

Cvelist•added 2026/04/13 12:0 a.m.•14 views

CVE-2025-70936

0.00138EPSS

Positive Technologies•added 2026/04/13 12:0 a.m.•3 views

PT-2026-32520

Name of the Vulnerable Software and Affected Versions Vtiger CRM version 8.4.0 Description A reflected cross-site scripting XSS issue exists in the MailManager module, where XSS is a type of attack that injects malicious scripts into a trusted website. Improper handling of user-controlled input i...

5.4CVSS5.5AI score0.00138EPSS

Exploits0References5

Snyk•added 2026/04/10 7:40 p.m.•4 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the function parameter, which is concatenated into an API error message and rendered without HTML escaping. An attacker can execute arbitrary JavaScript code in the context of a backend user's session by...

4.1CVSS5.8AI score