Lucene search
K

255 matches found

CVE
CVE
added 5 hours ago7 views

CVE-2026-12511

CVE-2026-12511 affects the AI Engine WordPress plugin prior to 3.5.5. The flaw occurs when a user-supplied filename used for a downloaded file is not sanitized, enabling authenticated users with editor-level access to perform path traversal and write attacker-controlled bytes to an arbitrary loca...

6.2AI score
Exploits0References1
CVE
CVE
added 3 days ago14 views

CVE-2026-11591

CVE-2026-11591 affects the WordPress plugin Widgets for Google Reviews up to version 13.3. It is a Stored Cross‑Site Scripting (XSS) vulnerability triggered via admin settings, caused by insufficient input sanitization and output escaping in the parameters fomo-title and fomo-text . Exploitation ...

4.4CVSS6.2AI score0.00251EPSS
Exploits0References10
EUVD
EUVD
added 5 days ago7 views

EUVD-2026-42613

n8n is an open source workflow automation platform. Prior to 1.123.61, 2.27.4, and, 2.28.1, an authenticated member with use-only editor access to a shared workflow could read credential-populated headers exposed via the $request object inside an HTTP Request node's pagination expression and...

7.1CVSS5.9AI score0.00303EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added last week5 views

CVE-2026-55647

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, dashboard text components render stored component content with Vue v-html without server-side HTML sanitization, allowing an authenticated user who can edit dashboard component data to inject HTML with executable...

5.1CVSS6AI score0.00269EPSS
Exploits0References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/07/01 12:0 a.m.7 views

PT-2026-54862

Name of the Vulnerable Software and Affected Versions Craft CMS versions 5.9.0 through 5.9.x Description Control panel users with entry editing permissions can execute unsandboxed Twig code, which may lead to authenticated Remote Code Execution RCE. The issue occurs during the entry saving proces...

8.7CVSS6AI score0.00293EPSS
Exploits0References9
NVD
NVD
added 2026/06/27 8:16 a.m.11 views

CVE-2026-12399

The Gutenverse – WordPress Blocks, Page Builder & Site Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

4.4CVSS0.00246EPSS
Exploits0References12
NVD
NVD
added 2026/06/23 4:17 p.m.8 views

CVE-2026-54313

n8n is an open source workflow automation platform. Prior to 2.24.0, an authenticated user with workflow edit access could supply a malicious filter value in the MongoDB node's Find And Replace operation. The value was not validated before being passed to MongoDB as a query filter, allowing...

7.7CVSS0.0026EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/23 3:46 p.m.6 views

CVE-2026-54302

n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.2, an authenticated user with workflow edit access could inject arbitrary JavaScript into the Chat Trigger's generated page by setting a malicious webhookId. When a logged-in user visited the chat URL, the...

7CVSS6AI score0.0021EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/06/23 3:46 p.m.8 views

EUVD-2026-38477

n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.2, an authenticated user with workflow edit access could inject arbitrary JavaScript into the Chat Trigger's generated page by setting a malicious webhookId. When a logged-in user visited the chat URL, the...

7CVSS6AI score0.0021EPSS
Exploits0References1
CVE
CVE
added 2026/06/23 3:44 p.m.19 views

CVE-2026-54301

Summary: CVE-2026-54301 affects n8n prior to certain fixes. An authenticated user with workflow edit access could configure a Respond to Webhook node to serve binary content with an attacker-controlled Content-Type, bypassing the central Content-Security-Policy sandbox header. This allowed a publ...

7CVSS5.9AI score0.00216EPSS
Exploits0References1Affected Software1
CVE
CVE
added 2026/06/23 3:31 p.m.15 views

CVE-2026-54313

n8n: NoSQL Injection in MongoDB Node Find And Replace Operation (CVE-2026-54313). Affected software: n8n open-source workflow automation platform. Vulnerable component: MongoDB node’s Find And Replace operation prior to version 2.24.0. Root cause: An authenticated user with workflow edit access c...

7.7CVSS5.8AI score0.0026EPSS
Exploits0References1Affected Software1
CVE
CVE
added 2026/06/23 6:0 a.m.14 views

CVE-2026-7842

The CVE concerns the Infility Global WordPress plugin for WordPress (before 2.15.20). In admin callbacks import_list(), url_detail(), and file_detail(), the plugin does not sanitize or validate the orderby and order parameters before using them in SQL queries, enabling time-based blind SQL inject...

6.8CVSS5.9AI score0.00231EPSS
Exploits0References1
Snyk
Snyk
added 2026/06/18 3:4 p.m.2 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the Dom::sanitize function. An attacker can execute arbitrary JavaScript code in the context of other users by injecting malicious markup as children of unknown HTML/XML tags, which are not properly sanitize...

8.5CVSS5.8AI score0.00409EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.20 views

PT-2026-50473

Name of the Vulnerable Software and Affected Versions NocoDB versions prior to 2026.05.1 Description The 'spreadsheet-fetch' endpoint, specifically within the axiosRequestMake function, improperly validated URLs. It accepted paths containing permitted extensions anywhere in the string and utilize...

5.1CVSS5.9AI score0.00282EPSS
Exploits0References8
CVE
CVE
added 2026/06/13 2:29 a.m.28 views

CVE-2026-12089

The vulnerability CVE-2026-12089 affects the WordPress plugin “LWS Optimize – All-in-One Speed Booster & Cache Tools” up to version 3.3.19. The root cause is in the combine_current_css() function, which trusts href values harvested from page HTML and converts same-site URLs to absolute filesyste...

4.9CVSS5.5AI score0.00336EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/13 2:29 a.m.38 views

CVE-2026-12089 WS Optimize – All-in-One Speed Booster & Cache Tools <= 3.3.19 - Authenticated (Editor+) Arbitrary File Read

The LWS Optimize – All-in-One Speed Booster & Cache Tools plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 3.3.19. This is due to the combinecurrentcss function trusting values harvested from page HTML and converting same-site URLs to absolute filesystem...

4.9CVSS0.00336EPSS
Exploits0References3
CVE
CVE
added 2026/06/10 7:56 p.m.18 views

CVE-2026-45106

Weblate (web-based localization tool) is affected by a stored HTML injection/XSS in the live search preview prior to version 2026.5, where unit source and context are rendered without escaping, allowing HTML/CSS that runs in authenticated editors of other users performing a matching search. The i...

4.6CVSS5.3AI score0.00208EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/06/10 7:56 p.m.10 views

CVE-2026-45106 Weblate: Stored HTML injection in editor search preview

Weblate is a web based localization tool. Prior to version 2026.5, Weblate's live search preview renders unit source and context as HTML without escaping. Any contributor whose content reaches those fields stores HTML and CSS that runs inside the authenticated editor of every user who runs a...

4.6CVSS5.3AI score0.00208EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/06/10 7:50 a.m.10 views

CVE-2026-8853 MW WP Form <= 5.1.3 - Authenticated (Editor+) Stored Cross-Site Scripting via 'memo' Parameter

The MW WP Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'memo' parameter in all versions up to, and including, 5.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access and above,...

4.4CVSS5.7AI score0.00201EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/06/10 7:50 a.m.39 views

CVE-2026-8853 MW WP Form <= 5.1.3 - Authenticated (Editor+) Stored Cross-Site Scripting via 'memo' Parameter

The MW WP Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'memo' parameter in all versions up to, and including, 5.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access and above,...

4.4CVSS0.00201EPSS
Exploits0References6
Rows per page
Query Builder