CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

119853 matches found

ECT Home Page Products - Reflected XSS

ECT Home Page Products WordPress plugin through 1.9 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute malicious scripts in the context of high privilege users such as admin, exploit...

6.1CVSS7.2AI score0.0057EPSS

Exploits1References1

Nuclei•added yesterday•26 views

bloofoxCMS v0.5.2.1 - SQL Injection

bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the lid parameter at admin/index.php?mode=settings&page=lang&action=edit. id: CVE-2023-34752 info: name: bloofoxCMS v0.5.2.1 - SQL Injection author: theamanrawat severity: critical description: | bloofox v0.5.2.1 was...

9.8CVSS7.3AI score0.05459EPSS

Exploits1References5

Nuclei•added yesterday•42 views

Ninja Forms < 3.6.26 - Cross-Site Scripting

The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin id: CVE-2023-37979 info: name: Ninja Forms 3.6.26 - Cross-Site Scripting author: r3Y3r53 severity:...

7.1CVSS7AI score0.0601EPSS

Exploits6References5

Nuclei•added yesterday•54 views

JumpServer < 3.10.0 - Open Redirect

JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to version 3.10.0, attackers can exploit this vulnerability to construct malicious links, leading users to click on them, thereby facilitating phishing attacks or cross-site scripting attacks...

6.1CVSS5.7AI score0.01057EPSS

Exploits0References2

Nuclei•added yesterday•6 views

Custom Field Manager WordPress - Cross-Site Scripting

Custom Field Manager WordPress plugin through 1.0 contains a reflected XSS caused by unsanitized and unescaped parameter output, letting attackers execute scripts against high privilege users such as admin, exploit requires crafted request. id: CVE-2024-12873 info: name: Custom Field Manager...

6.1CVSS7.3AI score0.0053EPSS

Exploits1References2

Nuclei•added yesterday•56 views

pyload - Log Injection

A log injection vulnerability was identified in pyload. This vulnerability allows any unauthenticated actor to inject arbitrary messages into the logs gathered by pyload. id: CVE-2024-21645 info: name: pyload - Log Injection author: isacaya severity: medium description: | A log injection...

5.3CVSS6.2AI score0.24513EPSS

Exploits1References3

Nuclei•added yesterday•18 views

SickChill - Open Redirect

SickChill's login endpoint's 'next' parameter accepts arbitrary content, allowing authenticated attackers to perform open redirects, but this was fixed in commit c7128a8946c3701df95c285810eb75b2de18bf82 by redirecting to a default page. id: CVE-2024-53995 info: name: SickChill - Open Redirect...

4.8CVSS6AI score0.00935EPSS

Exploits0References6

Nuclei•added yesterday•16 views

DevDojo Voyager <=1.8.0 - Cross-Site Scripting

DevDojo Voyager through version 1.8.0 is vulnerable to reflected XSS via /admin/compass. By manipulating an authenticated user to click on a link, arbitrary Javascript can be executed. id: CVE-2024-55416 info: name: DevDojo Voyager =1.8.0 - Cross-Site Scripting author:...

3.5CVSS7.6AI score0.23851EPSS

Exploits1References4

Nuclei•added yesterday•25 views

WordPress GN Publisher <1.5.6 - Cross-Site Scripting

WordPress GN Publisher plugin before 1.5.6 is susceptible to cross-site scripting via the tab parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow th...

6.1CVSS6.7AI score0.0126EPSS

Exploits3References5

Nuclei•added yesterday•46 views

Gibbon v25.0.0 - Cross-Site Scripting

Multiple Cross-Site Scripting XSS vulnerabilities have been identified in Gibbon v25.0.0, which enable attackers to execute arbitrary Javascript code. id: CVE-2023-34599 info: name: Gibbon v25.0.0 - Cross-Site Scripting author: ritikchaddha severity: medium description: | Multiple Cross-Site...

6.1CVSS6.6AI score0.01687EPSS

Exploits1References5

Nuclei•added yesterday•37 views

Tree Page View Plugin < 1.6.7 - Cross-Site Scripting

The CMS Tree Page View plugin for WordPress has a Reflected Cross-Site Scripting vulnerability up to version 1.6.7. This is due to the posttype parameter not properly escaping user input. As a result, users with administrator privileges or higher can inject JavaScript code that will execute...

7.1CVSS6.8AI score0.03995EPSS

Exploits3References5

Nuclei•added yesterday•25 views

OPNsense - Cross-Site Scripting

A cross-site scripting XSS vulnerability in the act parameter of systemcertmanager.php in OPNsense before 23.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. id: CVE-2023-39002 info: name: OPNsense - Cross-Site Scripting author: Herry severity: medium description...

6.1CVSS6.5AI score0.01162EPSS

Exploits1References3

Nuclei•added yesterday•22 views

Custom 404 Pro < 3.7.3 - Cross-Site Scripting

Custom 404 Pro before 3.7.3 is susceptible to cross-site scripting via the search parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker t...

6.1CVSS6.7AI score0.0171EPSS

Exploits2References5

Nuclei•added yesterday•33 views

osTicket < v1.16.6 - Cross-Site Scripting

Cross-site Scripting XSS - Generic in GitHub repository osticket/osticket prior to v1.16.6. id: CVE-2023-1318 info: name: osTicket v1.16.6 - Cross-Site Scripting author: ritikchaddha severity: medium description: | Cross-site Scripting XSS - Generic in GitHub repository osticket/osticket prior to...

5.4CVSS6AI score0.01015EPSS

Exploits1References2

Nuclei•added yesterday•50 views

Cacti < 1.2.25 Insecure Deserialization

Cacti is an open source operational monitoring and fault management framework. There are two instances of insecure deserialization in Cacti version 1.2.24. id: CVE-2023-30534 info: name: Cacti 1.2.25 Insecure Deserialization author: k0pak4 severity: medium description: | Cacti is an open source...

4.3CVSS6.7AI score0.02569EPSS

Exploits1References5

Nuclei•added yesterday•35 views

MyCryptoCheckout < 2.124 - Cross-Site Scripting

The MyCryptoCheckout WordPress plugin before 2.124 does not escape some URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting. id: CVE-2023-1546 info: name: MyCryptoCheckout 2.124 - Cross-Site Scripting author: Harsh severity: medium description: | The...

6.1CVSS6.8AI score0.0085EPSS

Exploits1References2

Nuclei•added yesterday•26 views

Ditty < 3.1.25 - Cross-Site Scripting

The Ditty WordPress plugin before 3.1.25 does not sanitise and escape some parameters and generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin. id: CVE-2023-4148 info: name: Ditty 3.1.25 ...

6.1CVSS6.7AI score0.00812EPSS

Exploits2References2

Nuclei•added yesterday•21 views

Blog2Social < 7.2.1 - Cross-Site Scripting

The Blog2Social WordPress plugin before 7.2.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin id: CVE-2023-3936 info: name: Blog2Social 7.2.1 - Cross-Site...

6.1CVSS6.3AI score0.0093EPSS

Exploits2References2

Nuclei•added yesterday•66 views

Structurizr on-premises - Cross Site Scripting

Cross-site Scripting XSS - Reflected in GitHub repository structurizr/onpremises prior to 3194. id: CVE-2023-5556 info: name: Structurizr on-premises - Cross Site Scripting author: shankaracharya severity: medium description: | Cross-site Scripting XSS - Reflected in GitHub repository...

6.1CVSS6.1AI score0.01222EPSS

Exploits1References3

Nuclei•added yesterday•30 views

Video List Manager <= 1.7 - SQL Injection

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. id: CVE-2023-1408 info: name: Video List Manager = 1.7 - SQL Injection author: r3Y3r53 severity: high description: | The...

7.2CVSS7.2AI score0.03229EPSS

Exploits2References3

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by