CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

CVE•added 3 days ago•11 views

CVE-2026-3722

The CVE concerns the WordPress plugin “Auto Image Attributes From Filename With Bulk Updater” (versions ≤ 4.9). The root cause is insufficient input sanitization and output escaping in attachment metadata, enabling Stored Cross-Site Scripting. Impact: authenticated attackers with Author-level acc...

ATTACKERKB•added 3 days ago•5 views

CVE-2026-3722

EUVD•added 3 days ago•7 views

Exploits0References4

EUVD-2026-33869

Positive Technologies•added 3 days ago•8 views

PT-2026-45687

PyPA•added 4 days ago•3 views

Exploits0References4

PYSEC-0000-CVE-2026-45360

Apache Airflow's scheduler-side deadline-reference decoder SerializedCustomReference.deserializereference imported and dispatched arbitrary class paths drawn from DAG-author-controlled serialized state without an allowlist or plugin-registry gate. A DAG author whose code reaches the scheduler — t...

7.3CVSS6AI score0.00083EPSS

Exploits0References3Affected Software1

PyPA•added 4 days ago•4 views

PYSEC-2026-186

7.3CVSS6AI score0.00083EPSS

Exploits0References3Affected Software1

PyPA•added 4 days ago•5 views

PYSEC-2026-181

A Dag author could either a create a symlink under their task's log directory pointing to an arbitrary file readable by the API server process read-path attack — e.g. /etc/passwd or airflow.cfg or b supply a taskid containing .. sequences accepted by the Task SDK's KEYREGEX write-path attack, and...

6.5CVSS5.9AI score0.00092EPSS

Exploits0References3Affected Software1

EUVD•added 4 days ago•7 views

EUVD-2026-33587

6AI score0.00083EPSS

Exploits0References2

Vulnrichment•added 4 days ago•4 views

CVE-2026-45360 Apache Airflow: Arbitrary import in custom deadline-reference deserialization

6AI score0.00083EPSS

Exploits0References2

Positive Technologies•added 4 days ago•9 views

PT-2026-45374

Apache Airflow's scheduler-side deadline-reference decoder SerializedCustomReference.deserialize reference imported and dispatched arbitrary class paths drawn from DAG-author-controlled serialized state without an allowlist or plugin-registry gate. A DAG author whose code reaches the scheduler —...

6AI score0.00083EPSS

NVD•added last week•11 views

CVE-2026-6275

The StatCounter – Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.1.1 This is due to insufficient output escaping on the post author's nickname in the statcounteraddToTags function. The function is hooked to wphead...

6.4CVSS0.0004EPSS

ATTACKERKB•added last week•6 views

CVE-2026-6275

6.4CVSS5.8AI score0.0004EPSS

Exploits0References7

CVE•added last week•8 views

CVE-2026-6275

CVE-2026-6275 : The StatCounter – Free Real Time Visitor Stats WordPress plugin is vulnerable in versions up to 2.1.1 due to insufficient output escaping in the statcounter_addToTags() function, which is hooked to wp_head. It retrieves the post author’s nickname with the_author_meta() and echoes ...

Cvelist•added last week•32 views

CVE-2026-6275 StatCounter <= 2.1.1 - Authenticated (Author+) Stored Cross-Site Scripting via Author Nickname

6.4CVSS0.0004EPSS

Vulnrichment•added last week•5 views

CVE-2026-6275 StatCounter <= 2.1.1 - Authenticated (Author+) Stored Cross-Site Scripting via Author Nickname

EUVD•added last week•6 views

EUVD-2026-33250

Positive Technologies•added 2026/05/29 12:0 a.m.•6 views

PT-2026-44751

The StatCounter – Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.1.1 This is due to insufficient output escaping on the post author's nickname in the statcounter addToTags function. The function is hooked to wp he...