CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

238 matches found

Positive Technologies•added 2026/01/24 12:0 a.m.•2 views

PT-2026-4574

The GZSEO plugin for WordPress is vulnerable to authorization bypass leading to Stored Cross-Site Scripting in all versions up to, and including, 2.0.11. This is due to missing capability checks on multiple AJAX handlers combined with insufficient input sanitization and output escaping on the emb...

6.4CVSS5.9AI score0.00016EPSS

Exploits0References3

OSV•added 2026/01/23 4:16 a.m.•2 views

CVE-2026-0768

Langflow code Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the code...

9.8CVSS6.6AI score

Exploits0References1

Cvelist•added 2026/01/23 3:28 a.m.•25 views

CVE-2026-0768 Langflow code Code Injection Remote Code Execution Vulnerability

9.8CVSS0.0973EPSS

Exploits1References1

Snyk•added 2026/01/05 3:40 a.m.•2 views

Remote Code Execution (RCE)

Overview Affected versions of this package are vulnerable to Remote Code Execution RCE over the /expr endpoint. An authenticated user can execute code or disrupt service by sending malicious serialized data as the code parameter, which is passed to expr.Exec and executed as an expression without...

8.8CVSS6.8AI score0.00036EPSS

Exploits0References2

Snyk•added 2026/01/05 3:40 a.m.•5 views

Remote Code Execution (RCE)

8.8CVSS6.8AI score0.00036EPSS

Exploits0References2

Snyk•added 2026/01/05 3:40 a.m.•2 views

Remote Code Execution (RCE)

8.8CVSS6.8AI score0.00036EPSS

Exploits0References2

Vulnrichment•added 2025/12/29 9:32 p.m.•1 views

CVE-2025-15206 Campcodes Supplier Management System add_area.php sql injection

A flaw has been found in Campcodes Supplier Management System 1.0. This impacts an unknown function of the file /admin/addarea.php. Executing a manipulation of the argument txtAreaCode can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be us...

7.5CVSS7.1AI score0.0002EPSS

Exploits1References5

RedhatCVE•added 2025/12/16 8:44 p.m.•2 views

CVE-2023-53892

Blackcat CMS 1.4 contains a remote code execution vulnerability that allows authenticated administrators to upload malicious PHP files through the jquery plugin manager. Attackers can upload a zip file with a PHP shell script and execute arbitrary system commands by accessing the uploaded plugin'...

8.6CVSS8.6AI score0.01019EPSS

Exploits1References1

Cvelist•added 2025/12/13 4:31 a.m.•24 views

CVE-2025-14539 Shortcode Loader <= 1.0 - Unauthenticated Arbitrary Shortcode Execution via 'code' Parameter

The The Shortcode Ajax plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.0. This is due to the software allowing users to execute an action that does not properly validate a value before running doshortcode. This makes it possible for...

5.4CVSS0.00194EPSS

Exploits0References2

Cvelist•added 2025/12/10 11:16 a.m.•21 views

CVE-2025-41358 Direct reference to insecure objects (IDOR) in CronosWeb from CronosWeb i2A

Direct Object Reference Vulnerability IDOR in i2A's CronosWeb, in versions prior to 25.00.00.12, inclusive. This vulnerability could allow an authenticated attacker to access other users' documents by manipulating the ‘documentCode’ parameter in...

8.3CVSS0.00055EPSS

Exploits0References1

Positive Technologies•added 2025/12/10 12:0 a.m.•2 views

PT-2025-50322

8.3CVSS6.6AI score0.00055EPSS

Exploits0References2

RedhatCVE•added 2025/11/22 8:35 a.m.•4 views

CVE-2025-12135

The WPBookit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'csscode' parameter in all versions up to, and including, 1.0.6 due to a missing capability check on the savecustomecode function. This makes it possible for unauthenticated attackers to inject arbitrary web...

7.2CVSS4.7AI score0.00229EPSS

Exploits0References1

Cvelist•added 2025/11/21 7:31 a.m.•4 views

CVE-2025-12135 WPBookit <= 1.0.6 - Unauthenticated Stored Cross-Site Scripting

7.2CVSS0.00229EPSS

Exploits0References7

Positive Technologies•added 2025/11/21 12:0 a.m.•2 views

PT-2025-47691

Name of the Vulnerable Software and Affected Versions WPBookit versions up to and including 1.0.6 Description The WPBookit plugin for WordPress is susceptible to Stored Cross-Site Scripting. This is due to a missing capability check on the save custome code function, allowing unauthenticated...

7.2CVSS5.5AI score0.00229EPSS

Exploits0References11

Positive Technologies•added 2025/11/19 12:0 a.m.•0 views

PT-2025-47475

Name of the Vulnerable Software and Affected Versions i-Educar versions prior to 2.10.0 Description i-Educar is school management software with a flaw that allows an authenticated attacker to execute arbitrary SQL commands against the application's database. This is due to a time-based SQL...

7.2CVSS7.9AI score0.00045EPSS

Exploits1References7

RedhatCVE•added 2025/10/31 12:13 a.m.•1 views

CVE-2025-56313

A Reflected Cross-Site Scripting XSS vulnerability was discovered in the /publix/run endpoint of JATOS 3.7.1 through 3.9.6 inclusive. This allows remote attackers to execute arbitrary JavaScript in a user's web browser by including a malicious payload in the "code" URL parameter. When an...

6.1CVSS6.2AI score0.00042EPSS

Exploits0References1

CNVD•added 2025/10/31 12:0 a.m.•2 views

IPFire Cross-Site Scripting Vulnerability (CNVD-2025-27637)

IPFire is an open source Linux distribution from the IPFire organization. It is mainly used as a router and firewall. A cross-site scripting vulnerability exists in IPFire that stems from the COUNTRYCODE parameter not being properly cleaned and encoded, which can be exploited by an attacker to...

5.4CVSS6.3AI score0.00034EPSS

Exploits0References1