Lucene search
K

4050 matches found

Nuclei
Nuclei
added yesterday44 views

WordPress FlatPM <3.0.13 - Cross-Site Scripting

WordPress FlatPM plugin before 3.0.13 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape certain parameters before outputting them back in pages, which can be exploited against high privilege users such as admin. An attacker can steal cookie-based authenticatio...

5.4CVSS6AI score0.00869EPSS
Exploits2References5
Nuclei
Nuclei
added yesterday77 views

Extreme Management Center 8.4.1.24 - Cross-Site Scripting

Extreme Management Center 8.4.1.24 contains a cross-site scripting vulnerability via a parameter in a GET request. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication...

6.1CVSS6.4AI score0.03465EPSS
Exploits0References5
Nuclei
Nuclei
added yesterday119 views

H3C SSL VPN <=2022-07-10 - Cross-Site Scripting

H3C SSL VPN 2022-07-10 and prior contains a cookie-based cross-site scripting vulnerability in wnm/login/login.json svpnlang. id: CVE-2022-35416 info: name: H3C SSL VPN =2022-07-10 - Cross-Site Scripting author: 0x240x23elu severity: medium description: | H3C SSL VPN 2022-07-10 and prior contains...

6.1CVSS6.3AI score0.02886EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday71 views

OpenCATS 0.9.6 - Cross-Site Scripting

OpenCATS 0.9.6 contains a cross-site scripting vulnerability via the joborderID parameter. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch...

6.1CVSS6.4AI score0.01278EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday39 views

HPE System Management - Cross-Site Scripting

HPE System Management contains a cross-site scripting vulnerability which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other...

5.4CVSS6.7AI score0.04601EPSS
Exploits2References5
Nuclei
Nuclei
added yesterday63 views

CandidATS 3.0.0 - Cross-Site Scripting

CandidATS 3.0.0 contains a cross-site scripting vulnerability via the page parameter of the ajax.php resource. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication...

6.1CVSS6.4AI score0.01071EPSS
Exploits1References5
Nuclei
Nuclei
added 2 days ago52 views

WordPress Tutor LMS <2.0.10 - Cross Site Scripting

WordPress Tutor LMS plugin before 2.0.10 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape the resetkey and userid parameters before outputting then back in attributes. An attacker can inject arbitrary script in the browser of an unsuspecting user in the conte...

6.1CVSS6.4AI score0.01347EPSS
Exploits2References3
CVE
CVE
added 2 days ago9 views

CVE-2026-48588

The CVE-2026-48588 issue affects Django 6.0 before 6.0.7 and 5.2 before 5.2.16. It arises in UpdateCacheMiddleware and the cache_page() decorator, which cache responses that vary on cookies even when the request contains unrelated cookies. This can allow remote attackers to read private data from...

3.1CVSS6AI score0.00378EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2 days ago9 views

PT-2026-56195

An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. UpdateCacheMiddleware and the cache page decorator cache responses that vary on cookies when the incoming request carries unrelated cookies, which allows remote attackers to read private data from the shared cache. Earlier,...

3.1CVSS6AI score0.00378EPSS
Exploits0References5
OSV
OSV
added 2026/06/10 1:39 p.m.12 views

GHSA-8QHJ-4F8C-J8QG Nezha has cross-site GET request that can trigger stored cron commands on a victim's agents

Summary The dashboard exposes the cron manual-trigger action as an authenticated GET /api/v1/cron/:id/manual endpoint. Dashboard JWTs are sent in the nz-jwt cookie and configured with SameSite=Lax, which browsers include on top-level cross-site GET navigations. Because this state-changing GET...

7.1CVSS5.7AI score0.00123EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/10 12:0 a.m.7 views

Origin Validation Error

Overview org.springframework.graphql:spring-graphql is a GraphQL Support for Spring Applications Affected versions of this package are vulnerable to Origin Validation Error via insufficient Origin validation for WebSocket connections. An attacker can perform Cross-Site WebSocket Hijacking CSWSH b...

8.5CVSS5.8AI score0.00182EPSS
Exploits0References2
The Hacker News
The Hacker News
added 2026/06/03 4:30 p.m.17 views

CISA Adds Exploited Magento RCE Flaw CVE-2026-45247 to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency CISA on Wednesday added a critical flaw impacting Mirasvit Cache Warmer, a popular Magento full-page cache extension, to its Known Exploited Vulnerabilities KEV catalog, following reports of active exploitation in the wild. The...

9.8CVSS6.9AI score0.27546EPSS
Exploits1
ATTACKERKB
ATTACKERKB
added 2026/05/19 12:0 a.m.7 views

CVE-2026-36829

An authentication bypass vulnerability exists in the embedded HTTP server of Panabit PAP-XM320 up to and including v7.7. The server validates session cookies using a filesystem existence check based on a user-controlled cookie value without proper sanitization, allowing directory traversal and...

9.8CVSS5.8AI score0.01268EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/05/18 10:5 p.m.14 views

CVE-2026-27964

FacturaScripts is an open source accounting and invoicing software. Versions 2025.7 and prior contain a Reflected Cross-Site Scripting XSS vulnerability through the fsNick cookie parameter. The application reflects the cookie's value directly into the HTML without sanitization. The fsNick cookie ...

3.9CVSS5.8AI score0.00104EPSS
Exploits0References3Affected Software1
Snyk
Snyk
added 2026/04/24 3:36 p.m.4 views

Cross-site Request Forgery (CSRF)

Overview rwsdk is a Build fast, server-driven webapps on Cloudflare with SSR, RSC, and realtime Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF through the serverAction process. An attacker can trigger unauthorized state changes or actions by inducing an...

6CVSS5.5AI score0.00111EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/04/24 3:36 p.m.15 views

RedwoodSDK has Same-site CSRF through lack of origin validation in its server actions

Summary Server actions in rwsdk apply HTTP method enforcement but no origin validation. A request originating from a different origin that the browser treats as same-site can invoke a server action with the victim's session cookie attached. Impact An attacker who controls any origin the browser...

5.3CVSS5.3AI score0.00111EPSS
Exploits0References4Affected Software1
CNVD
CNVD
added 2026/04/15 12:0 a.m.5 views

Adobe Connect Cross-Site Scripting Vulnerability (CNVD-2026-18678)

Adobe Connect is a software for creating meeting environments from the American company Audobee Adobe. Adobe Connect suffers from a cross-site scripting vulnerability that is caused by improper validation of user-supplied input. An attacker could exploit the vulnerability to steal the victim's...

6.1CVSS5.7AI score0.00225EPSS
Exploits0
CNVD
CNVD
added 2026/04/15 12:0 a.m.11 views

Adobe Experience Manager Cross-Site Scripting Vulnerability (CNVD-2026-20002)

Adobe Experience Manager AEM is a set of content management solutions that can be used to build websites, mobile applications and forms from the American company Odobie Adobe. The program supports mobile content management, marketing and sales campaign management and multi-site management. A...

5.4CVSS5.6AI score0.00189EPSS
Exploits0
Positive Technologies
Positive Technologies
added 2026/04/15 12:0 a.m.6 views

PT-2026-33011

Name of the Vulnerable Software and Affected Versions Login as User plugin for WordPress versions prior to 1.0.4 Description An issue exists where the handle return to admin function trusts a client-controlled cookie oclaup original admin to determine the user for authentication. Because there is...

8.8CVSS5.2AI score0.00399EPSS
Exploits0References8
CNVD
CNVD
added 2026/04/15 12:0 a.m.6 views

Adobe Connect Cross-Site Scripting Vulnerability (CNVD-2026-18681)

Adobe Connect is a software for creating meeting environments from the American company Audobee Adobe. Adobe Connect suffers from a cross-site scripting vulnerability that could be exploited by an attacker to steal a victim's cookie-based authentication credentials...

9.3CVSS5.6AI score0.00304EPSS
Exploits0
Rows per page
Query Builder