CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

EUVD•added 6 days ago•10 views

EUVD-2026-37846

4.9CVSS5.8AI score0.00363EPSS

Cvelist•added 6 days ago•24 views

CVE-2026-10736 Tutor LMS <= 3.9.11 - Authenticated (Administrator+) SQL Injection via 'data' Parameter

4.9CVSS0.00363EPSS

CVE•added 6 days ago•14 views

CVE-2026-10736

CVE-2026-10736 affects the WordPress plugin Tutor LMS (eLearning and online course solution). All versions up to and including 3.9.11 are vulnerable to a generic SQL Injection via the 'data' parameter due to insufficient escaping and inadequate preparation of the SQL query. This can let an authen...

4.9CVSS5.9AI score0.00363EPSS

Cvelist•added 2026/06/12 8:30 p.m.•32 views

CVE-2026-12129 CodeAstro Human Resource Management System Dashboard add_tod cross site scripting

A vulnerability was identified in CodeAstro Human Resource Management System 1.0. Affected by this issue is some unknown functionality of the file /dashboard/addtod of the component Dashboard Interface. The manipulation of the argument tododata leads to cross site scripting. The attack may be...

5.1CVSS0.00203EPSS

Exploits0References6

NVD•added 2026/05/15 1:16 p.m.•27 views

CVE-2026-41553

PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Remote Code Execution due to lack of "data" parameter sanitization. An unauthenticated attacker can inject the malicious JavaScript code to the parameter whose value is processed by Node.js and subsequently executed...

10CVSS0.00648EPSS

Cvelist•added 2026/05/15 12:31 p.m.•48 views

CVE-2026-41553 Remote Code Execution in PDF Export Module

10CVSS0.00648EPSS

Vulnrichment•added 2026/05/15 12:31 p.m.•15 views

CVE-2026-41553 Remote Code Execution in PDF Export Module

ATTACKERKB•added 2026/05/15 12:31 p.m.•6 views

CVE-2026-41553

Exploits0References3Affected Software1

CVE•added 2026/05/15 12:31 p.m.•22 views

CVE-2026-41553

CVE-2026-41553 affects the PDF Export Module used in DHTMLX Gantt and Scheduler. The vulnerability arises from lack of sanitization in the data parameter, allowing an unauthenticated attacker to inject malicious JavaScript that is processed by Node.js and executed, leading to potential server com...

Exploits0References2Affected Software1

CNNVD•added 2026/05/15 12:0 a.m.•8 views

DHTMLX Gantt 操作系统命令注入漏洞

DHTMLX Gantt is a JavaScript Gantt chart component developed by DHTMLX Corporation. It supports project planning, task scheduling, and timeline visualization. Prior to version 0.7.6, DHTMLX Gantt had an operating system command injection vulnerability. This vulnerability stemmed from a lack of da...

10CVSS5.9AI score0.00648EPSS

Exploits0References1

Positive Technologies•added 2026/05/15 12:0 a.m.•13 views

PT-2026-41296

AstraLinux•added 2026/05/03 11:59 p.m.•6 views

Astra Linux – Vulnerabilities in Linux, Linux-5.10, Linux-5.15, Linux-6.1

In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: Fixed a kernel panic that occurs when the host sends an invalid H2C PDU length. If the host sends an H2CData command with an invalid DATAL value, the kernel may crash in the nvmettcpbuildpduiovec function. The...

5.5CVSS5.7AI score0.00228EPSS

CNNVD•added 2026/05/01 12:0 a.m.•8 views

Mix PHP SQL注入漏洞

Mix PHP is Mix PHP open source a PHP command-line mode development framework , support for multi-server ecological seamless switching . A SQL injection vulnerability exists in Mix PHP versions 2.x through 2.2.17 and earlier, which stems from improper manipulation of the data array parameter of th...

6.5CVSS5.8AI score0.00201EPSS

Exploits0References1

Cvelist•added 2026/04/04 8:25 a.m.•19 views

CVE-2026-5425 Widgets for Social Photo Feed <= 1.7.9 - Unauthenticated Stored Cross-Site Scripting via feed_data

The Widgets for Social Photo Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'feeddata' parameter keys in all versions up to, and including, 1.7.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...

7.2CVSS0.00233EPSS

CVE•added 2026/04/04 8:25 a.m.•17 views

CVE-2026-5425

The CVE-2026-5425 entry concerns the WordPress Widgets for Social Photo Feed plugin. A stored XSS vulnerability exists in all versions up to 1.7.9, caused by insufficient input sanitization and output escaping in the feed_data parameter keys. Impact: unauthenticated attackers can inject arbitrary...

7.2CVSS6.1AI score0.00233EPSS

CNNVD•added 2026/04/04 12:0 a.m.•9 views

WordPress plugin Widgets for Social Photo Feed 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...

7.2CVSS5.6AI score0.00233EPSS

Positive Technologies•added 2026/03/26 12:0 a.m.•20 views

PT-2026-28213

The Responsive Plus WordPress plugin before 3.4.3 is vulnerable to arbitrary shortcode execution due to the software allowing unauthenticated users to execute the update responsive woo free shipping left shortcode AJAX action that does not properly validate the content rech data parameter before...

6.2AI score0.00323EPSS