Lucene search

15775 matches found

CNNVD
Added 2026/04/07 12:00 a.m.

Papra security vulnerability

Papra is an open-source document management and archiving platform developed by Papra. Versions of Papra prior to 26.4.0 contained a security vulnerability. The vulnerability stemmed from transactional email templates that inserted user.name directly into HTML without escaping or...

CVSS 5.4, AI score 5.8, EPSS 0.00192
Exploits: 1, References: 1
Vulnrichment
Added 2026/04/06 8:06 p.m.

CVE-2026-35208 lichess.org has an Unsanitized Stream Title Injection on /streamer

lichess.org is the forever free, adless and open source chess server. Any approved streamer can inject arbitrary HTML into /streamer and the homepage “Live streams” widget by placing markup in their Twitch/YouTube stream title. CSP is present and blocks inline script execution, but the issue is...

CVSS 5.3, AI score 6, EPSS 0.00299
Exploits: 1, References: 3
Cvelist
Added 2026/04/06 8:06 p.m.

CVE-2026-35208 lichess.org has an Unsanitized Stream Title Injection on /streamer

lichess.org is the forever free, adless and open source chess server. Any approved streamer can inject arbitrary HTML into /streamer and the homepage “Live streams” widget by placing markup in their Twitch/YouTube stream title. CSP is present and blocks inline script execution, but the issue is...

CVSS 5.3, EPSS 0.00299
Exploits: 1, References: 3
ATTACKERKB
Added 2026/04/06 8:06 p.m.

CVE-2026-35208

lichess.org is the forever free, adless and open source chess server. Any approved streamer can inject arbitrary HTML into /streamer and the homepage “Live streams” widget by placing markup in their Twitch/YouTube stream title. CSP is present and blocks inline script execution, but the issue is...

CVSS 5.3, AI score 6, EPSS 0.00299
Exploits: 1, References: 4
CVE
Added 2026/04/06 8:06 p.m.

CVE-2026-35208

CVE-2026-35208 affects lichess.org: an Unsanitized Stream Title Injection occurs in the streamer workflow where approved streamers can inject HTML into the /streamer page and the Live streams widget by providing a title, which is rendered in the UI as-is. CSP blocks inline scripts, but the vulner...

CVSS 5.4, AI score 6, EPSS 0.00299
Exploits: 1, References: 3, Affected software: 1
NVD
Added 2026/04/06 4:16 p.m.

CVE-2026-33405

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, the formatInfo function in queries.js renders data.upstream, data.client.ip, and data.ede.text into HTML without escaping when a user expands a...

CVSS 4.8, EPSS 0.00171
Exploits: 0, References: 1
CVE
Added 2026/04/06 3:23 p.m.

CVE-2026-33405

Pi-hole Admin Interface (Pi-hole) versions 6.0–6.5 are affected by a stored HTML injection in the formatInfo() function of queries.js, which renders data.upstream, data.client.ip, and data.ede.text without escaping when expanding a Query Log row. The vulnerability could allow HTML injection despi...

CVSS 4.8, AI score 6, EPSS 0.00171
Exploits: 0, References: 1, Affected software: 1
Cvelist
Added 2026/04/06 3:23 p.m.

CVE-2026-33405 Pi-hole has a Stored HTML Injection in queries.js

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, the formatInfo function in queries.js renders data.upstream, data.client.ip, and data.ede.text into HTML without escaping when a user expands a...

CVSS 3.1, EPSS 0.00171
Exploits: 0, References: 1
Vulnrichment
Added 2026/04/06 3:23 p.m.

CVE-2026-33405 Pi-hole has a Stored HTML Injection in queries.js

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, the formatInfo function in queries.js renders data.upstream, data.client.ip, and data.ede.text into HTML without escaping when a user expands a...

CVSS 3.1, AI score 6, EPSS 0.00171
Exploits: 0, References: 1
EUVD
Added 2026/04/06 3:23 p.m.

EUVD-2026-19283

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, the formatInfo function in queries.js renders data.upstream, data.client.ip, and data.ede.text into HTML without escaping when a user expands a...

CVSS 3.1, AI score 6, EPSS 0.00171
Exploits: 0, References: 1
CVE
Added 2026/04/06 2:48 p.m.

CVE-2026-33404

Pi-hole Admin Interface (Pi-hole) up to version 6.5 is affected by a stored XSS in the Network page and Dashboard tooltips due to unescaped DOM rendering of client hostnames and IPs from the FTL database in network.js and charts.js/index.js. The issue occurs for 6.0 through before 6.5, when user-...

CVSS 6.1, AI score 5.9, EPSS 0.00145
Exploits: 0, References: 1, Affected software: 1
Vulnrichment
Added 2026/04/06 2:48 p.m.

CVE-2026-33403 Pi-hole has a Reflected XSS / HTML injection in taillog.js

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, a reflected DOM-based XSS vulnerability in taillog.js allows an unauthenticated attacker to inject arbitrary HTML into the Pi-hole admin interface...

CVSS 6.1, AI score 6, EPSS 0.00187
Exploits: 0, References: 1
CVE
Added 2026/04/06 2:48 p.m.

CVE-2026-33403

CVE-2026-33403 concerns Pi-hole Admin Interface. A reflected DOM-based XSS in taillog.js from 6.0 up to before 6.5 allows an unauthenticated attacker to inject arbitrary HTML via a crafted URL, since the query parameter is interpolated into innerHTML without escaping. The vulnerability is aggrava...

CVSS 6.1, AI score 6, EPSS 0.00187
Exploits: 0, References: 1, Affected software: 1
Positive Technologies
Added 2026/04/06 12:00 a.m.

PT-2026-30654

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, the formatInfo function in queries.js renders data.upstream, data.client.ip, and data.ede.text into HTML without escaping when a user expands a...

CVSS 3.1, AI score 6, EPSS 0.00171
Exploits: 0, References: 2
Positive Technologies
Added 2026/04/06 12:00 a.m.

PT-2026-30628

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, configuration values from the /api/config endpoint are placed directly into HTML value="" attributes without escaping in settings-advanced.js,...

CVSS 5.4, AI score 6, EPSS 0.00254
Exploits: 1, References: 2
CNNVD
Added 2026/04/06 12:00 a.m.

Pi-hole Web Interface cross-site scripting vulnerability

The Pi-hole Web Interface is an open-source dashboard web interface developed by Pi-hole. Versions of the Pi-hole Web Interface from 6.0 to 6.5 had a cross-site scripting vulnerability. This vulnerability stemmed from the formatInfo function in queries.js, which failed to escape special character...

CVSS 4.8, AI score 5.7, EPSS 0.00171
Exploits: 0, References: 1
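The Pi-hole entries above (CVE-2026-33403, CVE-2026-33404, CVE-2026-33405, PT-2026-30628) all describe one pattern: values from an API response, the FTL database or a URL parameter are concatenated into an HTML string that is then assigned to innerHTML, in text position or inside a value="" attribute, with no escaping. The block below is an added example, not Pi-hole's code or the code of any project on this page. It shows that pattern in a vulnerable form beside a hardened one and a small regression check. The field names upstream, client.ip and ede.text follow the advisory text; the sample record, the two payloads, the function names and the heuristic check are assumptions made for the demonstration.

```javascript
// Added example, not code from Pi-hole or any project listed on this page.
// Reproduces the pattern the Pi-hole entries describe: API data and config
// values concatenated into HTML (text nodes and value="" attributes) that a
// caller would assign to innerHTML, with and without escaping. Field names
// follow the advisory text; record, payloads and check are constructed here.

// Constructed sample record in the shape the advisories mention. In the
// real product the client hostname and EDE text are attacker-influenced.
const SAMPLE = {
  upstream: "1.1.1.1#53",
  client: { ip: "192.168.1.42", name: "<img src=x onerror=alert(1)>" },
  ede: { text: "Blocked by policy" },
};

// Payloads for the two contexts: an HTML text node and a double-quoted attribute.
const TAG_PAYLOAD = "<img src=x onerror=alert(1)>";
const ATTR_PAYLOAD = 'x" onmouseover="alert(2)';

// --- Vulnerable renderers -------------------------------------------------

// Text context: values concatenated straight into markup. Any tag in the
// data becomes live DOM once the string reaches element.innerHTML.
function renderInfoUnsafe(data) {
  return (
    "<tr><td>Upstream</td><td>" + data.upstream + "</td></tr>" +
    "<tr><td>Client</td><td>" + data.client.name + " (" + data.client.ip + ")</td></tr>" +
    "<tr><td>EDE</td><td>" + data.ede.text + "</td></tr>"
  );
}

// Attribute context: a config value dropped inside value="". A quote in the
// value closes the attribute and the remainder can add new ones (on*=).
function renderInputUnsafe(value) {
  return '<input type="text" value="' + value + '">';
}

// --- Hardened renderers ---------------------------------------------------

// Escape the five characters significant in HTML text and in quoted
// attribute values. Escape at the point of interpolation, not on storage.
const ESC = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESC[c]);
}

function renderInfoSafe(data) {
  return (
    "<tr><td>Upstream</td><td>" + escapeHtml(data.upstream) + "</td></tr>" +
    "<tr><td>Client</td><td>" + escapeHtml(data.client.name) + " (" + escapeHtml(data.client.ip) + ")</td></tr>" +
    "<tr><td>EDE</td><td>" + escapeHtml(data.ede.text) + "</td></tr>"
  );
}

function renderInputSafe(value) {
  return '<input type="text" value="' + escapeHtml(value) + '">';
}

// --- Regression check -----------------------------------------------------

// Heuristic that needs no DOM parser: render a harmless value, then the
// payload, and compare the number of opening tags and of quote-delimited
// on*= handler attributes. A correct renderer never adds either.
const TAG_RE = /<[a-z]/gi;
const HANDLER_RE = /"\s+on\w+\s*=/gi;
function injectsMarkup(render, payload) {
  const count = (s, re) => (s.match(re) || []).length;
  const base = render("harmless");
  const out = render(payload);
  return count(out, TAG_RE) > count(base, TAG_RE) ||
         count(out, HANDLER_RE) > count(base, HANDLER_RE);
}

// Adapter so the table renderers can be checked through one field.
const withClientName = (render) => (name) =>
  render({ ...SAMPLE, client: { ...SAMPLE.client, name } });

// Summary of the four cases: true means the payload added markup.
function demo() {
  return {
    infoUnsafe: injectsMarkup(withClientName(renderInfoUnsafe), TAG_PAYLOAD),
    infoSafe: injectsMarkup(withClientName(renderInfoSafe), TAG_PAYLOAD),
    inputUnsafe: injectsMarkup(renderInputUnsafe, ATTR_PAYLOAD),
    inputSafe: injectsMarkup(renderInputSafe, ATTR_PAYLOAD),
  };
}
```

In browser code the cleaner fix is to stop building markup from strings altogether: create the elements and set text with textContent and attributes with setAttribute, or use a templating layer that escapes by default. The check above is a heuristic for catching regressions in string-building renderers, not a substitute for a parser; a reviewer should still read each interpolation point and confirm its context (text, attribute, URL, script) matches the escaping applied.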
Positive Technologies
Added 2026/04/06 12:00 a.m.

PT-2026-30726

lichess.org is the forever free, adless and open source chess server. Any approved streamer can inject arbitrary HTML into /streamer and the homepage “Live streams” widget by placing markup in their Twitch/YouTube stream title. CSP is present and blocks inline script execution, but the issue is...

CVSS 5.3, AI score 6, EPSS 0.00299
Exploits: 1, References: 4
EUVD
Added 2026/04/03 3:47 p.m.

EUVD-2026-18797

Budibase is an open-source low-code platform. Prior to version 3.32.5, Budibase's Builder Command Palette renders entity names (tables, views, queries, automations) using Svelte's @html directive without any sanitization. An authenticated user with Builder access can create a table, automation, vie...

CVSS 8.7, AI score 5.8, EPSS 0.0033
Exploits: 1, References: 4
RedhatCVE
Added 2026/04/03 10:58 a.m.

CVE-2026-29136

SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to inject HTML into notification emails about new CA certificates...

CVSS 6.1, AI score 5.9, EPSS 0.001
Exploits: 0, References: 1
EUVD
Added 2026/04/02 9:32 p.m.

EUVD-2026-18552

XSS vulnerability in cveInterface.js allows injected HTML to be passed through to the display, as cveInterface trusts input from CVE API services...

AI score 5.8, EPSS 0.00204
Exploits: 0, References: 3