CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

RedhatCVE•added 3 days ago•4 views

CVE-2026-40565

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, FreeScout's linkify function in app/Misc/Helper.php converts plain-text URLs in email bodies into HTML anchor tags without escaping double-quote characters " in the URL. HTMLPurifier called first via...

6.1CVSS5.6AI score0.00035EPSS

Vulnrichment•added 4 days ago•5 views

CVE-2026-11166

Inappropriate implementation in SVG in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to inject arbitrary scripts or HTML UXSS via a crafted HTML page. Chromium security severity: Medium...

5.6AI score0.00029EPSS

Vulnrichment•added 5 days ago•6 views

CVE-2026-10729 HTML injection in the notification email for "Slow Redirect" and "Cloned Website" Canarytokens

An HTML injection vulnerability in the notification email for "Slow Redirect" and "Cloned Website" Canarytokens exists in Thinkst Applied Research Canarytokens, enabling Interface Manipulation, Cross-Site Scripting XSS in emails clients that render HTML emails. This issue affects Canarytokens: fr...

2.1CVSS5.8AI score0.00047EPSS

EUVD•added 5 days ago•7 views

EUVD-2026-34085

2.1CVSS5.8AI score0.00047EPSS

OSV•added 2026/05/26 9:16 p.m.•3 views

UBUNTU-CVE-2026-44898

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, rendertocul builds a table-of-contents tree from a list of level, id, text tuples. Both the id value used as href="" and the text value used as the visible link label are inserted into tags via a plain Python format...

6.1CVSS5.9AI score0.00031EPSS

Exploits1References4

UbuntuCve•added 2026/05/22 11:16 p.m.•7 views

CVE-2026-41149

Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Versions 10.9.5 and earlier, as well as 11.0.0-alpha.1 through 11.14.0, are vulnerable to HTML injection under the default configuration. Specifically, the classDef directive in Mermaid state...

5.3CVSS5.6AI score0.00059EPSS

Exploits0References4

EUVD•added 2026/05/22 10:34 p.m.•6 views

EUVD-2026-31520

5.3CVSS5.6AI score0.00059EPSS

ATTACKERKB•added 2026/05/22 10:34 p.m.•9 views

CVE-2026-41149

5.3CVSS5.8AI score0.00059EPSS

Exploits0References4Affected Software1

EUVD•added 2026/05/22 7:32 p.m.•6 views

EUVD-2026-31494

Mantis Bug Tracker MantisBT is an open source issue tracker. In versions 2.28.1 and below, improper escaping of the redirection page retrieved from the request's Referer header allows an attacker to inject HTML. While this is generally not directly actionable as modern browsers will URL-encode...

6.9CVSS5.3AI score0.00059EPSS

CNNVD•added 2026/05/22 12:0 a.m.•4 views

Mermaid 安全漏洞

Mermaid is an open-source application developed by mermaid-js. It uses text and code to create charts and visualizations. Mermaid versions 10.9.5 and earlier, as well as 11.0.0-alpha.1 through 11.14.0, have security vulnerabilities. These vulnerabilities stem from HTML injection under default...

5.3CVSS5.9AI score0.00059EPSS

Github Security Blog•added 2026/05/21 8:43 p.m.•11 views

Umbraco.Cms: XSS/HTML Injection in Umbraco Backoffice confirmation dialog

Impact Authenticated users are able to inject HTML vulnerability into an input field, which is rendered in the confirmation dialog without proper output encoding. Patches This issue has been patched in 17.4.0...

5.7AI score

Exploits0References2Affected Software1

Vulnrichment•added 2026/05/20 6:51 p.m.•6 views

CVE-2026-26028 CryptPad: Sanitizer Bypass in Diffmarked.js Allows Arbitrary HTML Injection and Potential XSS

CryptPad is an end-to-end encrypted collaborative office suite. In versions prior to 2026.2.0, the HTML sanitizer in Diffmarked.js can be bypassed due to incomplete attribute filtering on restricted tags. The sanitizer validates only the src attribute of , , and elements, leaving all other...

6.1CVSS5.9AI score0.00031EPSS

NVD•added 2026/05/19 10:16 p.m.•12 views

CVE-2026-5090

Template::Plugin::HTML versions through 3.102 for Perl allows HTML and JavaScript to be injected. The htmlfilter function did not escape single quotes. HTML attributes inside of single quotes could be have code injected. For example, the variable "var" in would not be properly escaped. An attacke...

6.1CVSS0.0001EPSS

NVD•added 2026/05/19 2:16 p.m.•7 views

CVE-2025-40903

A Stored HTML Injection vulnerability was discovered in the Schedule Restore Archive functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can define a malicious restore schedule containing HTML tags. When a victim views the affected...

5.9CVSS0.00029EPSS

NVD•added 2026/05/19 2:16 p.m.•7 views

CVE-2025-40902

A Stored HTML Injection vulnerability was discovered in the Users functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can create a malicious user whose username contains HTML tags. When a victim attempts to delete a group containing...

5.9CVSS0.00029EPSS

ATTACKERKB•added 2026/05/19 1:23 p.m.•3 views

CVE-2025-40904

A Stored HTML Injection vulnerability was discovered in the Smart Polling functionality due to improper validation of an input parameter. An authenticated user with limited privileges can push malicious remote strategies containing HTML tags through the sync. When a victim views the affected remo...

6.5CVSS5.8AI score0.0003EPSS

Positive Technologies•added 2026/05/19 12:0 a.m.•7 views

PT-2026-41891

6.5CVSS5.8AI score0.0003EPSS

Positive Technologies•added 2026/05/19 12:0 a.m.•6 views

PT-2026-41888

A Stored HTML Injection vulnerability was discovered in the Credentials Manager functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can define a malicious identity containing HTML tags. When a victim attempts to delete the affected...

5.9CVSS5.8AI score0.00029EPSS