CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

CNNVD•added 2026/06/05 12:0 a.m.•5 views

HAXCMS 跨站脚本漏洞

HAXCMS is an open-source content management system developed by HAX The Web. Versions of HAXCMS prior to 26.0.0 had a cross-site scripting vulnerability. This vulnerability stemmed from improper cleaning of iframe elements, which could allow attackers to execute arbitrary JavaScript in the victim...

9.3CVSS5.5AI score0.0023EPSS

Exploits0References2

NVD•added 2026/05/29 2:16 p.m.•17 views

CVE-2026-44698

Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.4.1 for iOS and 2026.4.4 for Android, he Home Assistant Companion apps for Android and iOS expose a JavaScript bridge to the in-app WebView window.externalApp on Android and...

8.3CVSS0.00114EPSS

Cvelist•added 2026/05/29 1:32 p.m.•34 views

CVE-2026-44698 Home Assistant: Cross-origin iframe access token exfiltration via WebView JS bridge callback injection

8.3CVSS0.00114EPSS

Vulnrichment•added 2026/05/29 1:32 p.m.•16 views

CVE-2026-44698 Home Assistant: Cross-origin iframe access token exfiltration via WebView JS bridge callback injection

EUVD•added 2026/05/29 1:32 p.m.•10 views

EUVD-2026-33317

ATTACKERKB•added 2026/05/29 1:32 p.m.•6 views

CVE-2026-44698

Exploits0References2Affected Software3

CVE•added 2026/05/29 1:32 p.m.•37 views

CVE-2026-44698

CVE-2026-44698 affects the Home Assistant Companion apps for Android and iOS, where a JavaScript bridge exposed to in-app WebView could be reached by all frames. The root cause is the bridge exposure along with unsanitized interpolation of the JavaScript callback identifier, allowing a cross-orig...

Snyk•added 2026/05/27 9:41 a.m.•10 views

Cross-site Scripting (XSS)

Overview symfony/symfony is a PHP framework for web applications and a set of reusable PHP components. Affected versions of this package are vulnerable to Cross-site Scripting XSS via HtmlSanitizer due to improper sanitization of URL attributes on object, applet, iframe, img and meta refresh. By...

6.1CVSS5.6AI score0.00051EPSS

Exploits0References2

NVD•added 2026/05/27 7:16 a.m.•13 views

CVE-2026-8877

The Responsive Video Embedder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'remvideo' shortcode in versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes notably 'id' and 'list' in the...

6.4CVSS0.00235EPSS

NVD•added 2026/05/27 7:16 a.m.•9 views

CVE-2026-8891

The BitForm plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bitform' shortcode in versions up to, and including, 1.1.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes 'width' and 'height' in the...

6.4CVSS0.00193EPSS

NVD•added 2026/05/27 7:16 a.m.•15 views

CVE-2026-8837

The WP Iframe Geo Style for Amazon affiliates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'adid' Shortcode Attribute in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

6.4CVSS0.00187EPSS

NVD•added 2026/05/27 7:16 a.m.•16 views

CVE-2026-8844

The Responsive Check plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rspcheck' shortcode in versions up to, and including, 0.0.3. This is due to insufficient input sanitization and output escaping on the 'url' and 'button' shortcode attributes in the rspccheckshortcode...

6.4CVSS0.00204EPSS

NVD•added 2026/05/27 7:16 a.m.•7 views

CVE-2026-8698

The Cryptocurrency Prijsvergelijking Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0. This is due to insufficient output escaping in the asgetcoinshortcode function, which renders the 'width' and 'height' shortcode attribute directly into the style attribut...

6.4CVSS0.00187EPSS

Cvelist•added 2026/05/27 5:31 a.m.•29 views

CVE-2026-8844 Responsive Check <= 0.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

6.4CVSS0.00204EPSS

ATTACKERKB•added 2026/05/27 5:31 a.m.•9 views

CVE-2026-8847

The Dideo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dideo' shortcode in version 1.0. This is due to insufficient input sanitization and output escaping on the 'id' shortcode attribute, which is interpolated directly into an HTML iframe 'src' attribute...

6AI score0.00198EPSS

ATTACKERKB•added 2026/05/27 5:31 a.m.•8 views

CVE-2026-8844

6AI score0.00204EPSS

Exploits0References5

CVE•added 2026/05/27 5:31 a.m.•19 views

CVE-2026-8847

The CVE-2026-8847 entry concerns the WordPress Dideo plugin (version 1.0) with a Stored XSS flaw in the dideo shortcode. The root cause is insufficient input sanitization and output escaping on the id attribute, which is inserted into an iframe src without escaping in the dideo() handler. Attacke...

6.4CVSS6AI score0.00198EPSS

EUVD•added 2026/05/27 5:31 a.m.•9 views

EUVD-2026-32089

6.4CVSS6AI score0.00198EPSS

EUVD•added 2026/05/27 5:31 a.m.•7 views

EUVD-2026-32081

The Islamic Database plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'islamicDB-roqya' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user-supplied 'width' and 'height' shortcode attributes within th...

6.4CVSS6AI score0.00187EPSS