PT-2026-27314
Name of the Vulnerable Software and Affected Versions: No-Chicken Echo-Mate versions prior to V250329. Description: An improper handling of values issue exists in No-Chicken Echo-Mate within the netfilter module files nf_tables.h, nft_byteorder.c, and nft_meta.c. Recommendations: Update to version...
WordPress Easy Image Gallery plugin <= 1.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gallery SHORTCODE Post Meta vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Gallery SHORTCODE Post Meta vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Easy Image Gallery versions <= 1.5.3...
WordPress ElementCamp plugin <= 2.3.6 - Authenticated (Author+) SQL Injection via 'meta_query[compare]' Parameter vulnerability
Authenticated (Author+) SQL Injection via 'meta_query[compare]' Parameter vulnerability discovered by Itthidej Aramsri Boeing777 in WordPress Plugin ElementCamp versions <= 2.3.6...
EUVD-2026-14159
The Expire Users plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.2. This is due to the plugin allowing a user to update the 'onexpiredefaulttorole' meta through the 'saveextrauserprofilefields' function. This makes it possible for authenticated...
CVE-2026-4261
The Expire Users plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.2. This is due to the plugin allowing a user to update the 'onexpiredefaulttorole' meta through the 'saveextrauserprofilefields' function. This makes it possible for authenticated...
CVE-2026-2503 ElementCamp <= 2.3.6 - Authenticated (Author+) SQL Injection via 'meta_query[compare]' Parameter
The ElementCamp plugin for WordPress is vulnerable to time-based SQL Injection via the 'meta_query[compare]' parameter in the 'tcg_select2_search_post' AJAX action in all versions up to, and including, 2.3.6. This is due to the user-supplied compare value being placed as an SQL operator in the query...
CVE-2026-2503
The ElementCamp plugin for WordPress is vulnerable to time-based SQL Injection via the 'meta_query[compare]' parameter in the 'tcg_select2_search_post' AJAX action in all versions up to, and including, 2.3.6. This is due to the user-supplied compare value being placed as an SQL operator in the query...
CVE-2026-2503
CVE-2026-2503 describes a time-based SQL Injection in the ElementCamp WordPress plugin through the meta_query[compare] parameter used by the tcg_select2_search_post AJAX action, affecting all versions up to 2.3.6. The vulnerability arises because the user-supplied compare value is used as an SQL ...
EUVD-2026-13838
The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ao_post_preload' meta value in all versions up to, and including, 3.1.14. This is due to insufficient input sanitization in the aometaboxsave function and missing output escaping when the value is rendered in...
CVE-2026-2352
The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ao_post_preload' meta value in all versions up to, and including, 3.1.14. This is due to insufficient input sanitization in the aometaboxsave function and missing output escaping when the value is rendered in...
PT-2026-26841
The ElementCamp plugin for WordPress is vulnerable to time-based SQL Injection via the 'meta_query[compare]' parameter in the 'tcg_select2_search_post' AJAX action in all versions up to, and including, 2.3.6. This is due to the user-supplied compare value being placed as an SQL operator in the quer...
CVE-2026-2352 Autoptimize <= 3.1.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'ao_post_preload' Meta Value
The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ao_post_preload' meta value in all versions up to, and including, 3.1.14. This is due to insufficient input sanitization in the aometaboxsave function and missing output escaping when the value is rendered in...
The Danger Behind Meta Killing End-to-End Encryption for Instagram DMs
Meta blamed users for not opting into the privacy-protecting feature. Experts fear the move could be the first major domino to fall for end-to-end encryption tech worldwide...
Signal’s Creator Is Helping Encrypt Meta AI
Moxie Marlinspike says the technology powering his encrypted AI chatbot, Confer, will be integrated into Meta AI. The move could help protect the AI conversations of millions of people...
CVE-2026-4006
The Simple Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'displayname' post meta Custom Field in all versions up to and including 2.6.2. This is due to insufficient input sanitization and output escaping on the author display name when no author URL is...
Medium: golang
Issue Overview: url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. CVE-2026-25679 On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which t...
Medium: golist
Issue Overview: url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. CVE-2026-25679 On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which t...
Amazon Linux 2 : golist, --advisory ALAS2-2026-3202 (ALAS-2026-3202)
The version of golist installed on the remote host is prior to 0.10.1-10. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3202 advisory. url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. CVE-2026-25679 On Unix...
CVE-2026-2512
The Code Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field meta values in all versions up to, and including, 2.5.1. This is due to the plugin's sanitization function seccheckpostfields only running on the savepost hook, while WordPress allows custom fields t...