Lucene search
K

28020 matches found

Cvelist
Cvelist
added 2026/06/12 1:28 a.m.28 views

CVE-2026-9125 The Ultimate Video Player For WordPress <= 4.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'link_url' Shortcode Attribute

The Presto Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'linkurl' parameter of the prestoplayeroverlay shortcode in versions up to, and including, 4.2.0 This is due to insufficient input sanitization and output escaping in the getOverlays function, which copies...

6.4CVSS0.00239EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.24 views

PT-2026-48818

The Presto Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link url' parameter of the presto player overlay shortcode in versions up to, and including, 4.2.0 This is due to insufficient input sanitization and output escaping in the getOverlays function, which...

6.4CVSS5.7AI score0.00239EPSS
Exploits0References11
Patchstack
Patchstack
added 2026/06/11 12:49 p.m.7 views

WordPress Presto Player plugin <= 4.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin Presto Player versions = 4.2.0...

6.4CVSS5.4AI score0.00239EPSS
Exploits0References1Affected Software1
Patchstack
Patchstack
added 2026/06/09 12:22 p.m.10 views

WordPress FV Flowplayer Video Player plugin <= 7.5.49.7212 - Unauthenticated Stored Cross-Site Scripting vulnerability

Unauthenticated Stored Cross-Site Scripting vulnerability discovered by ? in WordPress Plugin FV Flowplayer Video Player versions = 7.5.49.7212...

7.2CVSS5.4AI score0.00241EPSS
Exploits0References1Affected Software1
RedhatCVE
RedhatCVE
added 2026/06/05 7:33 p.m.11 views

CVE-2026-45442

Missing Authorization vulnerability in Brainstorm Force Presto Player allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Presto Player: from n/a through 4.1.3...

4.3CVSS5.4AI score0.00238EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:21 p.m.10 views

CVE-2026-47114

IINA before 1.4.3 contains a user-assisted command execution vulnerability that allows remote attackers to execute arbitrary commands by supplying malicious mpv-prefixed query parameters through the iina://open custom URL scheme handler. Attackers can deliver a crafted URL via a browser that pass...

8.8CVSS6.2AI score0.00702EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:19 p.m.9 views

CVE-2026-49128

Music Player Daemon MPD before version 0.24.11 contains a path traversal vulnerability in LocalStorage::MapFSOrThrow and LocalStorage::MapUTF8 within the local storage plugin, where the on-disk path is constructed by joining the storage root with a user-supplied URI as plain strings without...

8.7CVSS5.6AI score0.00501EPSS
Exploits0References1
NVD
NVD
added 2026/06/05 7:16 p.m.13 views

CVE-2026-46496

HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting XSS vulnerability exists in versions prior to 26.0.0 due to improper sanitization of the component. The component allows javascript: URIs in the source attribute, which are executed when the page is...

9.3CVSS0.0023EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/05 6:46 p.m.12 views

EUVD-2026-34892

HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting XSS vulnerability exists in versions prior to 26.0.0 due to improper sanitization of the component. The component allows javascript: URIs in the source attribute, which are executed when the page is...

9.3CVSS5.5AI score0.0023EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/05 6:46 p.m.7 views

CVE-2026-46496 HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft

HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting XSS vulnerability exists in versions prior to 26.0.0 due to improper sanitization of the component. The component allows javascript: URIs in the source attribute, which are executed when the page is...

9.3CVSS5.5AI score0.0023EPSS
Exploits0References1
CVE
CVE
added 2026/06/05 6:46 p.m.21 views

CVE-2026-46496

HAX CMS is affected by a stored XSS in the component. Versions prior to 26.0.0 fail to sanitize input in the source/source-data attributes, allowing javascript: URIs that execute attacker-controlled JavaScript in victims’ browsers. This can lead to token exposure (e.g., JWTs) and other sensitive...

9.3CVSS5.5AI score0.0023EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/05 6:46 p.m.40 views

CVE-2026-46496 HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft

HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting XSS vulnerability exists in versions prior to 26.0.0 due to improper sanitization of the component. The component allows javascript: URIs in the source attribute, which are executed when the page is...

9.3CVSS0.0023EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/05 1:24 p.m.42 views

CVE-2026-50231 Lyrion Music Server 9.2.0 Unauthenticated Stored XSS via server.log

Lyrion Music Server 9.2.0 contains an unauthenticated stored cross-site scripting vulnerability in the log viewer that allows attackers to inject malicious scripts by exploiting unescaped template variables. Attackers can inject XSS payloads through search, lines, and path query parameters or by...

7.2CVSS0.00183EPSS
Exploits2References2
CNNVD
CNNVD
added 2026/06/05 12:0 a.m.8 views

HAXCMS 安全漏洞

HAXCMS is an open-source content management system developed by HAX The Web. Versions of HAXCMS prior to 26.0.0 contained security vulnerabilities. These vulnerabilities stemmed from improper cleaning of the video-player component, which could allow attackers to execute arbitrary JavaScript in th...

9.3CVSS5.8AI score0.0023EPSS
Exploits0References2
Patchstack
Patchstack
added 2026/06/04 12:54 p.m.9 views

WordPress FV Flowplayer Video Player plugin < 7.5.51.7212 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Jakub Herman in WordPress Plugin FV Flowplayer Video Player versions 7.5.51.7212...

6.5CVSS5.5AI score0.00166EPSS
Exploits0Affected Software1
SUSE CVE
SUSE CVE
added 2026/05/30 1:59 a.m.12 views

SUSE CVE-2026-49127

Music Player Daemon MPD before version 0.24.11 contains a stack buffer overflow vulnerability in the pcmunpack24be function in src/pcm/Pack.cxx that allows unauthenticated attackers to corrupt stack memory by triggering an off-by-one write in the PCM decoder plugin. Attackers can issue two MPD...

8.8CVSS6.1AI score0.0051EPSS
Exploits0References3
SUSE CVE
SUSE CVE
added 2026/05/30 1:59 a.m.14 views

SUSE CVE-2026-49128

Music Player Daemon MPD before version 0.24.11 contains a path traversal vulnerability in LocalStorage::MapFSOrThrow and LocalStorage::MapUTF8 within the local storage plugin, where the on-disk path is constructed by joining the storage root with a user-supplied URI as plain strings without...

8.7CVSS5.9AI score0.00501EPSS
Exploits0References3
SUSE CVE
SUSE CVE
added 2026/05/30 1:59 a.m.11 views

SUSE CVE-2026-49129

Music Player Daemon MPD before version 0.24.11 contains a server-side request forgery vulnerability in CurlInputPlugin where CURLOPTFOLLOWLOCATION is set without CURLOPTREDIRPROTOCOLSSTR, allowing unauthenticated attackers to bypass the http/https scheme restriction by causing a malicious HTTP...

6.9CVSS5.8AI score0.00281EPSS
Exploits0References3
SUSE CVE
SUSE CVE
added 2026/05/30 1:59 a.m.10 views

SUSE CVE-2026-49130

Music Player Daemon MPD before version 0.24.11 contains a CRLF injection vulnerability in the xspfchardata function within the XSPF playlist plugin that allows attackers to embed literal CR/LF bytes in URI fields by supplying a malicious XSPF playlist with XML numeric character references...

6.9CVSS5.8AI score0.0026EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/05/29 8:13 p.m.9 views

CVE-2026-49130

Music Player Daemon MPD before version 0.24.11 contains a CRLF injection vulnerability in the xspfchardata function within the XSPF playlist plugin that allows attackers to embed literal CR/LF bytes in URI fields by supplying a malicious XSPF playlist with XML numeric character references...

6.9CVSS5.8AI score0.0026EPSS
Exploits0References1
Rows per page
Query Builder