CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

ATTACKERKB•added 2026/05/17 12:11 p.m.•3 views

CVE-2018-25331

Zenar Content Management System contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating form parameters in POST requests. Attackers can inject script tags through the currentpage parameter sent to the ajax.php endpoint, which...

6.1CVSS5.9AI score0.00095EPSS

Exploits0References4Affected Software1

OSSF Malicious Packages•added 2026/05/16 4:58 p.m.•9 views

Malicious code in netping (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 ecc862a2bc12e6779034a99abd68c5d4ffb047f1fc2ae94407dd9e4ad54df5cf The package silently downloads and installs an autostart script that then monitors clipboards and replaces copied cryptowallet adresses. --- Category: MALICIOU...

5.8AI score

Vulnrichment•added 2026/05/16 3:26 p.m.•7 views

CVE-2021-47955 CouchCMS 2.2.1 Cross-Site Scripting via SVG File Upload

CouchCMS 2.2.1 contains a cross-site scripting vulnerability that allows authenticated attackers to execute arbitrary JavaScript by uploading malicious SVG files through the file upload functionality. Attackers can upload SVG files containing embedded script tags to the browse.php endpoint, which...

5.4CVSS5.9AI score0.00029EPSS

NVD•added 2026/05/15 10:16 p.m.•9 views

CVE-2026-45315

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the audio transcription upload endpoint takes the file extension from the user-supplied filename and saves the file under CACHEDIR/audio/transcriptions/.. The /cache/path route serve...

8.7CVSS0.00006EPSS

NVD•added 2026/05/15 10:16 p.m.•8 views

CVE-2026-45314

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the channel webhook create/update flow accepts arbitrary profileimageurl values, including data:image/svg+xml;base64,... payloads. The profile image endpoint then decodes and serves...

7.4CVSS0.0001EPSS

EUVD•added 2026/05/15 9:31 p.m.•5 views

EUVD-2026-30662

7.4CVSS6AI score0.0001EPSS

ATTACKERKB•added 2026/05/15 9:31 p.m.•5 views

CVE-2026-45314

7.4CVSS6AI score0.0001EPSS

Exploits1References2Affected Software1

Vulnrichment•added 2026/05/15 9:26 p.m.•7 views

CVE-2026-45315 Open WebUI: Stored XSS via attacker-controlled file extension in /api/v1/audio/transcriptions

8.7CVSS5.8AI score0.00006EPSS

ATTACKERKB•added 2026/05/15 9:21 p.m.•5 views

CVE-2026-45303

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.5, through the HTML rendering view, scripts can be injected and executed. The frontend provides a function to visualize the HTML content of a current chat. The content is embedded in an...

7.7CVSS5.9AI score0.00036EPSS

Exploits1References2Affected Software1

CVE•added 2026/05/15 6:36 p.m.•9 views

CVE-2026-46361

CVE-2026-46361 affects phpMyFAQ prior to 4.1.2. A stored XSS in the search.twig template renders result.question and result.answerPreview with the raw filter, bypassing autoescape. Attackers with FAQ editor privileges can inject HTML-entity-encoded payloads that bypass html_entity_decode(strip_ta...

8.2CVSS5.8AI score0.00011EPSS

Exploits0References2

NVD•added 2026/05/15 5:16 p.m.•7 views

CVE-2026-44714

The bitcoinj library is a Java implementation of the Bitcoin protocol. Prior to 0.17.1, ScriptExecution.correctlySpends contains two fast-path verification bugs for standard P2PKH and native P2WPKH spends in core/src/main/java/org/bitcoinj/script/ScriptExecution.java. In both branches, bitcoinj...

7.5CVSS0.00011EPSS

EUVD•added 2026/05/15 4:51 p.m.•4 views

EUVD-2026-30571

7.5CVSS5.9AI score0.00011EPSS

NVD•added 2026/05/15 6:16 a.m.•5 views

CVE-2026-24662

Cross-site scripting vulnerability exists in Musetheque V4 Information Disclosure for IPKNOWLEDGE V4L1 rev2203.0 and earlier. If a file containing malicious contents is uploaded, an arbitrary script may be executed on a user's web browser when viewing the administration page showing the informati...

5.4CVSS0.00032EPSS

CVE•added 2026/05/15 5:38 a.m.•11 views

CVE-2026-24662

The CVE-2026-24662 entry describes a cross-site scripting vulnerability in Musetheque V4 Information Disclosure for IPKNOWLEDGE V4L1, affecting rev2203.0 and earlier. When a file containing malicious contents is uploaded, an arbitrary script may execute in a user’s browser when an administrator v...

5.4CVSS5.8AI score0.00032EPSS

Snyk•added 2026/05/14 8:21 p.m.•2 views

Cross-site Scripting (XSS)

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Cross-site Scripting XSS through the @html svg rendering path in the SVGPanZoom.svelte common component. An attacker can execute an arbitrary script in the browser by supplying a crafted SVG payload that is...

5.4CVSS5.8AI score0.0003EPSS

Exploits1References2

Snyk•added 2026/05/14 6:27 p.m.•5 views

Improper Encoding or Escaping of Output

Overview Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the linkHref field handling. An attacker can execute arbitrary JavaScript by supplying a javascript: URL in an image widget's link URL field and having it rendered on the page. This affects...

5.4CVSS6.1AI score

OSV•added 2026/05/14 4:53 p.m.•0 views

MAL-2026-3741 Malicious code in pyexecutorsme (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 326ad16be9056f6cbd75fa4f9a47dec8c3613b56aa53d3e5d439efeef7c6fcad Package attempts to download and execute a script acting as remote access trojan. --- Category: MALICIOUS - The campaign has clearly malicious intent, like...

6AI score