20042 matches found

Vulnrichment
added 2025/12/17 12:0 a.m. | 3 views

CVE-2025-66923

A cross-site scripting (XSS) vulnerability in Create/Update Customers in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the phonenumber parameter...

AI score: 5.5 | EPSS: 0.00465
Exploits: 1 | References: 2

Positive Technologies
added 2025/12/17 12:0 a.m. | 4 views

PT-2025-51944

Name of the Vulnerable Software and Affected Versions: projectSend version r1605
Description: The software contains a stored cross-site scripting issue. Authenticated administrators can inject malicious JavaScript through the custom assets configuration page. An attacker can create a JavaScript...

CVSS: 5.1 | AI score: 6.2 | EPSS: 0.00257
Exploits: 1 | References: 6

CVE
added 2025/12/16 5:3 p.m. | 6 views

CVE-2023-53898

Rukovoditel 3.4.1 is affected by a stored cross-site scripting (XSS) vulnerability. The issue allows an authenticated attacker to inject iframe and script payloads into the application copyright text, enabling arbitrary JavaScript execution in victims’ browsers. Root cause, affected component, an...

CVSS: 5.4 | AI score: 6 | EPSS: 0.00205
Exploits: 1 | References: 3 | Affected Software: 1

Vulnrichment
added 2025/12/16 5:3 p.m. | 1 views

CVE-2023-53897 Rukovoditel 3.4.1 Multiple Stored Cross-Site Scripting via Comments

Rukovoditel 3.4.1 contains multiple stored cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts. Attackers can insert XSS payloads in project task comments to execute arbitrary JavaScript in victim browsers...

CVSS: 5.4 | AI score: 5.6 | EPSS: 0.00205
Exploits: 1 | References: 3

Vulnrichment
added 2025/12/16 5:3 p.m. | 2 views

CVE-2023-53898 Rukovoditel 3.4.1 Multiple Stored Cross-Site Scripting via Configuration

Rukovoditel 3.4.1 contains stored cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts. Attackers can insert iframe and script payloads in application copyright text to execute arbitrary JavaScript in victim browsers...

CVSS: 5.4 | AI score: 6 | EPSS: 0.00205
Exploits: 1 | References: 3

EUVD
added 2025/12/16 9:31 a.m. | 2 views

EUVD-2025-203540

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in ThemeNectar Salient Portfolio salient-portfolio allows Stored XSS. This issue affects Salient Portfolio: from n/a through = 1.8.2...

AI score: 5.5 | EPSS: 0.00133
Exploits: 0 | References: 2

NVD
added 2025/12/15 4:15 p.m. | 3 views

CVE-2025-14387

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and abov...

CVSS: 6.4 | EPSS: 0.0022
Exploits: 0 | References: 2

Cvelist
added 2025/12/15 2:25 p.m. | 20 views

CVE-2025-13367 User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin <= 4.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcode attributes in all versions up to, and including, 4.4.6 due to...

CVSS: 6.4 | EPSS: 0.00273
Exploits: 0 | References: 3

Positive Technologies
added 2025/12/15 12:0 a.m. | 3 views

PT-2025-51239

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and abov...

CVSS: 6.4 | AI score: 5 | EPSS: 0.0022
Exploits: 0 | References: 3

CNNVD
added 2025/12/15 12:0 a.m. | 1 views

Zomplog Security Vulnerability

Zomplog is a web logging system from Zomplog Open Source. A security vulnerability exists in Zomplog version 3.9 that originates from allowing an authenticated user to inject malicious script when creating a new page, which could lead to a cross-site scripting attack...

CVSS: 5.4 | AI score: 5.9 | EPSS: 0.00205
Exploits: 1 | References: 5

RedhatCVE
added 2025/12/14 8:45 a.m. | 7 views

CVE-2025-9856

The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sgpopup' shortcode in all versions up to, and including, 4.4.1 due to insufficient input sanitization and output escaping on user...

CVSS: 6.4 | AI score: 5 | EPSS: 0.00285
Exploits: 0 | References: 1

RedhatCVE
added 2025/12/14 5:3 a.m. | 9 views

CVE-2025-12077

The WP to LinkedIn Auto Publish plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage in all versions up to, and including, 1.9.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

CVSS: 6.1 | AI score: 5.6 | EPSS: 0.00204
Exploits: 0 | References: 1

EUVD
added 2025/12/13 6:30 p.m. | 4 views

EUVD-2025-203226

The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'colibriloop' shortcode in all versions up to, and including, 1.0.335 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVSS: 6.4 | AI score: 4.5 | EPSS: 0.00199
Exploits: 0 | References: 3

Vulnrichment
added 2025/12/13 8:21 a.m. | 1 views

CVE-2025-8780 Livemesh SiteOrigin Widgets <= 3.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Hero Header and Pricing Table Widgets

The Livemesh SiteOrigin Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Hero Header and Pricing Table widgets in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes i...

CVSS: 6.4 | AI score: 4.7 | EPSS: 0.00192
Exploits: 0 | References: 4

Vulnrichment
added 2025/12/13 7:21 a.m. | 3 views

CVE-2025-8779 All-in-One Addons for Elementor – WidgetKit <= 2.5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Team and Countdown Widgets

The All-in-One Addons for Elementor – WidgetKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Team and Countdown widgets in all versions up to, and including, 2.5.6 due to insufficient input sanitization and output escaping on user supplied attributes. This...

CVSS: 6.4 | AI score: 4.7 | EPSS: 0.00185
Exploits: 0 | References: 3

Veracode
added 2025/12/13 5:4 a.m. | 4 views

Cross-site Scripting (XSS)

com.liferay, com.liferay.dynamic.data.mapping.item.selector.web are vulnerable to cross-site scripting (XSS). The vulnerability is due to improper input validation in user name fields (First Name, Middle Name, Last Name), which allows a remote attacker to inject arbitrary web scripts or HTML via...

CVSS: 6.1 | AI score: 5.8 | EPSS: 0.00185
Exploits: 0 | References: 4 | Affected Software: 1

RedhatCVE
added 2025/12/13 3:59 a.m. | 4 views

CVE-2025-14137

The Simple AL Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] variable in all versions up to, and including, 1.2.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

CVSS: 6.1 | AI score: 5.6 | EPSS: 0.00211
Exploits: 0 | References: 1

RedhatCVE
added 2025/12/13 3:59 a.m. | 4 views

CVE-2025-14119

The App Landing Template Blocks for WPBakery Visual Composer Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'atvcvideoplay' shortcode in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping on user supplied...

CVSS: 6.4 | AI score: 4.9 | EPSS: 0.00181
Exploits: 0 | References: 1

RedhatCVE
added 2025/12/13 3:59 a.m. | 2 views

CVE-2025-13963

The FX Currency Converter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fxccconvert' shortcode in all versions up to, and including, 0.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVSS: 6.4 | AI score: 5 | EPSS: 0.00188
Exploits: 0 | References: 1

RedhatCVE
added 2025/12/13 3:59 a.m. | 2 views

CVE-2025-13988

The 评论小秘书 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] variable in all versions up to, and including, 1.3.2. This is due to insufficient input sanitization and output escaping on the $_SERVER['PHP_SELF'] variable in the plugin's settings page. This mak...

CVSS: 6.1 | AI score: 5.7 | EPSS: 0.00204
Exploits: 0 | References: 1