CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Positive Technologies•added 2026/05/14 12:0 a.m.•8 views

PT-2026-40882

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' attribute of the bt bb button shortcode in all versions up to, and including, 5.6.8. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

6.4CVSS6AI score0.00032EPSS

Exploits0References3

Positive Technologies•added 2026/05/14 12:0 a.m.•6 views

PT-2026-41068

Name of the Vulnerable Software and Affected Versions Google Chrome on Android versions prior to 148.0.7778.168 Description Script injection in the SanitizerAPI allows a remote attacker to inject arbitrary scripts or HTML, leading to Universal Cross-Site Scripting UXSS, which is a vulnerability...

8.8CVSS6.1AI score0.00148EPSS

Exploits0References83

CNNVD•added 2026/05/14 12:0 a.m.•7 views

WordPress plugin Envira Gallery Lite 跨站脚本漏洞

6.4CVSS5.8AI score0.00016EPSS

EUVD•added 2026/05/13 9:32 p.m.•4 views

EUVD-2026-30186

CVAT is an open source interactive video and image annotation tool for computer vision. From 2.5.0 to 2.63.0, an attacker who is able to create or edit an annotation guide on a task is able to add malicious JavaScript code, which will then run in the browser of anyone who opens this annotation...

8.5CVSS6AI score0.00052EPSS

RedhatCVE•added 2026/05/13 8:23 p.m.•7 views

CVE-2026-2300

The BJ Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the filterimages function in all versions up to, and including, 1.0.9. This is due to the use of regex-based HTML processing pregreplace that does not properly handle HTML attribute boundaries when replacing sr...

6.4CVSS6AI score0.00036EPSS

CVE•added 2026/05/13 2:22 p.m.•10 views

CVE-2020-37222

Kuicms Php EE 2.0 is affected by a persistent cross-site scripting (XSS) vulnerability. The issue allows unauthenticated attackers to inject arbitrary scripts by submitting crafted content through the bbs reply endpoint (POST to /web/?c=bbs&a=reply) with HTML/JavaScript payloads in the content pa...

7.2CVSS5.9AI score0.001EPSS

Exploits0References4

Positive Technologies•added 2026/05/13 12:0 a.m.•7 views

PT-2026-40623

Kuicms Php EE 2.0 contains a persistent cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted content through the bbs reply endpoint. Attackers can send POST requests to /web/?c=bbs&a=reply with HTML and JavaScript payloads in t...

7.2CVSS5.9AI score0.001EPSS

Exploits0References5

EUVD•added 2026/05/12 12:32 p.m.•19 views

EUVD-2026-29426

Affected devices do not properly validate and sanitize PLC/station name rendered on the "communication" parameters page of the web interface. This could allow an authenticated attacker who is authorized to download a TIA project into the product, to inject malicious scripts into the page. If a...

NVD•added 2026/05/12 10:16 a.m.•7 views

CVE-2026-25786

9.3CVSS0.00057EPSS

EUVD•added 2026/05/12 9:31 a.m.•7 views

EUVD-2026-29410

The Pricing Tables for WP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.1.0. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

6.1CVSS6AI score0.00021EPSS

Exploits0References4

NVD•added 2026/05/12 9:16 a.m.•8 views

CVE-2026-5715

The Voyage Plus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' attribute of the 'post-content' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible fo...

6.4CVSS0.00032EPSS

Exploits0References3

Vulnrichment•added 2026/05/12 8:21 a.m.•4 views

CVE-2026-25787

Affected devices do not properly validate and sanitize Technology Object TO name rendered on the "Motion Control Diagnostics" page of the web interface. This could allow an authenticated attacker who is authorized to download a TIA project into the product, to inject malicious scripts into the...

Cvelist•added 2026/05/12 8:21 a.m.•33 views

CVE-2026-25787

9.3CVSS0.00057EPSS

ATTACKERKB•added 2026/05/12 8:21 a.m.•5 views

CVE-2026-25787

CVE•added 2026/05/12 8:21 a.m.•13 views

CVE-2026-25787

CVE-2026-25787 affects Siemens devices with a web interface where the Technology Object (TO) name on the Motion Control Diagnostics page is not properly validated/sanitized. An authenticated user who is authorized to download a TIA project could inject malicious scripts into the page, and if anot...

Cvelist•added 2026/05/12 8:20 a.m.•33 views

CVE-2026-25786

9.3CVSS0.00057EPSS

ATTACKERKB•added 2026/05/12 8:20 a.m.•2 views

CVE-2026-25786

CVE•added 2026/05/12 8:20 a.m.•14 views

CVE-2026-25786

CVE-2026-25786 affects devices where the web interface’s communication parameters page renders a PLC/station name. The root cause is inadequate validation/sanitization of the name, enabling an authenticated user (who is allowed to download a TIA project) to inject malicious scripts into the page....