CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

6223 matches found

Positive Technologies•added 2026/04/22 12:0 a.m.•2 views

PT-2026-34283

Name of the Vulnerable Software and Affected Versions Twittee Text Tweet versions prior to 1.0.9 Description Insufficient input sanitization and output escaping in the ttt twittee tweeter function allow authenticated attackers with Contributor-level access and above to inject arbitrary web script...

6.4CVSS5.9AI score0.00014EPSS

Exploits0References8

Positive Technologies•added 2026/04/22 12:0 a.m.•1 views

PT-2026-34278

Name of the Vulnerable Software and Affected Versions Quran Live Multilanguage plugin for WordPress versions prior to 1.0.4 Description Stored Cross-Site Scripting is possible due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The quran live render...

6.4CVSS6AI score0.0002EPSS

Exploits0References16

Positive Technologies•added 2026/04/21 12:0 a.m.•0 views

PT-2026-34208

Name of the Vulnerable Software and Affected Versions WWBN AVideo versions 29.0 and earlier Description An incomplete fix for cross-site scripting in the ParsedownSafeWithLinks class allows the use of javascript: URLs in markdown link syntax to bypass sanitization. This occurs because the...

5.4CVSS5.6AI score0.00043EPSS

Exploits1References8

CNNVD•added 2026/04/21 12:0 a.m.•4 views

Docmost 跨站脚本漏洞

Docmost is an open-source collaborative wiki and documentation software developed by Docmost. Versions of Docmost prior to 0.80.0 contained a cross-site scripting vulnerability. This vulnerability stemmed from the possibility of including JavaScript URIs as links when posting comments on pages...

5.4CVSS5.7AI score0.00035EPSS

Exploits0References1

EUVD•added 2026/04/19 6:31 a.m.•1 views

EUVD-2026-23681

The EMC – Easily Embed Calendly Scheduling Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's calendly shortcode in all versions up to, and including, 4.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

6.4CVSS5.9AI score0.00012EPSS

Exploits0References3

ATTACKERKB•added 2026/04/18 9:26 a.m.•2 views

CVE-2026-2505

The Categories Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.1, via the 'ztaxonomyimage' shortcode. This is due to the shortcode rendering path passing attacker-controlled class input into a fallback image builder that concatenates...

5.4CVSS5.9AI score0.00011EPSS

Exploits0References3

Cvelist•added 2026/04/17 8:3 p.m.•15 views

CVE-2026-40283 WeGIA has stored XSS in profile_paciente.php

WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting XSS vulnerability allows an authenticated user to inject malicious JavaScript via the "Nome" field in the "Informações Pacientes" page. The payload is stored and executed when the patien...

6.8CVSS0.00036EPSS

Exploits1References1

Cvelist•added 2026/04/16 2:10 p.m.•30 views

CVE-2026-2840 Email Encoder – Protect Email Addresses and Phone Numbers <= 2.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via eeb_mailto Shortcode

The Email Encoder – Protect Email Addresses and Phone Numbers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'eebmailto' shortcode in all versions up to, and including, 2.4.4 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS0.00037EPSS

Exploits0References3

Patchstack•added 2026/04/16 10:31 a.m.•2 views

WordPress Product Pricing Table by WooBeWoo plugin <= 1.1.0 - Cross-Site Request Forgery to Stored XSS and Pricing Table Deletion vulnerability

Cross-Site Request Forgery to Stored XSS and Pricing Table Deletion vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin Product Pricing Table by WooBeWoo versions = 1.1.0...

6.1CVSS5.8AI score0.00006EPSS

Exploits0References1Affected Software1

NVD•added 2026/04/16 7:16 a.m.•1 views

CVE-2025-13364

The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'putwpgm' shortcode in all versions up to, and including, 4.8.7. This is due to insufficient input sanitization and output escaping on...

6.4CVSS0.00012EPSS

Exploits0References2

ATTACKERKB•added 2026/04/16 6:44 a.m.•3 views

CVE-2026-3875

The BetterDocs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'betterdocsfeedbackform' shortcode in all versions up to, and including, 4.3.8. This is due to insufficient input sanitization and output escaping on user supplied shortcode attributes. This makes it possible...

6.4CVSS5.9AI score0.00012EPSS

Exploits0References3

Vulnrichment•added 2026/04/16 5:29 a.m.•1 views

CVE-2026-3551 Custom New User Notification <= 1.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'User Mail Subject' Setting

The Custom New User Notification plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's admin settings in all versions up to, and including, 1.2.0. This is due to insufficient input sanitization and output escaping on multiple settings fields including 'User Mail...

4.4CVSS5.9AI score0.00029EPSS

Exploits0References17

ATTACKERKB•added 2026/04/16 5:29 a.m.•1 views

CVE-2026-3551

4.4CVSS5.9AI score0.00029EPSS

Exploits0References18

Github Security Blog•added 2026/04/16 1:37 a.m.•4 views

wger has Stored XSS via Unescaped License Attribution Fields

Stored XSS via Unescaped License Attribution Fields Summary The AbstractLicenseModel.attributionlink property in wger/utils/models.py constructs HTML strings by directly interpolating user-controlled fields licenseauthor, licensetitle, licenseobjecturl, licenseauthorurl, licensederivativesourceur...

5.4CVSS6AI score0.00014EPSS

Exploits1References4Affected Software1

Positive Technologies•added 2026/04/16 12:0 a.m.•0 views

PT-2026-33246

The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'su box' shortcode in all versions up to, and including, 7.4.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

6.4CVSS5.9AI score0.00012EPSS

Exploits0References2

Vulnrichment•added 2026/04/15 4:11 p.m.•0 views

CVE-2026-20059 Cisco Unity Connection Reflected Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a reflected XSS attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate...

6.1CVSS6.1AI score0.00047EPSS

Exploits0References1

Patchstack•added 2026/04/15 1:23 p.m.•2 views

WordPress Quick Interest Slider plugin <= 3.1.5 - Unauthenticated Stored Cross-Site Scripting vulnerability

Unauthenticated Stored Cross-Site Scripting vulnerability discovered by Chawabhon Netisingha JNX03 in WordPress Plugin Quick Interest Slider versions = 3.1.5...

7.2CVSS5.8AI score0.00117EPSS

Exploits0References1Affected Software1

Vulnrichment•added 2026/04/15 8:28 a.m.•1 views

CVE-2026-3659 WP Circliful <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute

The WP Circliful plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the circliful shortcode and via multiple shortcode attributes of the circlifuldirect shortcode in all versions up to and including 1.2. This is due to insufficient input...

6.4CVSS5.9AI score0.00073EPSS

Exploits0References9

Positive Technologies•added 2026/04/15 12:0 a.m.•2 views

PT-2026-33026

The Power Charts Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the pc shortcode in all versions up to, and including, 0.1.0. This is due to insufficient input sanitization and output escaping on the 'id' shortcode attribute. Specifically, in the ...

6.4CVSS6AI score0.00042EPSS

Exploits0References7

Cvelist•added 2026/04/14 2:15 p.m.•22 views

CVE-2026-4914

Stored XSS in Ivanti N-ITSM before version 2025.4 allows a remote authenticated attacker to obtain limited information from other user sessions. User interaction is required...

5.4CVSS0.00081EPSS

Exploits0References1

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by