EUVD-2026-33405
SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, when fetch(url) throws, the code sends: res.status(500).send('Error occurred while trying to proxy to:...
EUVD-2026-33376
Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. Prior to 0.102.2, a malicious ZIP archive imported with safe import enabled achieves RCE via docName path traversal and XSS by combining a payload note type: code, mime:...
CVE-2026-45627 Arcane: Unauthenticated reflected XSS via SVG color parameter in /api/app-images/logo enables admin account takeover
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, the unauthenticated GET /api/app-images/logo endpoint reflects a user-supplied color query parameter into the body of an SVG document via strings.ReplaceAll with no escaping. The substitution...
CVE-2026-45627
CVE-2026-45627 describes an unauthenticated reflected XSS in Arcane via the GET /api/app-images/logo endpoint, where a user-supplied color parameter is injected into an SVG block without escaping. The resulting SVG is served as image/svg+xml with no CSP or X-Content-Type-Options headers, enablin...
EUVD-2026-33363
A stored cross-site scripting (XSS) vulnerability exists in certain 1xxx series NVR devices due to insufficient sanitization of user-supplied input in specific functional modules. Attackers can inject malicious scripts, which are then persistently stored on the device backend. When administrators o...
CVE-2026-6824
A stored cross-site scripting (XSS) vulnerability exists in certain 1xxx series NVR devices due to insufficient sanitization of user-supplied input in specific functional modules. Attackers can inject malicious scripts, which are then persistently stored on the device backend. When administrators o...
CVE-2026-6824 CP Plus 8 Ch. Network Video Recorder Cross-site Scripting
A stored cross-site scripting (XSS) vulnerability exists in certain 1xxx series NVR devices due to insufficient sanitization of user-supplied input in specific functional modules. Attackers can inject malicious scripts, which are then persistently stored on the device backend. When administrators o...
CVE-2026-6824
CVE-2026-6824 concerns a stored Cross-Site Scripting (XSS) in certain 1xxx-series CP Plus NVRs (8-channel). The vulnerability stems from insufficient sanitization of user-supplied input in specific modules, allowing attackers to persistently inject scripts on the device backend. When an authentic...
CVE-2026-36324
SourceCodester Doctor Appointment System 1.0 is vulnerable to Cross Site Scripting (XSS) due to improper handling of user-supplied input in the user registration functionality in register.php...
CVE-2026-33386
QuickCMS is vulnerable to Cross-Site Scripting (XSS) through its insecure HTTP-based plugin‑fetching mechanism. A malicious attacker can perform a Man‑in‑the‑Middle (MITM) attack by impersonating the opensolution.org server and serving arbitrary HTML or JavaScript at the plugin list endpoint. When a...
CVE-2018-25384
Wikidforum 2.20 contains a cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted HTML in the replytext parameter. Attackers can post comments containing JavaScript code through the rpc.php endpoint that executes in other users'...
qemu-kvm security update
An update is available for qemu-kvm. This update affects Rocky Linux 10. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linu...
WordPress Booking Manager plugin <= 2.1.18 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by dodoh4t in WordPress Plugin Booking Manager (versions <= 2.1.18)...
WordPress WPComplete plugin <= 2.9.5.4 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by hhhai in WordPress Plugin WPComplete (versions <= 2.9.5.4)...
EUVD-2026-33339
QuickCMS is vulnerable to Cross-Site Scripting (XSS) through its insecure HTTP-based plugin‑fetching mechanism. A malicious attacker can perform a Man‑in‑the‑Middle (MITM) attack by impersonating the opensolution.org server and serving arbitrary HTML or JavaScript at the plugin list endpoint. When a...
CVE-2026-33386 XSS in QuickCMS
QuickCMS is vulnerable to Cross-Site Scripting (XSS) through its insecure HTTP-based plugin‑fetching mechanism. A malicious attacker can perform a Man‑in‑the‑Middle (MITM) attack by impersonating the opensolution.org server and serving arbitrary HTML or JavaScript at the plugin list endpoint. When a...
CVE-2026-33386
CVE-2026-33386 affects QuickCMS. An attacker can exploit an insecure HTTP-based plugin-fetching mechanism to perform a Cross-Site Scripting (XSS) via a MITM that impersonates the opensolution.org server and serves arbitrary HTML/JavaScript at the plugin list endpoint. When a user visits the plugi...