CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

122 matches found

Cvelist•added 2026/05/13 7:44 a.m.•31 views

CVE-2026-3004 Snow Monkey Blocks <= 24.1.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'data-slick' Attribute

The Snow Monkey Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-slick' attribute in all versions up to, and including, 24.1.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS0.00034EPSS

Exploits0References4

Patchstack•added 2026/04/23 3:24 a.m.•3 views

WordPress Gutentor - Gutenberg Blocks - Page Builder for Gutenberg Editor plugin <= 3.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gutentor Block HTML vulnerability

WordPress Gutentor - Gutenberg Blocks - Page Builder for Gutenberg Editor plugin = 3.5.5 - Authenticated Contributor+ Stored Cross-Site Scripting via Gutentor Block HTML vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Gutentor versions = 3.5.5...

5.4CVSS5.8AI score0.00011EPSS

Exploits0References1Affected Software1

Patchstack•added 2026/04/20 6:26 p.m.•2 views

WordPress Website LLMs.txt plugin <= 8.2.6 - Authenticated (Admin+) Stored Cross-Site Scripting vulnerability

Authenticated Admin+ Stored Cross-Site Scripting vulnerability discovered by Kazuma Matsumoto - GMO Cybersecurity by IERAE, Inc. in WordPress Plugin Website LLMs.txt versions = 8.2.6...

4.4CVSS5.8AI score0.00031EPSS

Exploits0References1Affected Software1

Positive Technologies•added 2026/04/13 12:0 a.m.•0 views

PT-2026-32512

Apache SkyWalking CVE-2025-54057: Stored XSS https://t.co/U4ZzTJS7iT CVE-2026-34476: SSRF via SW-URL Header in MCP Server https://t.co/zPXOQv1Xff CVE-2026-34884: SSRF via set skywalking url Tool and GraphQL Expression Injection in MCP Server https://t.co/5H4PWKYENG...

7.1CVSS5.8AI score0.00258EPSS

Exploits0References1

Vulnrichment•added 2026/04/08 4:27 a.m.•1 views

CVE-2026-3600 Investi <= 1.0.26 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'maximum-num-years' Shortcode Attribute

The Investi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'investi-announcements-accordion' shortcode's 'maximum-num-years' attribute in all versions up to, and including, 1.0.26. This is due to insufficient input sanitization and output escaping on user-supplied...

6.4CVSS6.1AI score0.00015EPSS

Exploits0References6

Cvelist•added 2026/04/03 11:33 a.m.•12 views

CVE-2026-3879 Stored XSS Vulnerability

Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Equipment Mailbox Details report...

7.3CVSS0.00023EPSS

Exploits0References1

Cvelist•added 2026/03/25 4:14 p.m.•25 views

CVE-2026-25465 WordPress CP Multi View Event Calendar plugin <= 1.4.36 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in codepeople CP Multi View Event Calendar cp-multi-view-calendar allows Stored XSS.This issue affects CP Multi View Event Calendar : from n/a through = 1.4.36...

6.5CVSS0.00045EPSS

Exploits0References1

CVE•added 2026/03/21 3:26 a.m.•1 views

CVE-2026-1503

The login_register plugin for WordPress (versions up to 1.2.0) is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting due to missing nonce validation on the settings page and insufficient sanitization/escaping of the login_post parameter. This allows unauthenticated at...

4.3CVSS6AI score0.00017EPSS

Exploits0References4

Vulnrichment•added 2026/03/21 3:26 a.m.•0 views

CVE-2026-1822 WP NG Weather <= 1.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The WP NG Weather plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ng-weather' shortcode in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

6.4CVSS6AI score0.00043EPSS

Exploits0References3

EUVD•added 2026/03/21 12:31 a.m.•0 views

EUVD-2026-13925

The iTracker360 plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in all versions up to and including 2.2.0. This is due to missing nonce verification on the settings form submission and insufficient input sanitization combined with missing...

6.1CVSS5.9AI score0.00043EPSS

Exploits0References8

ATTACKERKB•added 2026/03/20 11:25 p.m.•0 views

CVE-2026-3572

6.1CVSS5.9AI score0.00043EPSS

Exploits0References8

Positive Technologies•added 2026/03/20 12:0 a.m.•2 views

PT-2026-26722

6.1CVSS5.9AI score0.00043EPSS

Exploits0References8

CVE•added 2026/03/11 1:22 a.m.•10 views

CVE-2026-2324

CVE-2026-2324 affects the LatePoint – Calendar Booking Plugin for Appointments and Events (WordPress). Up to version 5.2.7 is vulnerable due to missing/incorrect nonce validation in the reload_preview() function, enabling unauthenticated attackers to update settings and inject malicious scripts v...

6.1CVSS5.6AI score0.00017EPSS

Exploits0References2

AlpineLinux•added 2026/02/20 2:33 a.m.•1 views

CVE-2026-26993

Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Versions 1.7.0 and below allow users to upload files without proper content validation or sanitization. By embedding malicious JavaScript within an SVG or other active content formats such as HTML...

5.4CVSS6AI score0.00015EPSS

Exploits1References3

Positive Technologies•added 2026/02/19 12:0 a.m.•3 views

PT-2026-20605

Name of the Vulnerable Software and Affected Versions s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress versions through 251005 Description The s2Member plugin for WordPress is susceptible to Stored Cross-Site...

6.4CVSS5.3AI score0.00048EPSS

Exploits0References7

Patchstack•added 2026/02/18 8:19 a.m.•5 views

WordPress FluentForm plugin <= 5.1.19 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Welcome Screen Fields vulnerability

Authenticated Subscriber+ Stored Cross-Site Scripting via Welcome Screen Fields vulnerability discovered by zer0gh0st in WordPress Plugin FluentForm versions = 5.1.19...

5.4CVSS5.5AI score0.00177EPSS

Exploits0References1Affected Software1

RedhatCVE•added 2026/01/21 12:30 a.m.•4 views

CVE-2025-67263

Abacre Retail Point of Sale 14.0.0.396 is affected by a stored cross-site scripting XSS vulnerability in the Clients module. The application fails to properly sanitize user-supplied input stored in the Name and Surname fields. An attacker can insert malicious HTML or script content into these...

6.1CVSS5.2AI score0.00053EPSS

Exploits2References1

OSV•added 2026/01/16 7:38 p.m.•1 views

CVE-2026-23725 WeGIA Stored Cross-Site Scripting (XSS) – nome Parameter on Adopters Information Page

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, a Stored Cross-Site Scripting XSS vulnerability was identified in the html/pet/adotantes/cadastroadotante.php and html/pet/adotantes/informacaoadotantes.php endpoint of the WeGIA application. The application does not sanitize...

5.3CVSS5.4AI score0.00017EPSS

Exploits1References5

RedhatCVE•added 2026/01/13 10:52 p.m.•1 views

CVE-2026-0627

The AMP for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.1.10. This is due to insufficient sanitization of SVG file content that only removes...

6.4CVSS5.3AI score0.00055EPSS

Exploits0References1

NCSC•added 2026/01/09 11:11 a.m.•4 views

Vulnerabilities fixed in GitLab

GitLab has fixed vulnerabilities in GitLab CE/EE. The vulnerabilities include several issues, including the ability for authenticated users to abuse external API calls, which could lead to a Denial-of-Service. In addition, GraphQL allowed authenticated users to make unauthorized changes to projec...

9.6CVSS6.5AI score0.00055EPSS

Exploits0References1

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by