
1430 matches found

CNNVD
added 2026/06/01 12:0 a.m., 8 views

Orca Energija Orca heat pump security vulnerability

Orca Energija Orca heat pump is a series of air-to-water heat pump systems developed by Orca Energija. There are security vulnerabilities in Orca Energija Orca heat pumps. These vulnerabilities stem from the lack of authentication and plaintext data transmission. Combined with the absence of...

6.3 CVSS, 5.3 AI score, 0.00114 EPSS
Exploits: 0, References: 1

CVE
added 2026/05/29 10:41 a.m., 19 views

CVE-2026-9811

CVE-2026-9811 is a stored XSS vulnerability in Mautic 7, specifically in the project selector component. The issue arises when rendering AJAX-returned project names into DOM option fields without proper sanitization; an authenticated user with project creation rights can inject malicious script v...

5.4 CVSS, 5.8 AI score, 0.00133 EPSS
Exploits: 0, References: 1

ATTACKERKB
added 2026/05/29 8:37 a.m., 10 views

CVE-2026-10058

ITS Intelligent SCADA System developed by ITP Technology has a Stored Cross-Site Scripting vulnerability, allowing privileged remote attackers to inject persistent JavaScript codes that are executed in users' browsers upon page load...

4.8 CVSS, 5.8 AI score, 0.00176 EPSS
Exploits: 0, References: 3, Affected Software: 1

GithubExploit
added 2026/05/28 1:42 p.m., 80 views

Exploit for CVE-2026-47100

CVE-2026-47100 — FunnelKit / Funnel Builder for WooCommerce Ch...

8.7 CVSS, 5.9 AI score, 0.00457 EPSS
Exploits: 1

NVD
added 2026/05/27 6:16 p.m., 19 views

CVE-2026-46426

Budibase is an open-source low-code platform. Prior to 3.38.2, the file upload endpoint POST /api/attachments/process does not enforce active-content restrictions for authenticated users. The checks for dangerous file extensions are conditionally wrapped inside if isPublicUser or if isPublicUser ...

7.6 CVSS, 0.00175 EPSS
Exploits: 0, References: 2

Cvelist
added 2026/05/27 9:27 a.m., 33 views

CVE-2026-2288 myLinksDump <= 1.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'link_title' Parameter

The myLinksDump plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'linktitle' parameter in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access...

4.8 CVSS, 0.0023 EPSS
Exploits: 0, References: 5

Cvelist
added 2026/05/27 7:45 a.m., 33 views

CVE-2026-8906 WP Promoter <= 1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'popup_width' Parameter

The WP Promoter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts...

6.1 CVSS, 0.00119 EPSS
Exploits: 0, References: 5

Vulnrichment
added 2026/05/27 5:31 a.m., 10 views

CVE-2026-8884 Instant-Quote.co Quotation Page <= 1.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Instant-Quote.co Quotation Page plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4 CVSS, 6.1 AI score, 0.00217 EPSS
Exploits: 0, References: 3

Vulnrichment
added 2026/05/27 5:31 a.m., 7 views

CVE-2026-8846 Tuxquote <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Tuxquote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'TUXQUOTE' shortcode in versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes 'title', 'align', and 'width' in the tuxquotebuildforma...

6.4 CVSS, 6 AI score, 0.00187 EPSS
Exploits: 0, References: 3

EUVD
added 2026/05/27 5:31 a.m., 12 views

EUVD-2026-32064

The Shortcode Buddy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 0.1.9.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level acces...

6.4 CVSS, 6 AI score, 0.00235 EPSS
Exploits: 0, References: 3

CNNVD
added 2026/05/27 12:0 a.m., 9 views

WordPress plugin BitForm cross-site scripting vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

6.4 CVSS, 5.7 AI score, 0.00193 EPSS
Exploits: 0, References: 4

Positive Technologies
added 2026/05/27 12:0 a.m., 14 views

PT-2026-43517

The Mutual Funds Data plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute in versions up to, and including, 1.2.1. This is due to insufficient input sanitization and output escaping on the user supplied 'title' attribute in the mfd shortcode...

6.4 CVSS, 6 AI score, 0.00235 EPSS
Exploits: 0, References: 5

Positive Technologies
added 2026/05/27 12:0 a.m., 15 views

PT-2026-43525

The hk shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title-plane' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes in the huankong post short title plane...

6.4 CVSS, 6 AI score, 0.00198 EPSS
Exploits: 0, References: 5

GithubExploit
added 2026/05/26 11:45 a.m., 73 views

XSSaudit

XSSAudit v2.0 — Advanced XSS Vulnerability Scanner For au...

6 AI score
Exploits: 0

Vulnrichment
added 2026/05/22 5:21 p.m., 10 views

CVE-2026-39964 TypeBot: Stored XSS via javascript: URI in text bubble links — bot author executes JS on visitors' browsers

TypeBot is a chatbot builder tool. In versions prior to 3.16.0, the Typebot viewer packages/embeds/js renders anchor tags from rich text bubble content without filtering the javascript: URI scheme. A bot author can set a link URL to javascript:PAYLOAD, which executes in the visitor's browser...

5.4 CVSS, 5.8 AI score, 0.00241 EPSS
Exploits: 0, References: 3

ATTACKERKB
added 2026/05/22 3:39 a.m., 9 views

CVE-2026-7509

The KIA Subtitle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's the-subtitle shortcode before and after attributes in all versions up to, and including, 4.0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This...

6.4 CVSS, 6 AI score, 0.00249 EPSS
Exploits: 0, References: 8

Cvelist
added 2026/05/20 12:54 p.m., 39 views

CVE-2026-24573 WordPress Visualizer plugin < 4.0.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Themeisle Visualizer allows Stored XSS. This issue affects Visualizer: from n/a before 4.0.0...

6.5 CVSS, 0.00166 EPSS
Exploits: 0, References: 1

EUVD
added 2026/05/20 6:46 a.m., 14 views

EUVD-2026-31070

The Anomify AI – Anomaly Detection and Alerting plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) in versions up to and including 0.3.6. This is due to missing nonce verification on the settings page handler and insufficient output...

4.3 CVSS, 6 AI score, 0.00168 EPSS
Exploits: 0, References: 7

Vulnrichment
added 2026/05/20 4:35 a.m., 11 views

CVE-2026-9056 Security fix for Qlik Talend Administration Center cross-site scripting vulnerability

A stored cross-site scripting vulnerability has been found in the Talend Administration Center. An attacker with permission to manage servers can store an XSS payload that can be triggered by a different user...

5.4 CVSS, 5.5 AI score, 0.00178 EPSS
Exploits: 0, References: 1

EUVD
added 2026/05/20 1:25 a.m., 12 views

EUVD-2026-31041

The Word 2 Cash plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in versions up to and including 0.9.2. This is due to the complete absence of nonce verification on the settings save handler in the w2cadmin function, combined with missing inp...

6.1 CVSS, 6 AI score, 0.00153 EPSS
Exploits: 0, References: 7