CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

55 matches found

RedhatCVE•added 2026/06/06 6:43 p.m.•10 views

CVE-2026-50231

Lyrion Music Server 9.2.0 contains an unauthenticated stored cross-site scripting vulnerability in the log viewer that allows attackers to inject malicious scripts by exploiting unescaped template variables. Attackers can inject XSS payloads through search, lines, and path query parameters or by...

7.2CVSS5.6AI score0.00183EPSS

Exploits2References1

CVE•added 2026/06/05 1:24 p.m.•13 views

CVE-2026-50231

CVE-2026-50231 – Lyrion Music Server 9.2.0 suffers an unauthenticated stored XSS in the log viewer. The root cause is unescaped template variables, enabling attackers to inject scripts via search/lines/path query parameters or logged values (URLs, User-Agent, stream titles, player names) to run i...

7.2CVSS5.6AI score0.00183EPSS

Exploits2References2

ATTACKERKB•added 2026/06/05 1:24 p.m.•5 views

CVE-2026-50231

7.2CVSS5.6AI score0.00183EPSS

Exploits2References3Affected Software1

Vulnrichment•added 2026/06/05 1:24 p.m.•6 views

CVE-2026-50231 Lyrion Music Server 9.2.0 Unauthenticated Stored XSS via server.log

7.2CVSS5.6AI score0.00183EPSS

Exploits2References2

Positive Technologies•added 2026/05/06 12:0 a.m.•9 views

PT-2026-37353

The LatePoint plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 5.5.0. This is due to insufficient input sanitization on the customer cabinet profile update endpoint — where raw POST parameters first name, last name, phone, notes bypass...

6.4CVSS6AI score0.00339EPSS

Exploits0References12

Packet Storm•added 2026/04/30 12:0 a.m.•56 views

📄 GoAnywhere MFT 7.9.1 HTML Injection

GoAnywhere MFT versions prior to 7.10.0 are affected by an HTML injection vulnerability in the email templating functionality. If an attacker is able to influence the content of a template variable, malicious HTML can be embedded into outgoing emails generated by the application. As these message...

5.4CVSS5.5AI score0.00155EPSS

Exploits1

RedhatCVE•added 2026/04/03 11:1 p.m.•4 views

CVE-2026-34825

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.30, NocoBase plugin-workflow-sql substitutes template variables directly into raw SQL strings via getParsedValue without parameterization or escaping. Any user who...

8.5CVSS6AI score0.00406EPSS

Exploits1References1

NVD•added 2026/04/02 8:16 p.m.•3 views

CVE-2026-34825

8.5CVSS0.00406EPSS

Exploits1References3

ATTACKERKB•added 2026/04/02 7:6 p.m.•3 views

CVE-2026-34825

8.5CVSS5.9AI score0.00406EPSS

Exploits1References4Affected Software1

Vulnrichment•added 2026/04/02 7:6 p.m.•4 views

CVE-2026-34825 NocoBase Has SQL Injection via template variable substitution in workflow SQL node

8.5CVSS6AI score0.00406EPSS

Exploits1References3

Cvelist•added 2026/04/02 7:6 p.m.•22 views

CVE-2026-34825 NocoBase Has SQL Injection via template variable substitution in workflow SQL node

8.5CVSS0.00406EPSS

Exploits1References3

CVE•added 2026/04/02 7:6 p.m.•9 views

CVE-2026-34825

Summary (CVE-2026-34825) NocoBase’s plugin-workflow-sql component (pre-2.0.30) builds SQL by substituting template variables directly into raw SQL strings via getParsedValue(), with no parameterization or escaping. An attacker who triggers a workflow containing a SQL node using user-controlled da...

8.5CVSS5.9AI score0.00406EPSS

Exploits1References3Affected Software1

OSV•added 2026/04/01 11:44 p.m.•2 views

GHSA-VX58-FWWQ-5G8J NocoBase Has SQL Injection via template variable substitution in workflow SQL node

Summary NocoBase = 2.0.8 plugin-workflow-sql substitutes template variables directly into raw SQL strings via getParsedValue without parameterization or escaping. Any user who triggers a workflow containing a SQL node with template variables from user-controlled data can inject arbitrary SQL...

8.5CVSS6.3AI score0.00406EPSS

Exploits1References5

Github Security Blog•added 2026/04/01 11:44 p.m.•7 views

NocoBase Has SQL Injection via template variable substitution in workflow SQL node

8.5CVSS6.3AI score0.00406EPSS

Exploits1References5Affected Software1

SUSE CVE•added 2026/03/28 12:27 a.m.•2 views

SUSE CVE-2026-32301

Centrifugo is an open-source scalable real-time messaging server. Prior to 6.7.0, Centrifugo is vulnerable to Server-Side Request Forgery SSRF when configured with a dynamic JWKS endpoint URL using template variables e.g. tenant. An unauthenticated attacker can craft a JWT with a malicious iss or...

9.3CVSS5.9AI score0.00258EPSS

Exploits1References3

RedhatCVE•added 2026/03/26 3:2 p.m.•1 views

CVE-2026-32301

9.3CVSS5.8AI score0.00258EPSS

Exploits1References1

Snyk•added 2026/03/25 7:41 p.m.•2 views

Cross-site Scripting (XSS)

Overview prestashop/prestashop is an Open Source e-commerce platform, committed to providing the best shopping cart experience for both merchants and customers. Affected versions of this package are vulnerable to Cross-site Scripting XSS in unprotected template variables in the back-office. An...

7.6CVSS5.9AI score0.0027EPSS

Exploits0References2

Positive Technologies•added 2026/03/25 12:0 a.m.•6 views

PT-2026-28174

Name of the Vulnerable Software and Affected Versions PrestaShop versions prior to 8.2.5 PrestaShop versions prior to 9.1.0 Description PrestaShop is susceptible to stored Cross-Site Scripting stored XSS issues within the back-office BO. An attacker capable of injecting data into the database,...

7.6CVSS5.8AI score0.0027EPSS

Exploits0References8

Snyk•added 2026/03/13 8:3 p.m.•1 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the fetchKey function. An attacker can cause the server to make arbitrary HTTP requests to attacker-controlled destinations by crafting a JWT with malicious claim values that are interpolated into th...

9.3CVSS5.9AI score0.00258EPSS

Exploits1References2