CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

15529 matches found

EUVD•added 2026/04/23 7:53 p.m.•4 views

EUVD-2026-25298

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the text-to-speech generation endpoint POST /api/v1/text-to-speech/generate is whitelisted no auth and accepts a credentialId directly in the request body. When called without a chatflowId, th...

8.2CVSS5.8AI score0.00124EPSS

Exploits1References1

ATTACKERKB•added 2026/04/23 7:53 p.m.•5 views

CVE-2026-41279

8.2CVSS5.8AI score0.00124EPSS

Exploits1References2Affected Software1

OSV•added 2026/04/23 12:1 p.m.•2 views

RLSA-2026:9345 Important: thunderbird security update

Mozilla Thunderbird is a standalone mail and newsgroup client. Security Fixes: libpng: libpng: Arbitrary code execution due to use-after-free vulnerability CVE-2026-33416 libpng: libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion...

8.8CVSS6.7AI score0.00071EPSS

Exploits1References6

Rockylinux•added 2026/04/23 12:1 p.m.•5 views

thunderbird security update

An update is available for thunderbird. This update affects Rocky Linux 8. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Mozilla Thunderbird is a standalone mail and newsgroup client. Security...

9.8CVSS6.7AI score0.00071EPSS

Exploits1

SUSE CVE•added 2026/04/23 1:29 a.m.•3 views

SUSE CVE-2026-0540

DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements noscript, xmp, noembed, noframes, iframe in the SAFEFORXML regex. Attacke...

6.1CVSS7.2AI score0.00014EPSS

Exploits0References3

Tenable Nessus•added 2026/04/23 12:0 a.m.•3 views

RockyLinux 8 : thunderbird (RLSA-2026:9345)

The remote RockyLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:9345 advisory. libpng: libpng: Arbitrary code execution due to use-after-free vulnerability CVE-2026-33416 libpng: libpng: Information disclosure and denial of service...

9.8CVSS6.5AI score0.00071EPSS

Exploits1References11

Packet Storm•added 2026/04/23 12:0 a.m.•76 views

📄 SocialEngine 7.8.0 SQL Injection

SocialEngine versions 7.8.0 and below suffer from a remote SQL injection vulnerability. User input passed through the text request parameter to the /activity/index/get-memberall endpoint is not properly sanitized before being used to construct an SQL query...

9.8CVSS5.8AI score0.00525EPSS

Exploits2

Positive Technologies•added 2026/04/23 12:0 a.m.•3 views

PT-2026-34664

SocialEngine versions 7.8.0 and prior contain a SQL injection vulnerability in the /activity/index/get-memberall endpoint where user-supplied input passed via the text parameter is not sanitized before being incorporated into a SQL query. An unauthenticated remote attacker can exploit this...

9.8CVSS6.3AI score0.00525EPSS

Exploits2References5

Positive Technologies•added 2026/04/23 12:0 a.m.•3 views

PT-2026-34747

8.2CVSS5.8AI score0.00124EPSS

Exploits1References2

CNNVD•added 2026/04/23 12:0 a.m.•7 views

Flowise 安全漏洞

Flowise is an open-source tool developed by FlowiseAI, designed for easily building LLM applications. Prior versions of Flowise, up to 3.1.0, contained a security vulnerability. This vulnerability stemmed from the text-to-speech generation endpoint accepting direct credentials IDs, allowing...

8.2CVSS5.7AI score0.00124EPSS

Exploits1References1

EUVD•added 2026/04/22 9:31 a.m.•2 views

EUVD-2026-24692

The Text Snippets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ts shortcode in all versions up to, and including, 0.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers,...

6.4CVSS5.9AI score0.00012EPSS

Exploits0References4

EUVD•added 2026/04/22 9:31 a.m.•2 views

EUVD-2026-24652

The Switch CTA Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wppwctabox' shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping on user-supplied post meta values including 'ctaboxbuttonlink',...

6.4CVSS5.9AI score0.00027EPSS

Exploits0References10

EUVD•added 2026/04/22 9:31 a.m.•4 views

EUVD-2026-24654

The Twittee Text Tweet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute in all versions up to and including 1.0.8. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The ttttwitteetweeter...

6.4CVSS5.9AI score0.00014EPSS

Exploits0References6

NVD•added 2026/04/22 9:16 a.m.•2 views

CVE-2026-5748

6.4CVSS0.00012EPSS

Exploits0References3

NVD•added 2026/04/22 9:16 a.m.•3 views

CVE-2026-4089

6.4CVSS0.00014EPSS

Exploits0References5

Vulnrichment•added 2026/04/22 7:45 a.m.•1 views

CVE-2026-5748 Text Snippets <= 0.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'w' Shortcode Attribute

6.4CVSS5.9AI score0.00012EPSS

Exploits0References3

ATTACKERKB•added 2026/04/22 7:45 a.m.•3 views

CVE-2026-5748

6.4CVSS5.9AI score0.00012EPSS

Exploits0References4

CVE•added 2026/04/22 7:45 a.m.•7 views

CVE-2026-5748

CVE-2026-5748 describes a Stored Cross-Site Scripting vulnerability in the Text Snippets WordPress plugin (versions up to 0.0.1) where the ts shortcode attribute is not properly sanitized/escaped. Authenticated attackers with contributor-level access can inject scripts into pages, which execute f...

6.4CVSS5.9AI score0.00012EPSS

Exploits0References3