CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

CVE•added 2026/02/28 9:47 p.m.•11 views

CVE-2026-28558

wpForo Forum 2.4.14 is affected by a stored XSS via SVG avatar file upload. Authenticated subscribers can upload an SVG avatar containing CSS or JavaScript that executes in viewers’ browsers when viewing the attacker’s profile page. The issue is documented with CVSS v4.0 base score 5.1 (MEDIUM) a...

6.4CVSS5.8AI score0.00038EPSS

Exploits0References3Affected Software1

OSV•added 2026/02/28 12:45 p.m.•6 views

OESA-2026-1456 ImageMagick security update

Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats over 200 including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images,...

9.8CVSS6.7AI score0.00065EPSS

Exploits0References32

OSV•added 2026/02/28 12:45 p.m.•3 views

OESA-2026-1454 ImageMagick security update

9.8CVSS6.7AI score0.00065EPSS

Exploits0References32

OSV•added 2026/02/28 12:44 p.m.•6 views

OESA-2026-1452 ImageMagick security update

9.8CVSS6.7AI score0.00065EPSS

Exploits0References32

OSV•added 2026/02/27 10:23 p.m.•4 views

CVE-2026-28426 Statamic vulnerable to privilege escalation via stored cross-site scripting

Statmatic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.11 and 6.4.0, stored XSS vulnerability in svg and icon related components allow authenticated users with appropriate permissions to inject malicious JavaScript that executes when viewed by higher-privileg...

8.7CVSS5.8AI score0.00013EPSS

Exploits0References5

OSV•added 2026/02/27 2:17 a.m.•1 views

GO-2026-4553 Vikunja: Stored XSS via Unsanitized SVG Attachment Upload Leads to Token Exposure in code.vikunja.io/api

Vikunja: Stored XSS via Unsanitized SVG Attachment Upload Leads to Token Exposure in code.vikunja.io/api...

7.3CVSS5.8AI score0.00065EPSS

Snyk•added 2026/02/27 2:17 a.m.•3 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the GetTaskAttachment handler in the API attachment download component. An attacker can execute arbitrary JavaScript and expose authentication tokens by uploading an SVG attachment whose crafted filename...

7.6CVSS5.7AI score0.00065EPSS

Snyk•added 2026/02/27 2:17 a.m.•1 views

Cross-site Scripting (XSS)

7.6CVSS5.7AI score0.00065EPSS

Veracode•added 2026/02/26 5:55 a.m.•5 views

Unauthorized Code Execution

nbconvert is vulnerable to unauthorized code execution. The vulnerability is due to improper handling of SVG-to-PDF conversion on Windows where a malicious inkscape.bat file in the working directory can be executed, which allows an attacker to run arbitrary code when a user performs the conversio...

8.5CVSS6.2AI score0.00014EPSS

Exploits1References8Affected Software1

EUVD•added 2026/02/25 10:40 p.m.•2 views

EUVD-2026-8752

Vikunja: Stored XSS via Unsanitized SVG Attachment Upload Leads to Token Exposure...

7.3CVSS5.3AI score0.00065EPSS

Exploits1References4

NVD•added 2026/02/25 10:16 p.m.•2 views

CVE-2026-27616

Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to upload SVG files as task attachments. SVG is an XML-based format that supports JavaScript execution through elements such as tags or event handlers like onload. The application...

7.3CVSS0.00065EPSS

OSV•added 2026/02/25 9:37 p.m.•2 views

CVE-2026-27616 Vikunja Vulnerable to Stored Cross-Site Scripting (XSS) via Unsanitized SVG Attachment Upload Leading to Token Exposure

7.3CVSS5.7AI score0.00065EPSS

Exploits1References5

ATTACKERKB•added 2026/02/25 9:37 p.m.•1 views

CVE-2026-27616

7.3CVSS7.4AI score0.00065EPSS

Exploits1References4Affected Software1

Cvelist•added 2026/02/25 9:37 p.m.•18 views

CVE-2026-27616 Vikunja Vulnerable to Stored Cross-Site Scripting (XSS) via Unsanitized SVG Attachment Upload Leading to Token Exposure

7.3CVSS0.00065EPSS

Vulnrichment•added 2026/02/25 9:33 p.m.•4 views

CVE-2026-27116 Vikunja has Reflected HTML Injection via filter Parameter in Projects Module

Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, a reflected HTML injection vulnerability exists in the Projects module where the filter URL parameter is rendered into the DOM without output encoding when the user clicks "Filter." While and are blocked, , ,...

6.1CVSS5.4AI score0.00014EPSS

Exploits1References2

Snyk•added 2026/02/25 7:12 p.m.•4 views

Improper Encoding or Escaping of Output

Overview Magick.NET-Q16-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package a...

Snyk•added 2026/02/25 7:12 p.m.•2 views

Improper Encoding or Escaping of Output

Overview Magick.NET-Q8-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

Snyk•added 2026/02/25 7:12 p.m.•1 views

Improper Encoding or Escaping of Output

Overview Magick.NET-Q16-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

Snyk•added 2026/02/25 7:12 p.m.•4 views

Improper Encoding or Escaping of Output

Overview Magick.NET-Q8-x86 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...