CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

EUVD•added 2026/05/28 6:45 a.m.•11 views

EUVD-2026-32733

The a3 Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.7.6 This is due to a regex bug in the filtervideos method that breaks HTML attribute quoting when processing crafted elements, combined with unescaped output in the...

6.4CVSS5.8AI score0.00206EPSS

Vulnrichment•added 2026/05/28 6:45 a.m.•8 views

CVE-2026-6427 a3 Lazy Load <= 2.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Video Element

6.4CVSS5.8AI score0.00206EPSS

EUVD•added 2026/05/28 6:45 a.m.•6 views

EUVD-2026-32731

The PeachPay — Payments & Express Checkout for WooCommerce supports Stripe, PayPal, Square, Authorize.net, NMI plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.120.46. This is due to missing or incorrect nonce validation on the...

4.3CVSS5.7AI score0.00135EPSS

Vulnrichment•added 2026/05/28 6:45 a.m.•7 views

CVE-2026-9618 PeachPay <= 1.120.46 - Cross-Site Request Forgery to Stripe Unlink

4.3CVSS5.7AI score0.00135EPSS

Cvelist•added 2026/05/28 6:45 a.m.•35 views

CVE-2026-9618 PeachPay <= 1.120.46 - Cross-Site Request Forgery to Stripe Unlink

4.3CVSS0.00135EPSS

NVD•added 2026/05/28 6:16 a.m.•10 views

CVE-2026-7533

The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.7. This is due to missing nonce verification in the handleoauthredirect function, which is registered on the admininit hook and processes Square OAuth tokens from ...

4.3CVSS0.00135EPSS

ICS•added 2026/05/28 6:0 a.m.•9 views

XCharge C6

ADVISORY SUMMARY Successful exploitation of these vulnerabilities could allow an attacker to gain administrator rights or execute code on the affected device. 2. RECOMMENDED PRACTICES CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities...

6.3AI score

Exploits0References13

ICS•added 2026/05/28 6:0 a.m.•14 views

Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter

ADVISORY SUMMARY Successful exploitation of this vulnerability could result in an attacker gaining administrator access to the device. 2. RECOMMENDED PRACTICES CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Minimize network exposure for...

9.8CVSS5.8AI score0.00529EPSS

Exploits0References11

ATTACKERKB•added 2026/05/28 5:30 a.m.•10 views

CVE-2026-7533

4.3CVSS5.8AI score0.00135EPSS

Exploits0References9

EUVD•added 2026/05/28 5:30 a.m.•7 views

EUVD-2026-32725

4.3CVSS5.8AI score0.00135EPSS

NVD•added 2026/05/28 5:16 a.m.•12 views

CVE-2026-9795

A flaw was found in Keycloak's Fine-Grained Admin Permissions FGAPv2 feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scope mapping. This bypasses intended security...

7.3CVSS0.00223EPSS

NVD•added 2026/05/28 5:16 a.m.•12 views

CVE-2026-9796

A flaw was found in Keycloak. An authenticated administrator with the manage-clients role can exploit a Time-of-check to time-of-use TOCTOU vulnerability in the name-based admin role checks. This allows the attacker to escalate their privileges to realm-admin for all users within the realm,...

6.5CVSS0.00186EPSS

NVD•added 2026/05/28 5:16 a.m.•13 views

CVE-2026-7802

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.29.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...

8.8CVSS0.00402EPSS

Exploits0References14

NVD•added 2026/05/28 5:16 a.m.•12 views

CVE-2026-2374

The Login No Captcha reCAPTCHA plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the $SERVER'PHPSELF' superglobal in all versions up to, and including, 1.8.0. This is due to the authenticate function storing the unsanitized output of basename$SERVER'PHPSELF' in the...

7.2CVSS0.00241EPSS

Exploits0References7

EUVD•added 2026/05/28 4:27 a.m.•8 views

EUVD-2026-32716

Vulnrichment•added 2026/05/28 4:27 a.m.•5 views

CVE-2026-9796 Keycloak: keycloak: privilege escalation via time-of-check to time-of-use (toctou) vulnerability

ATTACKERKB•added 2026/05/28 4:27 a.m.•6 views

CVE-2026-9796

CVE•added 2026/05/28 4:27 a.m.•62 views

Exploits0References3

CVE-2026-9796

This CVE (CVE-2026-9796) affects Keycloak. An authenticated administrator with the manage-clients role can trigger a TOCTOU flaw in the name-based admin role checks, allowing escalation to realm-admin for all users in the realm. The compromised composite role relationship persists after the attac...