Lucene search
K

140 matches found

EUVD
EUVD
added 5 days ago7 views

EUVD-2026-42012

The uncanny-automator-pro WordPress plugin before 7.3.0.6 was distributed with malicious code after the vendor's uncanny-automator-pro WordPress plugin before 7.3.0.6 update/distribution infrastructure was compromised; the injected backdoor grants unauthenticated attackers an administrator sessio...

9.8CVSS6AI score0.00303EPSS
Exploits0References1
CVE
CVE
added 2026/06/30 6:0 a.m.12 views

CVE-2026-11581

The CVE-2026-11581 entry concerns the Kali Forms — Contact Form & Drag-and-Drop Builder for WordPress, vulnerable before version 2.4.13. The form captions (columns on the form-entries admin screen) are not sanitized, allowing stored XSS where a user with Contributor-level access (or higher) can i...

5.9CVSS5.8AI score0.0014EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/30 6:0 a.m.8 views

EUVD-2026-40261

The Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.13 does not sanitise a form field's caption before outputting it as a column header on the administrator form-entries screen, allowing users with Contributor-level access or above to store JavaScript that executes i...

5.9CVSS5.8AI score0.0014EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:16 p.m.9 views

CVE-2026-42197

RELATE is a web-based courseware package. Versions prior to commit 555f0efb1c5bd7531c07cd73724d7e566a81f620 have a stored cross-site scripting vulnerability that allows any enrolled student to execute arbitrary JavaScript in an administrator's browser session, potentially leading to full admin...

8.7CVSS5.7AI score0.0031EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/30 8:13 a.m.19 views

CVE-2026-45343

LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, LinkAce contains a stored cross-site scripting vulnerability that allows a low-privilege user to execute arbitrary JavaScript in an administrator's browser session. This affects instances configured with SSO/OAuth...

8.5CVSS5.9AI score0.00306EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/05/29 10:7 p.m.22 views

Admidio PKCS#12 private key export action lacks CSRF protection

Summary The sensitive mode=export action in modules/sso/keys.php exports a PKCS12 bundle containing the configured private key and certificate, but the CSRF validation line is commented out. A forged cross-site POST from an administrator session can therefore trigger private key export without a...

5.8AI score0.00009EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/29 12:0 a.m.17 views

PT-2026-45042

Summary The sensitive mode=export action in modules/sso/keys.php exports a PKCS12 bundle containing the configured private key and certificate, but the CSRF validation line is commented out. A forged cross-site POST from an administrator session can therefore trigger private key export without a...

4.3CVSS5.8AI score0.00009EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/06 7:42 p.m.30 views

CVE-2026-40309 Masa CMS CSRF in trash management allows unauthorized permanent deletion of deleted content

Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the cTrash.empty function does not validate anti-CSRF tokens for trash management requests. An attacker can induce a logged-in administrator to submit a forged request that empties the trash and permanent...

7.2CVSS0.00165EPSS
Exploits0References1
Packet Storm
Packet Storm
added 2026/05/05 12:0 a.m.73 views

📄 FacturaScripts 2025.43 Cross Site Scripting

FacturaScripts 2025.43 suffers from a persistent cross site scripting vulnerability in the product file upload functionality. Exploit Title: FacturaScripts 2025.43 - XSS Date: 30-12-2025 Exploit Author: VETTRIVEL U Author Profile: https://www.linkedin.com/in/vettrivel2006 Vendor Homepage:...

5.4CVSS5.3AI score0.00981EPSS
Exploits2
Exploit DB
Exploit DB
added 2026/04/29 12:0 a.m.99 views

FacturaScripts 2025.43 - XSS

Exploit Title: FacturaScripts 2025.43 - XSS Date: 30-12-2025 Exploit Author: VETTRIVEL U Author Profile: https://www.linkedin.com/in/vettrivel2006 Vendor Homepage: https://facturascripts.com/ Software Link: https://github.com/NeoRazorX/facturascripts Affected Versions: = 2025.4, = 2025.11, =...

5.4CVSS5.2AI score0.00981EPSS
Exploits2
Cvelist
Cvelist
added 2026/04/24 8:40 p.m.32 views

CVE-2026-41472 CyberPanel < 2.4.4 Stored XSS via AI Scanner Dashboard

CyberPanel versions prior to 2.4.4 contain a stored cross-site scripting vulnerability in the AI Scanner dashboard where the POST /api/ai-scanner/callback endpoint lacks authentication and allows unauthenticated attackers to inject malicious JavaScript by overwriting the findingsjson field of...

5.3CVSS0.00504EPSS
Exploits1References3
Snyk
Snyk
added 2026/04/20 10:15 p.m.4 views

Missing Origin Validation in WebSockets

Overview Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets via missing origin validation in all WebSocket endpoints. An attacker can gain unauthorized access to authenticated WebSocket sessions by tricking a logged-in administrator into visiting a malicio...

8.1CVSS5.4AI score0.00176EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/04/20 1:54 p.m.30 views

CVE-2026-34429 Vvveb < 1.0.8.1 Stored XSS via Media Upload and Rename

Vvveb prior to 1.0.8.1 contains a stored cross-site scripting vulnerability that allows authenticated users with media upload and rename permissions to execute arbitrary JavaScript by bypassing MIME type validation and renaming uploaded files to executable extensions. Attackers can prepend a GIF8...

5.4CVSS0.00281EPSS
Exploits0References5
CVE
CVE
added 2026/04/20 1:54 p.m.14 views

CVE-2026-34429

Summary: CVE-2026-34429 affects Vvveb versions prior to 1.0.8.1. A stored XSS vulnerability exists in the media upload/rename flow when MIME-type validation is bypassed and files are renamed to executable extensions. Attackers who have media upload and rename permissions can prepend a GIF89a head...

5.4CVSS6.2AI score0.00281EPSS
Exploits0References5
EUVD
EUVD
added 2026/04/09 9:44 p.m.4 views

EUVD-2026-21210

Dockyard is a Docker container management app. Prior to 1.1.0, Docker container start and stop operations are performed through GET requests without CSRF protection. A remote attacker can cause a logged-in administrator's browser to request /apps/action.php?action=stop&name= or...

6.5CVSS6AI score0.00107EPSS
Exploits0References1
CNVD
CNVD
added 2026/04/09 12:0 a.m.2 views

OpenClaw Authorization Bypass Vulnerability (CNVD-2026-16685)

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from an authorization bypass vulnerability that can be exploited by an attacker to access administrator-specific session reset logic to reset the state of a target session...

6.9CVSS5.7AI score0.00096EPSS
Exploits0
NVD
NVD
added 2026/04/02 2:16 p.m.6 views

CVE-2026-2737

A vulnerability exists in Progress Flowmon versions prior to 12.5.8 and 13.0.6, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session...

8.5CVSS0.00196EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/03/16 4:55 p.m.27 views

CVE-2026-29520 Hereta ETH-IMC408M Reflected XSS via ping_ipaddr Parameter

Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a reflected cross-site scripting vulnerability in the Network Diagnosis ping function that allows attackers to execute arbitrary JavaScript. Attackers can craft malicious links with injected script payloads in the pingipaddr parameter t...

6.1CVSS0.00155EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/03/16 4:55 p.m.2 views

CVE-2026-29520 Hereta ETH-IMC408M Reflected XSS via ping_ipaddr Parameter

Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a reflected cross-site scripting vulnerability in the Network Diagnosis ping function that allows attackers to execute arbitrary JavaScript. Attackers can craft malicious links with injected script payloads in the pingipaddr parameter t...

6.1CVSS5.9AI score0.00155EPSS
Exploits0References2
OSV
OSV
added 2026/02/19 1:16 p.m.5 views

CVE-2019-25425

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the VIRUSADMIN parameter. Attackers can send POST requests to the smtpconfig endpoint with script payloads to execute arbitrary...

5.1CVSS5.9AI score0.00344EPSS
Exploits1References4
Rows per page
Query Builder