CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Positive Technologies•added 2026/05/13 12:0 a.m.•8 views

PT-2026-40809

MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, a SQL injection vulnerability existed in the handling of user-controlled ordering parameters in the event and shadow attribute listing endpoints. The affected code accepted order or sort values from request paramete...

9.3CVSS5.9AI score0.00227EPSS

Exploits0References2

Drupal•added 2026/05/13 12:0 a.m.•9 views

Colorbox Inline - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-036

This module enables you to open content already on the page within a colorbox. The module doesn't sufficiently sanitize the data-colorbox-inline attribute value before passing it to jQuery, leading to a Cross-Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an...

5.4CVSS5.8AI score0.00177EPSS

Exploits0References2

Tenable Nessus•added 2026/05/13 12:0 a.m.•6 views

RockyLinux 8 : glib2 (RLSA-2026:15953)

The remote RockyLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:15953 advisory. glib: GLib: Buffer underflow in GVariant parser leads to heap corruption CVE-2025-14087 glib: Integer Overflow in GLib GIO Attribute Escaping Causes Hea...

9.8CVSS6.6AI score0.00754EPSS

NVD•added 2026/05/12 10:16 p.m.•6 views

CVE-2026-40863

PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the SpreadsheetML XML reader Reader\Xml does not validate the ss:Index row attribute against the maximum allowed row count AddressRange::MAXROW = 1,048,576. An attack...

7.5CVSS0.00395EPSS

Exploits1References1

EUVD•added 2026/05/12 9:31 a.m.•4 views

EUVD-2026-29403

The Credits Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' attribute of the 'credits' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

EUVD•added 2026/05/12 9:31 a.m.•7 views

EUVD-2026-29400

The Voyage Plus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' attribute of the 'post-content' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible fo...

EUVD•added 2026/05/12 9:31 a.m.•20 views

EUVD-2026-29396

The Next Date plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'default' shortcode attribute in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attacker...

EUVD•added 2026/05/12 9:31 a.m.•24 views

EUVD-2026-29401

The Quick Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' attribute of the 'qtbl' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

EUVD•added 2026/05/12 9:31 a.m.•5 views

EUVD-2026-29395

The SP Blog Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'design' attribute of the wpsbdpostcarousel shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

NVD•added 2026/05/12 9:16 a.m.•12 views

CVE-2026-6247

The scratchblocks for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'element' attribute of the 'scratchblocks' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

NVD•added 2026/05/12 9:16 a.m.•6 views

CVE-2026-6256

NVD•added 2026/05/12 9:16 a.m.•29 views

CVE-2026-4920

NVD•added 2026/05/12 9:16 a.m.•11 views

CVE-2026-2300

The BJ Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the filterimages function in all versions up to, and including, 1.0.9. This is due to the use of regex-based HTML processing pregreplace that does not properly handle HTML attribute boundaries when replacing sr...

6.4CVSS0.00193EPSS

Cvelist•added 2026/05/12 7:48 a.m.•36 views

CVE-2026-2300 BJ Lazy Load <= 1.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom HTML Block

6.4CVSS0.00193EPSS

Vulnrichment•added 2026/05/12 7:48 a.m.•6 views

CVE-2026-2300 BJ Lazy Load <= 1.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom HTML Block

6.4CVSS6AI score0.00193EPSS

ATTACKERKB•added 2026/05/12 7:48 a.m.•3 views

CVE-2026-6247

CVE•added 2026/05/12 7:48 a.m.•10 views

CVE-2026-6247

The CVE concerns the WordPress plugin scratchblocks for WP (versions up to 1.0.1). It is vulnerable to a Stored Cross-Site Scripting (XSS) flaw via the 'element' attribute of the scratchblocks shortcode. Exploitation requires authenticated access at Contributor level or higher , and an attacker c...

Cvelist•added 2026/05/12 7:48 a.m.•46 views

CVE-2026-6247 scratchblocks for WP <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'element' Shortcode Attribute