CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

CVE•added 2026/06/09 12:57 p.m.•20 views

CVE-2026-11786

CVE-2026-11786 affects the 389 Directory Server (389-ds-base). The issue is a heap-out-of-bounds read in the LDIF parser when processing attribute types with trailing semicolons during database import, traced to ldif parser function str2entry_state_information_from_type(). Consequences are descri...

6.5CVSS5.6AI score0.00171EPSS

Exploits0References3Affected Software3

NVD•added 2026/06/09 5:16 a.m.•11 views

CVE-2026-7662

The ePaperFlip Publisher plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'publicationid' attribute of the epaperflipembed shortcode in all versions up to, and including, 1. This is due to insufficient input sanitization and output escaping on the shortcode attribute whic...

6.4CVSS0.00198EPSS

NVD•added 2026/06/09 5:16 a.m.•9 views

CVE-2026-41846

Spring MVC applications which accept user-supplied values in the cssClass, cssErrorClass, or cssStyle attributes of JSP form tags allow arbitrary HTML/JavaScript code injection, potentially resulting in a cross-site scripting XSS vulnerability. Affected versions: Spring Framework 7.0.0 through...

6.1CVSS0.0014EPSS

Cvelist•added 2026/06/09 3:50 a.m.•30 views

CVE-2026-41846 Spring Framework Cross-site Scripting via JSP Form Tags

5.9CVSS0.0014EPSS

EUVD•added 2026/06/09 3:50 a.m.•9 views

EUVD-2026-35334

5.9CVSS5.4AI score0.0014EPSS

Vulnrichment•added 2026/06/09 3:50 a.m.•6 views

CVE-2026-41846 Spring Framework Cross-site Scripting via JSP Form Tags

5.9CVSS5.4AI score0.0014EPSS

CVE•added 2026/06/09 3:50 a.m.•23 views

CVE-2026-41846

The CVE concerns Spring Framework: JSP form tag attributes cssClass, cssErrorClass, and cssStyle in Spring MVC applications can be exploited to inject arbitrary HTML/JavaScript, enabling cross-site scripting (XSS). Affected versions are Spring Framework 7.0.0–7.0.7; 6.2.0–6.2.18; 6.1.0–6.1.27; 5....

6.1CVSS5.4AI score0.0014EPSS

Exploits0References1Affected Software1

EUVD•added 2026/06/09 3:41 a.m.•6 views

EUVD-2026-35317

The kk blog card plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'blog-card' shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on the shortcode's 'href' and 'type' attributes, which are...

CVE-2026-8895 kk blog card <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

Cvelist•added 2026/06/09 3:41 a.m.•29 views

CVE-2026-10738 jQuery Hover Footnotes <= 1.4 - Authenticated (Author+) Stored Cross-Site Scripting via Footnote Qualifier ('{{...}}' Syntax)

The jQuery Hover Footnotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Footnote Qualifier '...' Syntax in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS0.00261EPSS

Exploits0References5

CVE•added 2026/06/09 3:41 a.m.•14 views

CVE-2026-7662

CVE-2026-7662 describes a Stored Cross-Site Scripting vulnerability in the WordPress plugin ePaperFlip Publisher (versions

6.4CVSS5.7AI score0.00198EPSS

Cvelist•added 2026/06/09 3:41 a.m.•28 views

CVE-2026-7662 ePaperFlip Publisher <= 1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'publicationid' Shortcode Attribute

6.4CVSS0.00198EPSS

6.4CVSS5.7AI score0.00198EPSS

CVE-2026-8880 RomanCart Ecommerce <= 2.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The RomanCart Ecommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blclass' attribute and other attributes of the romancartbutton shortcode in versions up to, and including, 2.0.8. This is due to insufficient input sanitization and output escaping on user supplied...

6.4CVSS5.7AI score0.00235EPSS

CVE-2026-10024 TinyMCE shortcode Addon <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'btnrel' Shortcode Attribute

The TinyMCE shortcode Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'btnrel' Shortcode Attribute in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

Cvelist•added 2026/06/09 3:41 a.m.•30 views

CVE-2026-10024 TinyMCE shortcode Addon <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'btnrel' Shortcode Attribute

6.4CVSS0.00235EPSS

EUVD•added 2026/06/09 3:41 a.m.•6 views

EUVD-2026-35303

6.4CVSS5.7AI score0.00235EPSS

CVE•added 2026/06/09 3:41 a.m.•13 views

CVE-2026-10024

CVE-2026-10024 affects the TinyMCE shortcode Addon for WordPress (versions

6.4CVSS5.7AI score0.00235EPSS

CVE•added 2026/06/09 3:41 a.m.•11 views

CVE-2026-8841

CVE-2026-8841 affects the WordPress plugin Extra Settings for RocketChat (versions ≤ 0.1). The vulnerability is a Stored Cross-Site Scripting via the rocketchat shortcode’s title attribute caused by insufficient input sanitization/output escaping in the rxstg_shortcode() function, which directly ...

CVE-2026-8841 Extra Settings for RocketChat <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Extra Settings for RocketChat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rocketchat' shortcode's 'title' attribute in versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping in the rxstgshortcode function, which...