Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

8416 matches found

Ubuntu
Ubuntuadded 2026/04/22 5:52 p.m.9 views

USN-8198-1: Tornado vulnerabilities

It was discovered that Tornado incorrectly handled parsing of large multipart request bodies. An attacker could possibly use this issue to cause a denial of service. CVE-2026-31958 It was discovered that Tornado did not properly validate characters in cookie values. An attacker could possibly use...

8.7CVSS5.8AI score0.00375EPSS
Exploits0
Github Security Blog
Github Security Blogadded 2026/04/22 5:42 p.m.7 views

i18nextify has DOM XSS via javascript:/data: URL schemes in translated href/src attributes

Summary Versions of i18nextify prior to 4.0.8 substitute key interpolation tokens inside src and href attribute values with the raw string returned by i18next.t. The substitution logic in src/localize.js replaceInside handler around line 122 only guards against a duplicated http:// origin prefix ...

4.7CVSS5.9AI score0.00144EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blogadded 2026/04/22 5:34 p.m.13 views

DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)

There is an inconsistency between FORBIDTAGS and FORBIDATTR handling when function-based ADDTAGS is used. Commit c361baa added an early exit for FORBIDATTR at line 1214: / FORBIDATTR must always win, even if ADDATTR predicate would allow it / if FORBIDATTRlcName return false; The same fix was not...

6.1CVSS5.7AI score0.00263EPSS
Exploits1References5Affected Software1
OSV
OSVadded 2026/04/22 5:31 p.m.4 views

GHSA-V9JR-RG53-9PGP DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback

Summary DOMPurify versions 3.0.1 through 3.3.3 latest are vulnerable to a prototype pollution-based XSS bypass. When an application uses DOMPurify.sanitize with the default configuration no CUSTOMELEMENTHANDLING option, a prior prototype pollution gadget can inject permissive tagNameCheck and...

6.9CVSS6AI score0.00205EPSS
Exploits0References4
EUVD
EUVDadded 2026/04/22 12:30 p.m.3 views

EUVD-2026-24717

The Gallagher Website Design plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's loginlink shortcode in all versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping on the 'prefix' attribute. This makes it possible for...

6.4CVSS5.9AI score0.00254EPSS
Exploits0References5
NVD
NVDadded 2026/04/22 10:16 a.m.6 views

CVE-2026-1913

The Gallagher Website Design plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's loginlink shortcode in all versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping on the 'prefix' attribute. This makes it possible for...

6.4CVSS0.00254EPSS
Exploits0References4
EUVD
EUVDadded 2026/04/22 9:31 a.m.2 views

EUVD-2026-24702

The Posts map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' shortcode attribute in all versions up to, and including, 0.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...

6.4CVSS5.9AI score0.00235EPSS
Exploits0References5
EUVD
EUVDadded 2026/04/22 9:31 a.m.4 views

EUVD-2026-24650

The Easy Social Photos Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wrapperclass' shortcode attribute of the 'my-instagram-feed' shortcode in all versions up to, and including, 3.1.2. This is due to insufficient input sanitization and output escaping on user...

6.4CVSS5.9AI score0.00288EPSS
Exploits0References6
EUVD
EUVDadded 2026/04/22 9:31 a.m.3 views

EUVD-2026-24644

The Quran Live Multilanguage plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cheikh' and 'lang' shortcode attributes in all versions up to, and including, 1.0.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Th...

6.4CVSS5.9AI score0.00378EPSS
Exploits0References14
EUVD
EUVDadded 2026/04/22 9:31 a.m.2 views

EUVD-2026-24666

The WPMK Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to and including 1.0.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, in the...

6.4CVSS5.9AI score0.00288EPSS
Exploits0References6
EUVD
EUVDadded 2026/04/22 9:31 a.m.2 views

EUVD-2026-24646

The Slider Bootstrap Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'category' and 'template' shortcode attributes in all versions up to and including 1.0.7. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attribute...

6.4CVSS5.9AI score0.00378EPSS
Exploits0References14
Cvelist
Cvelistadded 2026/04/22 9:27 a.m.25 views

CVE-2026-1913 Gallagher Website Design <= 2.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'prefix' Shortcode Attribute

The Gallagher Website Design plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's loginlink shortcode in all versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping on the 'prefix' attribute. This makes it possible for...

6.4CVSS0.00254EPSS
Exploits0References4
Vulnrichment
Vulnrichmentadded 2026/04/22 9:27 a.m.2 views

CVE-2026-1913 Gallagher Website Design <= 2.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'prefix' Shortcode Attribute

The Gallagher Website Design plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's loginlink shortcode in all versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping on the 'prefix' attribute. This makes it possible for...

6.4CVSS5.9AI score0.00254EPSS
Exploits0References4
NVD
NVDadded 2026/04/22 9:16 a.m.1 views

CVE-2026-6236

The Posts map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' shortcode attribute in all versions up to, and including, 0.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...

6.4CVSS0.00235EPSS
Exploits0References4
NVD
NVDadded 2026/04/22 9:16 a.m.2 views

CVE-2026-4125

The WPMK Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to and including 1.0.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, in the...

6.4CVSS0.00288EPSS
Exploits0References5
NVD
NVDadded 2026/04/22 9:16 a.m.3 views

CVE-2026-4085

The Easy Social Photos Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wrapperclass' shortcode attribute of the 'my-instagram-feed' shortcode in all versions up to, and including, 3.1.2. This is due to insufficient input sanitization and output escaping on user...

6.4CVSS0.00288EPSS
Exploits0References5
NVD
NVDadded 2026/04/22 9:16 a.m.3 views

CVE-2026-4074

The Quran Live Multilanguage plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cheikh' and 'lang' shortcode attributes in all versions up to, and including, 1.0.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Th...

6.4CVSS0.00378EPSS
Exploits0References13
CVE
CVEadded 2026/04/22 7:45 a.m.6 views

CVE-2026-6236

CVE-2026-6236 affects the WordPress plugin Posts map (versions up to and including 0.1.3). The root cause is insufficient input sanitization and output escaping for the 'name' shortcode attribute , leading to Stored Cross-Site Scripting. The vulnerability requires authenticated access at contribu...

6.4CVSS5.9AI score0.00235EPSS
Exploits0References4
Vulnrichment
Vulnrichmentadded 2026/04/22 7:45 a.m.0 views

CVE-2026-6236 Posts map <= 0.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'name' Shortcode Attribute

The Posts map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' shortcode attribute in all versions up to, and including, 0.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...

6.4CVSS5.9AI score0.00235EPSS
Exploits0References4
ATTACKERKB
ATTACKERKBadded 2026/04/22 7:45 a.m.4 views

CVE-2026-6236

The Posts map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' shortcode attribute in all versions up to, and including, 0.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...

6.4CVSS5.9AI score0.00235EPSS
Exploits0References5
Rows per page
Query Builder