
1715 matches found

NVD
added 9 hours ago, 3 views

CVE-2024-47263

An improper limitation of a pathname to a restricted directory 'Path Traversal' vulnerability in Backup.Repository webapi component in Synology Hyper Backup before 4.1.2-4036 allows remote authenticated users with administrator privileges to write specific files containing non-sensitive informati...

4.1 CVSS
Exploits 0, References 1
CVE
added 10 hours ago, 4 views

CVE-2024-47263

CVE-2024-47263 affects Synology Hyper Backup’s Backup.Repository webapi component. The vulnerability is a path traversal in versions prior to 4.1.2-4036 that allows remote authenticated users with administrator privileges to write specific files containing non-sensitive information through unspec...

4.1 CVSS, 5.8 AI score
Exploits 0, References 1
ATTACKERKB
added 10 hours ago, 3 views

CVE-2024-47263

An improper limitation of a pathname to a restricted directory 'Path Traversal' vulnerability in Backup.Repository webapi component in Synology Hyper Backup before 4.1.2-4036 allows remote authenticated users with administrator privileges to write specific files containing non-sensitive informati...

4.1 CVSS, 5.8 AI score
Exploits 0, References 2
Nuclei
added 17 hours ago, 6 views

Skitter Slideshow <= 2.5.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

The Skitter Slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.5.2 due to insufficient input sanitization and output escaping. id: CVE-2025-28906 info: name: Skitter Slideshow = 2.5.2 - Authenticated Administrator+ Stored Cross-Site...

5.9 CVSS, 7.3 AI score, 0.0007 EPSS
Exploits 0, References 3
CVE
added yesterday, 9 views

CVE-2026-7421

The Passeum Ticketing plugin for WordPress (all versions up to 1.0) is vulnerable to Stored XSS when the shop_name setting starts with http. The get_shop_url() method returns the raw shop_name without sufficient sanitization, and validate_shop_name() only checks for emptiness and type, allowing a...

4.4 CVSS, 6 AI score
Exploits 0, References 7
Vulnrichment
added yesterday, 3 views

CVE-2026-7421 Passeum Ticketing <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'shop_name' Setting

The Passeum Ticketing plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.0. This is due to the get_shop_url method returning the shop_name setting value without sanitization when it begins with "http", combined with insufficient validation in th...

4.4 CVSS, 6 AI score
Exploits 0, References 7
NVD
added 5 days ago, 9 views

CVE-2026-39276

The template upload feature in Emlog Pro v2.6.9 has a path traversal vulnerability, allowing authenticated administrators to execute arbitrary PHP code. By uploading a malicious ZIP archive containing directory traversal sequences in filenames, an attacker can overwrite default template files or...

7.2 CVSS, 0.00178 EPSS
Exploits 0, References 2
CVE
added 5 days ago, 12 views

CVE-2026-10039

The CVE-2026-10039 entry concerns the WordPress plugin Frontend Admin by DynamiApps. Affected versions up to and including 3.28.28 are vulnerable to a generic SQL Injection via the 'order' parameter due to insufficient escaping of user input and inadequate preparation of the existing SQL query. A...

4.9 CVSS, 6 AI score, 0.00027 EPSS
Exploits 0, References 6
Positive Technologies
added 5 days ago, 6 views

PT-2026-44901

The template upload feature in Emlog Pro v2.6.9 has a path traversal vulnerability, allowing authenticated administrators to execute arbitrary PHP code. By uploading a malicious ZIP archive containing directory traversal sequences in filenames, an attacker can overwrite default template files or...

6.1 AI score, 0.00178 EPSS
Exploits 0, References 3
CNNVD
added 5 days ago, 4 views

Emlog Pro Security Vulnerability

Emlog Pro is an open-source blog system developed by Emlog. Version 2.6.9 of Emlog Pro contains a security vulnerability, which stems from a path traversal vulnerability in the template upload function. This vulnerability allows authenticated administrators to execute arbitrary PHP code. By...

7.2 CVSS, 6.1 AI score, 0.00178 EPSS
Exploits 0, References 2
ATTACKERKB
added 5 days ago, 4 views

CVE-2026-39276

The template upload feature in Emlog Pro v2.6.9 has a path traversal vulnerability, allowing authenticated administrators to execute arbitrary PHP code. By uploading a malicious ZIP archive containing directory traversal sequences in filenames, an attacker can overwrite default template files or...

6.1 AI score, 0.00178 EPSS
Exploits 0, References 3
EUVD
added 5 days ago, 7 views

EUVD-2026-33351

The template upload feature in Emlog Pro v2.6.9 has a path traversal vulnerability, allowing authenticated administrators to execute arbitrary PHP code. By uploading a malicious ZIP archive containing directory traversal sequences in filenames, an attacker can overwrite default template files or...

7.2 CVSS, 6.1 AI score, 0.00178 EPSS
Exploits 0, References 2
CVE
added 2026/05/27 9:27 a.m., 9 views

CVE-2026-2288

CVE-2026-2288 affects the WordPress plugin myLinksDump (versions up to 1.6). The vulnerability is a Stored Cross-Site Scripting flaw triggered by the attack vector through the public-facing parameter 'link_title', caused by insufficient input sanitization and output escaping. Authentication requi...

4.8 CVSS, 6 AI score, 0.00032 EPSS
Exploits 0, References 5
Cvelist
added 2026/05/27 9:27 a.m., 22 views

CVE-2026-2280 rexCrawler <= 1.0.15 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings

The rexCrawler plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...

4.8 CVSS, 0.00025 EPSS
Exploits 0, References 5
Vulnrichment
added 2026/05/27 9:27 a.m., 7 views

CVE-2026-2280 rexCrawler <= 1.0.15 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings

The rexCrawler plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...

4.8 CVSS, 6 AI score, 0.00025 EPSS
Exploits 0, References 5
EUVD
added 2026/05/27 8:29 a.m., 7 views

EUVD-2024-55595

Cleartext transmission of sensitive information vulnerability in Export Key functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to obtain sensitive information via unspecified vectors...

4.9 CVSS, 5.8 AI score, 0.00021 EPSS
Exploits 0, References 1
Cvelist
added 2026/05/27 8:29 a.m., 25 views

CVE-2024-47269

Cleartext transmission of sensitive information vulnerability in Export Key functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to obtain sensitive information via unspecified vectors...

4.9 CVSS, 0.00021 EPSS
Exploits 0, References 1
Cvelist
added 2026/05/27 6:46 a.m., 23 views

CVE-2026-7618 EnvíaloSimple: Email Marketing y Newsletters <= 2.4.5 - Authenticated (Administrator+) SQL Injection via 'orderby' Parameter

The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

4.9 CVSS, 0.00036 EPSS
Exploits 0, References 7
Vulnrichment
added 2026/05/27 6:46 a.m., 3 views

CVE-2026-7618 EnvíaloSimple: Email Marketing y Newsletters <= 2.4.5 - Authenticated (Administrator+) SQL Injection via 'orderby' Parameter

The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

4.9 CVSS, 5.9 AI score, 0.00036 EPSS
Exploits 0, References 7
NVD
added 2026/05/26 3:16 p.m., 8 views

CVE-2026-42785

OpenKM 6.3.12 contains a remote code execution vulnerability that allows authenticated administrators to execute arbitrary Java/BeanShell code through the /admin/Scripting endpoint. Attackers can submit malicious script content with an action=Evaluate parameter to execute operating system command...

8.6 CVSS, 0.00549 EPSS
Exploits 0, References 7