CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

233 matches found

CVE-2026-31019

In the Website module of Dolibarr ERP & CRM 22.0.4 and below, the application uses blacklist-based filtering to restrict dangerous PHP functions related to system command execution. An authenticated user with permission to edit PHP content can bypass this filtering, resulting in full remote code...

8.8CVSS6.8AI score0.00119EPSS

Exploits0References1

RedhatCVE•added yesterday•2 views

CVE-2026-41518

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In versions 4.9.0 through 5.0.0, an authenticated user with project-editor permissions can store arbitrary HTML/JavaScript in the ChartDatasetConfig.legend field. The...

7.6CVSS5.8AI score0.00034EPSS

Exploits0References1

RedhatCVE•added yesterday•3 views

CVE-2026-42841

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with page editing permissions can inject an executable JavaScript event-handler attribute into rendered image HTML through Grav's Markdown media action syntax. The issue is caused by Markdown image query parameters...

6.9CVSS5.6AI score0.00023EPSS

Exploits1References1

RedhatCVE•added yesterday•2 views

CVE-2026-6169

The affiliate-toolkit plugin for WordPress is vulnerable to remote code execution in all versions up to, and including, 3.8.5. This is due to the plugin using the BladeOne templating engine's runString method which compiles user-supplied template content into PHP code and executes it via eval...

7.2CVSS6.7AI score0.00322EPSS

Exploits0References1

RedhatCVE•added yesterday•3 views

CVE-2026-48527

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions up to and including 26.0.0 are affected by a stored cross-site scripting XSS vulnerability in the /system/api/saveNode endpoint. An authenticated user with a permission to edit pages can bypass the HTML sanitizer by...

8.7CVSS5.2AI score0.00033EPSS

Exploits0References1

NVD•added 2 days ago•5 views

CVE-2026-41518

7.6CVSS0.00034EPSS

Exploits0References1

Positive Technologies•added 2 days ago•7 views

PT-2026-46317

7.6CVSS6AI score0.00034EPSS

Exploits0References2

Positive Technologies•added 4 days ago•7 views

PT-2026-45790

Improper access control in the permission validation component in Devolutions Server 2026.1.19 and earlier allows an authenticated user with entry edit privileges to modify asset information without the required permission...

5.8AI score0.0003EPSS

Exploits0References2

NVD•added 2026/05/29 1:16 p.m.•7 views

CVE-2026-48527

8.7CVSS0.00033EPSS

Exploits0References1

EUVD•added 2026/05/29 12:26 p.m.•9 views

EUVD-2026-33286

8.7CVSS5.6AI score0.00033EPSS

Exploits0References1

CVE•added 2026/05/29 12:26 p.m.•16 views

CVE-2026-48527

HAX CMS (PHP/NodeJS backends) is affected up to version 26.0.0 by a stored XSS in the /system/api/saveNode endpoint. An authenticated user with page-edit permissions can bypass the HTML sanitizer by injecting an event handler attribute without whitespace before the attribute name. Affected compon...

8.7CVSS5.6AI score0.00033EPSS

Exploits0References1

CNNVD•added 2026/05/29 12:0 a.m.•6 views

HAX 安全漏洞

HAX is an open-source microsite managed using HAX+CMS with a PHP backend. Versions of HAX 26.0.0 and earlier contained security vulnerabilities. These vulnerabilities stemmed from the /system/api/saveNode endpoint, which had a storage-oriented cross-site scripting vulnerability. Users with edit...

8.7CVSS5.7AI score0.00033EPSS

Exploits0References1

Positive Technologies•added 2026/05/29 12:0 a.m.•5 views

PT-2026-44828

8.7CVSS5.6AI score0.00033EPSS

Exploits0References2

Cvelist•added 2026/05/27 6:46 a.m.•25 views

CVE-2026-6169 affiliate-toolkit <= 3.8.5 - Authenticated (Editor+) Remote Code Execution

7.2CVSS0.00322EPSS

Exploits0References4

CVE•added 2026/05/27 6:46 a.m.•13 views

CVE-2026-6169

The affected product is the WordPress plugin affiliate-toolkit (versions up to 3.8.5). The root cause is the plugin using the BladeOne templating engine’s runString() to compile user-supplied template content into PHP code and then executing it via eval() without sanitization or sandboxing. This ...

7.2CVSS6.7AI score0.00322EPSS

Exploits0References4

Vulnrichment•added 2026/05/27 6:46 a.m.•5 views

CVE-2026-6169 affiliate-toolkit <= 3.8.5 - Authenticated (Editor+) Remote Code Execution

7.2CVSS6.7AI score0.00322EPSS

Exploits0References4

RedhatCVE•added 2026/05/26 11:16 a.m.•9 views

CVE-2026-4093

A flaw was found in the Drupal 7 Term Reference Tree module. This vulnerability, a type of stored Cross-Site Scripting XSS, allows an authenticated attacker with permissions to edit or create taxonomy terms to inject malicious scripts. These scripts can execute when a user views a form containing...

5.4CVSS5.8AI score0.00029EPSS

Exploits1References2

NVD•added 2026/05/23 7:16 p.m.•5 views

CVE-2018-25353

Redaxo CMS Mediapool Addon 5.5.1 and older contains an arbitrary file upload vulnerability that allows authenticated users to bypass file extension blacklist restrictions. Attackers with editor accounts can upload executable files by using obfuscated extensions like php71 or php53 to evade the...

8.8CVSS0.00061EPSS

Exploits0References4

Cvelist•added 2026/05/23 6:30 p.m.•9 views

CVE-2018-25353 Redaxo CMS Mediapool Addon 5.5.1 Arbitrary File Upload

8.8CVSS0.00061EPSS

Exploits0References4

CVE•added 2026/05/23 6:30 p.m.•18 views

CVE-2018-25353

Affected software: Redaxo CMS Mediapool Addon 5.5.1 and older. Vulnerability: Arbitrary file upload via bypassing the extension blacklist, enabled by obfuscated extensions (e.g., php71, php53). Impact: Authenticated editor users can upload executable files, potentially achieving code execution (h...

8.8CVSS6AI score0.00061EPSS

Exploits0References4

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by