Lucene search
K

59 matches found

EUVD
EUVD
added 4 days ago6 views

EUVD-2026-43120

The SimpLy Gallery Block & Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via block attributes in all versions up to, and including, 3.3.3.2. This is due to insufficient input sanitization and output escaping on the sliderMaxHeight block attribute in the...

6.4CVSS6.2AI score0.00259EPSS
Exploits0References10
Cvelist
Cvelist
added 2026/07/03 1:28 a.m.43 views

CVE-2026-12731 weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot <= 2.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'sectionTitleTag' and 'articleTitleTag' Block Attributes

The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'sectionTitleTag' and 'articleTitleTag' Block Attributes in all versions up to, and including, 2.3.0 due to insufficient input sanitization and outpu...

6.4CVSS0.00206EPSS
Exploits0References5
EUVD
EUVD
added 2026/07/01 3:43 a.m.9 views

EUVD-2026-40888

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blockid' and other shortcode attributes of the 'givewpcampaigncomments' shortcode in versions up to, and including, 4.16.0. This is due to insufficient input sanitizati...

6.4CVSS5.9AI score0.00241EPSS
Exploits0References12
Cvelist
Cvelist
added 2026/06/24 9:15 p.m.16 views

CVE-2026-54068 SiYuan: Unauthenticated SQLite Data Exfiltration via Template Injection in /api/icon/getDynamicIcon

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the /api/icon/getDynamicIcon endpoint is explicitly excluded from authentication in SiYuan's kernel router router.go, "不需要鉴权" -- no auth needed. When called with type=8 and a valid block id parameter, this endpoint...

5.9CVSS0.00239EPSS
Exploits0References1
OSV
OSV
added 2026/06/24 4:29 p.m.2 views

CVE-2026-53041 ocfs2: fix listxattr handling when the buffer is full

In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix listxattr handling when the buffer is full BUG If an OCFS2 inode has both inline and block-based xattrs, listxattr can return a size larger than the caller's buffer when the inline names consume that buffer exactly...

7.1CVSS6AI score0.00126EPSS
Exploits0References11
GithubExploit
GithubExploit
added 2026/06/08 2:29 p.m.95 views

Exploit for CVE-2026-7465

CVE-2026-7465 - Spectra Gutenberg Blocks Local Lab Local Dock...

8.8CVSS5.8AI score0.01174EPSS
Exploits3
CVE
CVE
added 2026/05/30 9:29 a.m.79 views

CVE-2026-7465

Summary (supported by provided documents): CVE-2026-7465 affects the WordPress plugin Spectra Gutenberg Blocks (ultimate-addons-for-gutenberg). In versions up to and including 2.19.25, an authenticated Contributor can influence post block attributes in uagb/* blocks, which are dynamically registe...

8.8CVSS6.1AI score0.01174EPSS
In wildExploits3References6
ATTACKERKB
ATTACKERKB
added 2026/05/28 5:30 a.m.10 views

CVE-2026-3173

The Meta Field Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.5.1. This is due to the plugin allowing users to specify arbitrary object IDs and object types via block attributes without validating whether the authenticated user...

6.5CVSS5.9AI score0.00243EPSS
Exploits0References5
Patchstack
Patchstack
added 2026/04/17 2:3 a.m.10 views

WordPress Kubio AI Page Builder plugin <= 2.7.2 - Missing Authorization to Authenticated (Contributor+) Limited File Upload via Kubio Block Attributes vulnerability

Missing Authorization to Authenticated Contributor+ Limited File Upload via Kubio Block Attributes vulnerability discovered by oolongeya - Dreamhack in WordPress Plugin Kubio AI Page Builder versions = 2.7.2...

5.3CVSS5.8AI score0.00536EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 2026/04/01 12:5 a.m.11 views

EUVD-2026-17685

SiYuan Desktop: Stored XSS in imported .sy.zip content leads to arbitrary command execution...

8.6CVSS6.2AI score0.00343EPSS
Exploits1References4
ATTACKERKB
ATTACKERKB
added 2026/03/31 9:47 p.m.4 views

CVE-2026-34585

SiYuan is a personal knowledge management system. Prior to version 3.6.2, a vulnerability allows crafted block attribute values to bypass server-side attribute escaping when an HTML entity is mixed with raw special characters. An attacker can embed a malicious IAL value inside a .sy document,...

8.6CVSS6.4AI score0.00343EPSS
Exploits1References4Affected Software1
Patchstack
Patchstack
added 2026/03/19 10:8 p.m.7 views

WordPress Info Cards plugin <= 2.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Block Attributes vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Block Attributes vulnerability discovered by Itthidej Aramsri Boeing777 in WordPress Plugin Info Cards versions = 2.0.7...

6.4CVSS5.8AI score0.00222EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/03/19 6:46 a.m.28 views

CVE-2026-4120 Info Cards <= 2.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Block Attributes

The Info Cards – Add Text and Media in Card Layouts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'btnUrl' parameter within the Info Cards block in all versions up to, and including, 2.0.7. This is due to insufficient input validation on URL schemes, specifically the...

6.4CVSS0.00222EPSS
Exploits0References8
CVE
CVE
added 2026/02/19 9:26 a.m.14 views

CVE-2026-2718

CVE-2026-2718 — Dealia for WordPress stores cross-site scripting via Gutenberg block attributes in all versions up to 1.0.8. Root cause: escaping in HTML attribute contexts relies on wp_kses() where esc_attr() is required, allowing authenticated attackers with Contributor+ access to inject script...

6.4CVSS6.1AI score0.00188EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/02/19 12:0 a.m.6 views

PT-2026-20795

The Dealia – Request a Quote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Gutenberg block attributes in all versions up to, and including, 1.0.6. This is due to the use of wp kses for output escaping within HTML attribute contexts where esc attr is required. This makes it...

6.4CVSS5.7AI score0.00188EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/02/06 12:0 a.m.10 views

WordPress plugin Yoast SEO 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

6.4CVSS5.8AI score0.00188EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/01/20 8:22 p.m.5 views

CVE-2026-23852

SiYuan is a personal knowledge management system. Versions prior to 3.5.4 have a stored Cross-Site Scripting XSS vulnerability that allows an attacker to inject arbitrary HTML attributes into the icon attribute of a block via the /api/attr/setBlockAttrs API. The payload is later rendered in the...

9.6CVSS6.6AI score0.00679EPSS
Exploits1References1
NVD
NVD
added 2026/01/19 8:15 p.m.10 views

CVE-2026-23852

SiYuan is a personal knowledge management system. Versions prior to 3.5.4 have a stored Cross-Site Scripting XSS vulnerability that allows an attacker to inject arbitrary HTML attributes into the icon attribute of a block via the /api/attr/setBlockAttrs API. The payload is later rendered in the...

9.6CVSS0.00679EPSS
Exploits1References2
OSV
OSV
added 2026/01/19 8:0 p.m.6 views

CVE-2026-23852 SiYuan vulnerable to Stored XSS / RCE via `setBlockAttrs` icon attribute

SiYuan is a personal knowledge management system. Versions prior to 3.5.4 have a stored Cross-Site Scripting XSS vulnerability that allows an attacker to inject arbitrary HTML attributes into the icon attribute of a block via the /api/attr/setBlockAttrs API. The payload is later rendered in the...

6.5CVSS6.6AI score0.00679EPSS
Exploits1References4
EUVD
EUVD
added 2026/01/19 8:0 p.m.5 views

EUVD-2026-3290

SiYuan is a personal knowledge management system. Versions prior to 3.5.4 have a stored Cross-Site Scripting XSS vulnerability that allows an attacker to inject arbitrary HTML attributes into the icon attribute of a block via the /api/attr/setBlockAttrs API. The payload is later rendered in the...

6.5CVSS6.6AI score0.00679EPSS
Exploits1References2
Rows per page
Query Builder