Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

11989 matches found

Patchstack
Patchstackadded 2026/05/13 6:18 p.m.8 views

WordPress Bold Page Builder plugin <= 5.6.8 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by zaim in WordPress Plugin Bold Page Builder versions = 5.6.8...

6.4CVSS5.8AI score0.00156EPSS
Exploits0References1Affected Software1
NVD
NVDadded 2026/05/13 4:16 p.m.7 views

CVE-2026-44665

fast-xml-builder builds XML from JSON. Prior to 1.1.7, when an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML. This vulnerabili...

6.1CVSS0.00194EPSS
Exploits0References1
NVD
NVDadded 2026/05/13 4:16 p.m.19 views

CVE-2026-44664

fast-xml-builder builds XML from JSON. In 1.1.5, the fix for CVE-2026-41650 in fast-xml-parser sanitizes -- sequences in XML comment content using .replace/--/g, '- -'. This skip the values containing three consecutive dashes e.g., ---..., allowing an attacker to break out of an XML comment and...

6.1CVSS0.00194EPSS
Exploits0References1
Vulnrichment
Vulnrichmentadded 2026/05/13 3:27 p.m.6 views

CVE-2026-44664 fast-xml-builder: Comment Value bypass regex

fast-xml-builder builds XML from JSON. In 1.1.5, the fix for CVE-2026-41650 in fast-xml-parser sanitizes -- sequences in XML comment content using .replace/--/g, '- -'. This skip the values containing three consecutive dashes e.g., ---..., allowing an attacker to break out of an XML comment and...

6.1CVSS5.9AI score0.00194EPSS
Exploits0References1
ATTACKERKB
ATTACKERKBadded 2026/05/13 3:27 p.m.4 views

CVE-2026-44664

fast-xml-builder builds XML from JSON. In 1.1.5, the fix for CVE-2026-41650 in fast-xml-parser sanitizes -- sequences in XML comment content using .replace/--/g, '- -'. This skip the values containing three consecutive dashes e.g., ---..., allowing an attacker to break out of an XML comment and...

6.1CVSS5.9AI score0.00238EPSS
Exploits1References2Affected Software1
CVE
CVEadded 2026/05/13 3:27 p.m.19 views

CVE-2026-44664

The CVE concerns fast-xml-builder, which converts JSON to XML. In version 1.1.5, the fix for CVE-2026-41650 in fast-xml-parser sanitized -- sequences in XML comments via .replace(/--/g, '- -'), allowing an attacker to break out of a comment and inject arbitrary XML/HTML. The issue is addressed in...

6.1CVSS5.9AI score0.00194EPSS
Exploits0References1
Cvelist
Cvelistadded 2026/05/13 3:27 p.m.47 views

CVE-2026-44664 fast-xml-builder: Comment Value bypass regex

fast-xml-builder builds XML from JSON. In 1.1.5, the fix for CVE-2026-41650 in fast-xml-parser sanitizes -- sequences in XML comment content using .replace/--/g, '- -'. This skip the values containing three consecutive dashes e.g., ---..., allowing an attacker to break out of an XML comment and...

6.1CVSS0.00194EPSS
Exploits0References1
Vulnrichment
Vulnrichmentadded 2026/05/13 3:24 p.m.10 views

CVE-2026-44665 fast-xml-builder: Attribute values with unwanted quotes can bypass malicious or unwanted attributes

fast-xml-builder builds XML from JSON. Prior to 1.1.7, when an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML. This vulnerabili...

6.1CVSS5.8AI score0.00194EPSS
Exploits0References1
CVE
CVEadded 2026/05/13 3:24 p.m.23 views

CVE-2026-44665

Summary of CVE-2026-44665 details (from provided sources): The vulnerability affects the fast-xml-builder library, where input data containing quotes in attribute values, if the processEntities flag is not enabled, can cause an attribute value to be split into multiple attributes. This enables an...

6.1CVSS5.8AI score0.00194EPSS
Exploits0References1
ATTACKERKB
ATTACKERKBadded 2026/05/13 3:24 p.m.3 views

CVE-2026-44665

fast-xml-builder builds XML from JSON. Prior to 1.1.7, when an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML. This vulnerabili...

6.1CVSS5.8AI score0.00194EPSS
Exploits0References2Affected Software1
Cvelist
Cvelistadded 2026/05/13 3:24 p.m.28 views

CVE-2026-44665 fast-xml-builder: Attribute values with unwanted quotes can bypass malicious or unwanted attributes

fast-xml-builder builds XML from JSON. Prior to 1.1.7, when an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML. This vulnerabili...

6.1CVSS0.00194EPSS
Exploits0References1
Patchstack
Patchstackadded 2026/05/13 1:3 p.m.7 views

WordPress WPBakery Page Builder plugin <= 8.7.2 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Ethan Consulting in WordPress Plugin WPBakery Page Builder versions = 8.7.2...

5.8AI score
Exploits0Affected Software1
NVD
NVDadded 2026/05/13 1:1 p.m.7 views

CVE-2026-4782

The Avada Builder plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.15.2 via the 'fusiongetsvgfromfile' function with the 'customsvg' parameter of the 'fusionsectionseparator' shortcode. This makes it possible for authenticated attackers, with...

6.5CVSS0.00345EPSS
Exploits0References2
NVD
NVDadded 2026/05/13 1:1 p.m.9 views

CVE-2026-4798

The Avada Builder plugin for WordPress is vulnerable to time-based SQL Injection via the ‘productorder’ parameter in all versions up to, and including, 3.15.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

7.5CVSS0.00357EPSS
Exploits0References2
Patchstack
Patchstackadded 2026/05/13 10:46 a.m.8 views

WordPress Avada (Fusion) Builder plugin <= 3.15.1 - Unauthenticated SQL Injection vulnerability

Unauthenticated SQL Injection vulnerability discovered by Rafie Muhammad - Awesome Motive, Inc. in WordPress Plugin Fusion Builder versions = 3.15.1...

7.5CVSS5.9AI score0.00357EPSS
Exploits0References1Affected Software1
Patchstack
Patchstackadded 2026/05/13 10:40 a.m.6 views

WordPress Avada (Fusion) Builder plugin <= 3.15.2 - Authenticated (Subscriber+) Arbitrary File Read vulnerability

Authenticated Subscriber+ Arbitrary File Read vulnerability discovered by Rafie Muhammad - Awesome Motive, Inc. in WordPress Plugin Fusion Builder versions = 3.15.2...

6.5CVSS5.8AI score0.00345EPSS
Exploits0References1Affected Software1
CVE
CVEadded 2026/05/13 9:26 a.m.14 views

CVE-2026-4782

The Wordfence-disclosed analysis confirms CVE-2026-4782 affects Avada Builder (Fusion Builder)

6.5CVSS5.9AI score0.00345EPSS
Exploits0References2
EUVD
EUVDadded 2026/05/13 9:26 a.m.19 views

EUVD-2026-29933

The Avada Builder plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.15.2 via the 'fusiongetsvgfromfile' function with the 'customsvg' parameter of the 'fusionsectionseparator' shortcode. This makes it possible for authenticated attackers, with...

6.5CVSS5.9AI score0.00345EPSS
Exploits0References2
Vulnrichment
Vulnrichmentadded 2026/05/13 9:26 a.m.9 views

CVE-2026-4782 Avada Builder <= 3.15.2 - Authenticated (Subscriber+) Arbitrary File Read via 'custom_svg' Shortcode Parameter

The Avada Builder plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.15.2 via the 'fusiongetsvgfromfile' function with the 'customsvg' parameter of the 'fusionsectionseparator' shortcode. This makes it possible for authenticated attackers, with...

6.5CVSS5.9AI score0.00345EPSS
Exploits0References2
ATTACKERKB
ATTACKERKBadded 2026/05/13 9:26 a.m.3 views

CVE-2026-4782

The Avada Builder plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.15.2 via the 'fusiongetsvgfromfile' function with the 'customsvg' parameter of the 'fusionsectionseparator' shortcode. This makes it possible for authenticated attackers, with...

6.5CVSS5.9AI score0.00345EPSS
Exploits0References3
Rows per page
Query Builder