CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

35 matches found

SUSE CVE•added 2026/05/30 1:59 a.m.•8 views

SUSE CVE-2026-49130

Music Player Daemon MPD before version 0.24.11 contains a CRLF injection vulnerability in the xspfchardata function within the XSPF playlist plugin that allows attackers to embed literal CR/LF bytes in URI fields by supplying a malicious XSPF playlist with XML numeric character references...

6.9CVSS5.8AI score0.0026EPSS

Exploits0References3

RedhatCVE•added 2026/05/29 8:13 p.m.•7 views

CVE-2026-49130

6.9CVSS5.8AI score0.0026EPSS

Exploits0References1

EUVD•added 2026/05/28 7:12 p.m.•9 views

EUVD-2026-33006

6.9CVSS5.8AI score0.0026EPSS

Exploits0References7

Cvelist•added 2026/05/28 7:12 p.m.•28 views

CVE-2026-49130 Music Player Daemon < 0.24.11 CRLF Injection via XspfPlaylistPlugin.cxx

6.9CVSS0.0026EPSS

Exploits0References7

ATTACKERKB•added 2026/05/28 7:12 p.m.•6 views

CVE-2026-49130

6.9CVSS5.8AI score0.0026EPSS

Exploits0References7

CVE•added 2026/05/28 7:12 p.m.•12 views

CVE-2026-49130

MPD (Music Player Daemon) prior to version 0.24.11 is affected by a CRLF injection vulnerability in the XSPF playlist plugin’s xspf_char_data function. By supplying a malicious XSPF playlist that exploits XML numeric character references, an attacker can cause Expat decoding to insert literal CR/...

6.9CVSS5.8AI score0.0026EPSS

Exploits0References7

Vulnrichment•added 2026/05/28 7:12 p.m.•8 views

CVE-2026-49130 Music Player Daemon < 0.24.11 CRLF Injection via XspfPlaylistPlugin.cxx

6.9CVSS5.8AI score0.0026EPSS

Exploits0References7

Microsoft CVE•added 2026/05/27 8:11 a.m.•13 views

Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html

...

6.1CVSS5.8AI score0.00236EPSS

Exploits0

Vulnrichment•added 2026/05/22 3:1 p.m.•8 views

CVE-2026-25681 Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering...

6AI score0.00236EPSS

Exploits0References4

Cvelist•added 2026/05/22 3:1 p.m.•9 views

CVE-2026-25681 Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html

0.00236EPSS

Exploits0References4

OSV•added 2026/05/22 2:46 a.m.•8 views

GO-2026-5029 Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html

6.1CVSS6AI score0.00236EPSS

Exploits0References3

RedhatCVE•added 2026/04/16 5:14 p.m.•2 views

CVE-2026-5160

A flaw was found in github.com/yuin/goldmark/renderer/html. This Cross-site Scripting XSS vulnerability allows a remote attacker to execute arbitrary scripts in the context of applications that render a malicious URL. The flaw stems from an improper ordering of URL validation and normalization,...

6.1CVSS6AI score0.00287EPSS

Exploits0References5

Snyk•added 2026/03/17 7:45 p.m.•3 views

XML Entity Expansion

Overview fast-xml-parser is a Validate XML, Parse XML, Build XML without C/C++ based libraries Affected versions of this package are vulnerable to XML Entity Expansion in the replaceEntitiesValue function, which doesn't protect unlimited expansion of numeric entities the way it does DOCTYPE data ...

8.7CVSS5.9AI score0.00589EPSS

Exploits2References2

Github Security Blog•added 2026/03/17 7:45 p.m.•13 views

fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)

Summary The fix for CVE-2026-26278 added entity expansion limits maxTotalExpansions, maxExpandedLength, maxEntityCount, maxEntitySize to prevent XML entity expansion Denial of Service. However, these limits are only enforced for DOCTYPE-defined entities. Numeric character references &NNN; and &xH...

7.5CVSS6AI score0.00589EPSS

Exploits2References6Affected Software1

EUVD•added 2026/02/27 3:34 p.m.•4 views

EUVD-2025-208140

A flaw was found in REXML. A remote attacker could exploit inefficient regular expression regex parsing when processing hex numeric character references &x...; in XML documents. This could lead to a Regular Expression Denial of Service ReDoS, impacting the availability of the affected component...

8.7CVSS5.9AI score0.01429EPSS

Exploits0References6

NVD•added 2026/02/27 2:16 p.m.•5 views

CVE-2025-10990

7.5CVSS0.00417EPSS

Exploits0References5

ATTACKERKB•added 2026/02/27 1:32 p.m.•5 views

CVE-2025-10990

8.7CVSS5.9AI score0.01429EPSS

Exploits0References6

CVE•added 2026/02/27 1:32 p.m.•13 views

CVE-2025-10990

CVE-2025-10990 affects REXML and describes a Regular Expression Denial of Service (ReDoS) due to inefficient regex parsing of hex numeric character references (&#x...;) in XML. This is noted as the incomplete fix of CVE-2024-49761. The provided documents do not specify affected versions or explic...

7.5CVSS6.8AI score0.00417EPSS

Exploits0References5

Vulnrichment•added 2026/02/27 1:32 p.m.•1 views

CVE-2025-10990 Rexml: rexml: denial of service via inefficient regex parsing

7.5CVSS6.8AI score0.00417EPSS

Exploits0References5

SUSE CVE•added 2025/12/24 12:24 a.m.•1 views

SUSE CVE-2025-66400

mdast-util-to-hast is an mdast utility to transform to hast. From 13.0.0 to before 13.2.1, multiple unprefixed classnames could be added in markdown source by using character references. This could make rendered user supplied markdown code elements appear like the rest of the page. This...

6.9CVSS6.7AI score0.00251EPSS

Exploits0References3

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by