CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Cvelist•added 5 hours ago•4 views

CVE-2026-8653 MasterStudy LMS Pro Plus <= 4.8.20 - Authenticated (Instructor+) SQL Injection via 'columns' Parameter

6.5CVSS

EUVD•added 5 hours ago•3 views

EUVD-2026-34191

CVE•added 5 hours ago•5 views

CVE-2026-8653

The MasterStudy LMS Pro Plus plugin for WordPress is vulnerable to a generic SQL Injection via the 'columns' parameter in all versions up to and including 4.8.20, caused by insufficient escaping of the user-supplied value and inadequate query preparation. Authenticated attackers with instructor-l...

ATTACKERKB•added 5 hours ago•2 views

CVE-2026-8653

Positive Technologies•added 6 hours ago•2 views

PT-2026-46129

ATTACKERKB•added 2026/05/27 4:59 p.m.•3 views

CVE-2026-48149

Budibase is an open-source low-code platform. Prior to 3.39.0, the Budibase Text component renders markdown by assigning marked.parsemarkdown straight to innerHTML with no sanitizer packages/bbui/src/Markdown/MarkdownViewer.svelte:22. Any column a builder binds to a Text component in Markdown mod...

8.1CVSS5.8AI score0.00036EPSS

Exploits0References2Affected Software1

CNNVD•added 2026/05/26 12:0 a.m.•5 views

Snipe-IT 跨站脚本漏洞

Snipe-IT is a set of open-source IT asset/license management systems developed by Grokability. Versions of Snipe-IT prior to 8.4.1 contained a cross-site scripting vulnerability. This vulnerability stemmed from unescaped notes columns, which could lead to cross-site scripting attacks...

5.4CVSS5.6AI score0.00013EPSS

ATTACKERKB•added 2026/05/17 12:11 p.m.•4 views

CVE-2018-25338

Zechat 1.5 contains a SQL injection vulnerability in the hashtag parameter that allows unauthenticated attackers to extract database information using union-based techniques. Attackers can exploit the hashtag parameter with union-based payloads to retrieve table and column names...

8.8CVSS5.9AI score0.00086EPSS

Exploits0References3Affected Software1

Tenable Nessus•added 2026/05/11 12:0 a.m.•3 views

Unity Linux 20.1060e / 20.1070e Security Update: postgresql (UTSA-2026-017576)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017576 advisory. A flaw was found in PostgreSQL in versions before 13.2. This flaw allows a user with SELECT privilege on one column to craft a special query that returns all columns...

4.3CVSS5.8AI score0.00086EPSS

Exploits0References4

Vulnrichment•added 2026/05/07 1:57 p.m.•4 views

CVE-2026-44349 Daptin fuzzy search injects unvalidated column name into raw SQL

Daptin is a GraphQL/JSON-API headless CMS. Prior to version 0.11.5, processFuzzySearch in server/resource/resourcefindallpaginated.go:1484 splits the user-supplied column parameter by comma and interpolates each segment directly into goqu.Lfmt.Sprintf"LOWER%s LIKE ?", prefix+col raw SQL with no...

7.1CVSS5.8AI score0.00017EPSS

OSV•added 2026/05/07 12:2 a.m.•0 views

GHSA-FF9Q-RM55-Q7QR diesel-async may expose uninitialized padding bytes for MySQL temporal columns

Summary diesel-async exposes uninitialized stack padding to safe code on every read of a MySQL DATE, TIME, DATETIME, or TIMESTAMP column. Reading that buffer is undefined behavior, and the leaked bytes can contain stale heap/stack contents, so this is both a soundness bug and a potential...

5.1CVSS6.1AI score