Lucene search
K

5859 matches found

Nuclei
Nuclei
added yesterday27 views

mTheme Unus < 2.3 - Directory Traversal

The mTheme-Unus theme for WordPress, prior to version 2.3, contained a directory traversal flaw that let attackers access arbitrary files. This was possible by exploiting the files parameter in css/css.php with .. sequences. id: CVE-2015-9406 info: name: mTheme Unus 2.3 - Directory Traversal...

7.5CVSS7.1AI score0.55008EPSS
Exploits1References4
Nuclei
Nuclei
added yesterday20 views

tagDiv Composer < 4.2 - Stored Cross-Site Scripting

tagDiv Composer plugin versions before 4.2 for WordPress are vulnerable to unauthenticated stored XSS via the /wp-json/tdw/savecss endpoint. An attacker can inject malicious JavaScript code through the compiledcss parameter, which gets stored and executed when the CSS is loaded. id: CVE-2023-3169...

6.1CVSS6.8AI score0.01582EPSS
Exploits2References2
Nuclei
Nuclei
added yesterday21 views

FlipperCode Custom CSS, JS & PHP <= 2.0.7 - Remote Code Execution

Custom css-js-php WordPress plugin through 2.0.7 contains a command injection caused by unsanitized user input used in SQL query and passed to eval, letting unauthenticated attackers execute arbitrary PHP code on the server. id: CVE-2026-6433 info: name: FlipperCode Custom CSS, JS & PHP = 2.0.7 -...

7.3CVSS7.3AI score0.00753EPSS
Exploits3References4
NVD
NVD
added 3 days ago7 views

CVE-2026-9738

The Print, PDF, Email by PrintFriendly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'contentpositioncss' parameter in all versions up to, and including, 5.5.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

4.4CVSS0.00208EPSS
Exploits0References8
EUVD
EUVD
added 3 days ago6 views

EUVD-2026-43136

The Print, PDF, Email by PrintFriendly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'contentpositioncss' parameter in all versions up to, and including, 5.5.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

4.4CVSS6.2AI score0.00208EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 3 days ago11 views

PT-2026-57402

Name of the Vulnerable Software and Affected Versions Print, PDF, Email by PrintFriendly for WordPress versions prior to 5.5.11 Description Stored Cross-Site Scripting occurs due to insufficient input sanitization and output escaping. Authenticated attackers with administrator-level access and...

4.4CVSS6.2AI score0.00208EPSS
Exploits0References11
NVD
NVD
added 4 days ago5 views

CVE-2026-55481

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, default.blade.php renders headercolor and related branding color settings inside a CSS style block with HTML escaping that is insufficient for the CSS context, allowing a superadmin to inject arbitrary CSS that affects authenticat...

6.2CVSS0.00389EPSS
Exploits0References4
CVE
CVE
added 4 days ago7 views

CVE-2026-55481

Snipe-IT (IT asset/license management) prior to 8.6.2 is affected by a CSS injection vulnerability in default.blade.php: header_color and related branding color settings are rendered inside a CSS style block with insufficient HTML escaping for the CSS context. This allows a superadmin to inject a...

6.2CVSS6.2AI score0.00389EPSS
Exploits0References4
EUVD
EUVD
added 4 days ago6 views

EUVD-2026-39123

SiYuan: Stored XSS to RCE via CSS-snippet breakout in renderSnippet...

9.9CVSS6.1AI score0.00307EPSS
Exploits0References2
NVD
NVD
added 4 days ago6 views

CVE-2026-59791

In JetBrains YouTrack before 2026.2.17012 cSS injection via Mermaid diagram rendering was possible...

3.5CVSS0.00135EPSS
Exploits0References1
Cvelist
Cvelist
added 4 days ago29 views

CVE-2026-59791

In JetBrains YouTrack before 2026.2.17012 cSS injection via Mermaid diagram rendering was possible...

3.5CVSS0.00135EPSS
Exploits0References1
NVD
NVD
added 4 days ago8 views

CVE-2026-13347

The Hide My WP Lite plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 1.3 via the hewrapperjs and hewrappercss query parameters processed by the elementorassetsfilter function. This is due to the function concatenating user-supplied input directly onto...

7.5CVSS0.00512EPSS
Exploits0References3
CVE
CVE
added 4 days ago15 views

CVE-2026-13347

The CVE-2026-13347 entry documents an unauthenticated Arbitrary File Read in WordPress Hide My WP Lite (versions ≤ 1.3) via the he_wrapper_js and he_wrapper_css parameters. The vulnerability stems from elementor_assets_filter() concatenating user input onto ABSPATH and passing it to file_get_cont...

7.5CVSS6.1AI score0.00512EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 4 days ago8 views

CVE-2026-13347

The Hide My WP Lite plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 1.3 via the hewrapperjs and hewrappercss query parameters processed by the elementorassetsfilter function. This is due to the function concatenating user-supplied input directly onto...

7.5CVSS6.1AI score0.00512EPSS
Exploits0References4
Fedora
Fedora
added 5 days ago8 views

[SECURITY] Fedora 43 Update: perl-CSS-Minifier-XS-0.15-1.fc43

'CSS::Minifier::XS' is a CSS "minifier". It's designed to remove unnecessary white-space and comments from CSS files, while also not breaking the CSS. 'CSS::Minifier::XS' is similar in function to 'CSS::Minifier', but is substantially faster as it's written in XS and not just pure Perl...

6.5CVSS5.9AI score0.00238EPSS
Exploits0
Fedora
Fedora
added 5 days ago8 views

[SECURITY] Fedora 44 Update: perl-CSS-Minifier-XS-0.15-1.fc44

'CSS::Minifier::XS' is a CSS "minifier". It's designed to remove unnecessary white-space and comments from CSS files, while also not breaking the CSS. 'CSS::Minifier::XS' is similar in function to 'CSS::Minifier', but is substantially faster as it's written in XS and not just pure Perl...

6.5CVSS5.9AI score0.00238EPSS
Exploits0
ATTACKERKB
ATTACKERKB
added 6 days ago4 views

CVE-2026-59895

Hono is a Web application framework that provides support for any JavaScript runtime. From 4.0.0 before 4.12.27, cx in hono/css composes class names from plain strings but marks the result as already escaped without HTML-escaping the input, allowing untrusted className values used in a JSX class...

6.1CVSS6.1AI score0.00187EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 6 days ago30 views

CVE-2026-58657 Grav - Stored CSS Injection via Markdown Image resize() Action

Grav before 2.0.0 affected through 2.0.0-rc.9 and the 2.0 branch contains a stored CSS injection vulnerability in the Markdown image resize media action. Prior media hardening rejects direct ?style= payloads and unsafe attribute fallbacks, but the resize action in Excerpts::processMediaActions...

4.8CVSS0.00217EPSS
Exploits0References4
NVD
NVD
added 6 days ago8 views

CVE-2026-9731

The Wp Js Detect plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.9. This is due to missing or incorrect nonce validation on the pluginsettings function. This makes it possible for unauthenticated attackers to update the plugin's...

4.3CVSS0.00128EPSS
Exploits0References5
EUVD
EUVD
added 6 days ago6 views

EUVD-2026-42173

The Wp Js Detect plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.9. This is due to missing or incorrect nonce validation on the pluginsettings function. This makes it possible for unauthenticated attackers to update the plugin's...

4.3CVSS5.9AI score0.00128EPSS
Exploits0References5
Rows per page
Query Builder