CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

RedhatCVE•added 3 days ago•7 views

CVE-2026-5362

An authenticated attacker with permission to edit document content can store crafted HTML/JavaScript in a Document embed editable and cause script execution when the published page is rendered. This issue affects pimcore: v12.3.3...

5.4CVSS5.7AI score0.00004EPSS

4.9CVSS5.7AI score0.00013EPSS

CVE-2026-4811

The WPB Floating Menu & Categories for WordPress – Sticky Side Menu with Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Icon CSS Class' category field in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping. This mak...

5.4CVSS5.3AI score0.00031EPSS

CVE-2026-40230

Helpy contains a stored cross-site scripting vulnerability in the knowledge base Doc rendering logic. An authenticated attacker with admin or agent editor privileges can persist arbitrary HTML or JavaScript in the body field of a knowledge base Doc.This issue affects helpy: 2.8.0...

6.1CVSS5.2AI score0.00035EPSS

CVE-2026-39336

ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting issue affects the Directory Reports form fields set from config, Person editor defaults rendered into address fields, and external self-registration form defaults. This is primarily an admin-to-adm...

4.9CVSS5.6AI score0.00054EPSS

CVE-2026-26067

October is a Content Management System CMS and web platform. Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft .less, .sass, or .scss files that leverage the...

8.1CVSS5.4AI score0.00038EPSS

CVE-2026-44654

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, a shared-agent editor can delete file records through DELETE /api/files that the owner has reused across multiple agents. The deletion removes the file globally — not just from the...

5.7CVSS5.8AI score0.00043EPSS

CVE-2026-35451

Twenty is an open source CRM. Prior to 1.20.6, a Stored Cross-Site Scripting XSS vulnerability exists in the BlockNote editor component. Due to a lack of protocol validation in the FileBlock component and insufficient server-side inspection of block content, an attacker can inject a javascript: U...

7.8CVSS6.1AI score0.00032EPSS

CVE-2026-43943

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.9, a code execution RCE vulnerability exists in electerm's SFTP open with system editor or "Edit with custom editor" feature. When a user opts to edit a file using open with system edito...

RedhatCVE•added 3 days ago•7 views

CVE-2026-43937

YetAnotherForum.NET YAF.NET is a C ASP.NET forum. Prior to 4.0.5, Any admin OnPost… handler executes its side effects before the ResultFilterAttribute rewrites the response to a 302 to /Info/4. The most impactful abuse is /Admin/RunSql, whose OnPostRunQuery binds Editor from the POST body and...

8.8CVSS6AI score0.00029EPSS

7.6CVSS5.6AI score0.00036EPSS

CVE-2026-45213

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in RealMag777 BEAR woo-bulk-editor allows Blind SQL Injection.This issue affects BEAR: from n/a through = 1.1.7.1...

7.2CVSS5.6AI score0.00047EPSS

CVE-2026-22315

Incorrect Privilege Assignment vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component enables the export of user data, including cleartext passwords, via the SQL editor. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server...

8.8CVSS5.7AI score0.00039EPSS

CVE-2026-39326

ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyTypeEditor.php in ChurchCRM. Authenticated users with the role isMenuOptionsEnabled can inject arbitrary SQL statements through the Name and Description paramete...

8.6CVSS6.1AI score0.00018EPSS

CVE-2026-44461

Zed is a code editor. Prior to 0.227.1, Zed builds SSH/WSL remote commands as a shell command string that starts with exec env ..., but environment variable keys are inserted without shell quoting or validation. If an attacker can control an environment variable key for example via project termin...

RedhatCVE•added 3 days ago•6 views

CVE-2026-44887

Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. Prior to 2026-05-07, Pi.Alert's web-based configuration editor allows arbitrary Python code to be injected into pialert.conf. Since the background scan daemon loads this file via Python's exec, injected code executes as the...

9.8CVSS5.8AI score0.00255EPSS

RedhatCVE•added 3 days ago•3 views

CVE-2026-44465

Zed is a code editor. Prior to 0.227.1, Zed IDE executes arbitrary commands when opening a folder with a malicious .git/config file that abuses the core.fsmonitor Git configuration option. This allows an attacker to achieve Remote Code Execution RCE when a victim open a folder in untrusted mode...

8.6CVSS5.9AI score0.00057EPSS

RedhatCVE•added 3 days ago•3 views

CVE-2026-8203

Concrete CMS 9.5.0 and below has Stored XSS on the height parameter. The controller does not validate or sanitize $height. Any user with editor privileges can inject malicious JavaScript that executes in the context of any visitor's browser, potentially leading to session hijacking, credential...

7.3CVSS5.5AI score0.00025EPSS

RedhatCVE•added 3 days ago•6 views

CVE-2026-35574

ChurchCRM is an open-source church management system. Prior to 6.5.3, a stored Cross-Site Scripting XSS vulnerability in ChurchCRM's Note Editor allows authenticated users with note-adding permissions to execute arbitrary JavaScript code in the context of other users' browsers, including...

8.7CVSS5.9AI score0.00038EPSS