Lucene search
K

112 matches found

EUVD
EUVD
added 4 days ago7 views

EUVD-2026-42520

The Ultimate Post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'moreResultsText' block attribute of the ultimate-post/advanced-search block in versions up to and including 5.0.31. This is due to insufficient input sanitization and output escaping in the...

6.4CVSS6AI score0.00206EPSS
Exploits0References8
EUVD
EUVD
added 2026/07/01 7:53 a.m.6 views

EUVD-2026-40923

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'nodatamsg' Shortcode Attribute in all versions up to, and including, 3.3.60 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS5.9AI score0.00206EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/06/24 12:0 a.m.12 views

PT-2026-51699

Name of the Vulnerable Software and Affected Versions WP Latest Posts versions prior to 5.0.12 Description The plugin is subject to Stored Cross-Site Scripting due to insufficient output escaping in the field and loop functions. These functions use a regular expression to extract the raw src...

6.4CVSS6AI score0.00207EPSS
Exploits0References9
NVD
NVD
added 2026/06/09 5:16 a.m.18 views

CVE-2026-41845

Due to incorrect escaping, the use of JavaScriptUtils.javaScriptEscape may lead to JavaScript code injection in the browser, potentially resulting in a cross-site scripting XSS vulnerability. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3....

7.1CVSS0.00161EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:35 p.m.12 views

CVE-2026-5357

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sid' parameter of the 'wpdmmembers' shortcode in versions up to and including 3.3.52. This is due to insufficient input sanitization and output escaping on the user-supplied 'sid' shortcode attribute...

6.4CVSS5.7AI score0.00302EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:18 p.m.8 views

CVE-2026-9065

SureCart version prior to 4.2.1 are vulnerable to authenticated SQL injection via multiple parameters 'modelname', 'modelid', 'integrationid', 'provider' on the REST API endpoint '/surecart/v1/integrations/id'. The root cause is a flawed escaping bypass in the query builder 'wp-query-builder'...

9.3CVSS5.8AI score0.00338EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/01 11:24 a.m.36 views

CVE-2026-9309 Arbitrary JavaScript execution in internal pages via Reader View JSON-LD injection

Firefox for iOS Reader View did not properly escape HTML tags in JSON-LD metadata. A malicious page could inject markup that changed Reader View behavior and leaked sensitive URL parameters. These parameters could then be used to access internal pages, potentially resulting in arbitrary JavaScrip...

0.00157EPSS
Exploits0References2
SUSE CVE
SUSE CVE
added 2026/05/29 1:28 a.m.11 views

SUSE CVE-2025-8030

Insufficient escaping in the “Copy as cURL” feature could potentially be used to trick a user into executing unexpected code. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1...

5.3CVSS7.2AI score0.00306EPSS
Exploits0References11
CNNVD
CNNVD
added 2026/05/27 12:0 a.m.10 views

Kysely 安全漏洞

Kysely is a type-safe TypeScript SQL query builder developed by Kysely contributors. Versions of Kysely from 0.26.0 to 0.28.16 contain security vulnerabilities. These vulnerabilities stem from the lack of escaping of JSON path metacharacters in the DefaultQueryCompiler.visitJSONPathLeg function. ...

7.5CVSS5.8AI score0.00362EPSS
Exploits0References1
Veracode
Veracode
added 2026/05/23 6:21 a.m.19 views

Cross-site Scripting (XSS)

phpMyFAQ is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper escaping of malformed URLs in Utils::parseUrl, which allows an attacker to inject malicious JavaScript through comments and steal admin session cookies when affected pages are viewed...

8.3CVSS5.8AI score0.00215EPSS
Exploits0References3Affected Software2
Vulnrichment
Vulnrichment
added 2026/05/20 6:46 a.m.9 views

CVE-2026-6405 Anomify AI <= 0.3.6 - Cross-Site Request Forgery

The Anomify AI – Anomaly Detection and Alerting plugin for WordPress is vulnerable to Cross-Site Request Forgery CSRF leading to Stored Cross-Site Scripting XSS in versions up to and including 0.3.6. This is due to missing nonce verification on the settings page handler and insufficient output...

4.3CVSS6AI score0.00168EPSS
Exploits0References7
CNNVD
CNNVD
added 2026/05/20 12:0 a.m.13 views

WordPress plugin SponsorMe 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

6.1CVSS5.6AI score0.00266EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/14 12:0 a.m.11 views

WordPress plugin Envira Gallery Lite 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

6.4CVSS5.8AI score0.0035EPSS
Exploits0References1
VulnCheck KEV
VulnCheck KEV
added 2026/05/07 12:0 a.m.31 views

VulnCheck KEV: CVE-2026-44742

Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026...

7.2CVSS5.8AI score0.00237EPSS
In wildExploits0References2
RedhatCVE
RedhatCVE
added 2026/04/29 6:18 a.m.6 views

CVE-2026-40967

In Spring AI, various FilterExpressionConverter implementations accept a filter expression object and translate them to specific vector store query languages. In several cases, keys and values are not properly escaped, leading to the ability to alter the query. Affected versions: Spring AI: 1.0.0...

8.6CVSS5.2AI score0.00394EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/04/22 2:0 p.m.37 views

CVE-2026-33609 LDAP DN injection

Incomplete escaping of LDAP queries when running with 8bit-dns enabled allows users to perform queries of internal domain subtrees...

5.3CVSS0.00242EPSS
Exploits0References1
NVD
NVD
added 2026/04/22 9:16 a.m.5 views

CVE-2026-2719

The Private WP suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Exceptions' setting in all versions up to, and including, 0.4.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

4.4CVSS0.0029EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/04/09 7:30 p.m.42 views

CVE-2026-34483 Apache Tomcat: Incomplete escaping of JSON access logs

Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 o...

0.00461EPSS
Exploits0References1
GithubExploit
GithubExploit
added 2026/04/09 9:44 a.m.118 views

Exploit for CVE-2026-34197

Fixed the issue...

8.8CVSS6.6AI score0.96666EPSS
Exploits13
CNNVD
CNNVD
added 2026/04/09 12:0 a.m.12 views

WordPress plugin Ultimate FAQ Accordion 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...

6.4CVSS5.6AI score0.00227EPSS
Exploits0References8
Rows per page
Query Builder