CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

2446424 matches found

WordPress Loco Translate < 2.6.1 - Cross-Site Scripting

Loco Translate WordPress plugin before 2.6.1 contains a stored cross-site scripting vulnerability caused by improper removal of inline events from source translation strings, allowing authenticated users to inject arbitrary JavaScript payloads. id: CVE-2022-0765 info: name: WordPress Loco Transla...

5.4CVSS5.5AI score0.02742EPSS

Exploits4References3

Nuclei•added 10 hours ago•10 views

KeySight RF - smsRestoreDatabaseZip UNC path to Remote Code Execution

The com.keysight.tentacle.config.ResourceManager.smsRestoreDatabaseZip method is used to restore the HSQLDB database used in SMS. It takes the path of the zipped database file as the single parameter. An unauthenticated, remote attacker can specify an UNC path for the database file i.e., \\sms,...

9.8CVSS8.4AI score0.78409EPSS

Exploits0References2

Nuclei•added 10 hours ago•12 views

Datart v1.0.0-rc.3 - Remote Code Execution

Datart v1.0.0-rc.3 contains a vulnerability that allows remote attackers to execute arbitrary code via INIT connection parameters. id: CVE-2025-56819 info: name: Datart v1.0.0-rc.3 - Remote Code Execution author: Redmomn severity: critical description: | Datart v1.0.0-rc.3 contains a vulnerabilit...

9.8CVSS6AI score0.11188EPSS

Exploits0References3

Nuclei•added 10 hours ago•14 views

TinaCMS - Path Traversal

TinaCMS CLI 2.1.8 contains a file system read vulnerability caused by disabled Vite server.fs.strict setting, letting unauthenticated attackers read arbitrary files on the host system, exploit requires access to the dev server. id: CVE-2026-29066 info: name: TinaCMS - Path Traversal author:...

6.2CVSS5.4AI score0.06479EPSS

Exploits1References2

Nuclei•added 10 hours ago•10 views

WordPress Media Library Assistant <= 3.34 - SQL Injection

David Lingren Media Library Assistant = 3.34 contains an sql injection caused by improper neutralization of special elements in SQL commands, letting attackers execute arbitrary SQL queries, exploit requires crafted input. id: CVE-2026-34885 info: name: WordPress Media Library Assistant = 3.34 -...

8.5CVSS6AI score0.09208EPSS

Exploits0References3

Nuclei•added 10 hours ago•9 views

DedeCMS - Open Redirect via download.php

Dedecms 5.71sp1 and earlier contain a URL redirect caused by a logic error that does not properly validate GET request input, letting attackers redirect users to arbitrary URLs, exploit requires sending crafted GET requests. id: CVE-2024-57241 info: name: DedeCMS - Open Redirect via download.php...

6.5CVSS5.3AI score0.19399EPSS

Exploits0References2

Nuclei•added 10 hours ago•11 views

RosarioSIS 6.7.2 - Cross-Site Scripting

RosarioSIS version 6.7.2 and earlier contains a reflected cross-site scripting XSS vulnerability in the Preferences module. The 'tab' parameter in Modules.php is not properly sanitized, allowing an attacker to inject arbitrary JavaScript code via a crafted URL. id: CVE-2020-15718 info: name:...

6.1CVSS6.1AI score0.10197EPSS

Exploits2

Nuclei•added 10 hours ago•14 views

ASUSTOR ADM 3.1.0.RFQ3 - SQL Injection

ASUSTOR ADM version 3.1.0.RFQ3 is vulnerable to SQL injection via the albumid parameter in the /photo-gallery/api/album/treelists/ endpoint. An attacker can exploit this vulnerability to execute arbitrary SQL commands on the database, potentially leading to information disclosure or further...

9.8CVSS8.9AI score0.19665EPSS

Exploits7References2

Nuclei•added 10 hours ago•14 views

Dell UnityVSA < 5.5 - Remote Command Injection

Dell Unity, versions 5.5 and prior, contains an Improper Neutralization of Special Elements used in an OS Command 'OS Command Injection' vulnerability. id: CVE-2025-36604 info: name: Dell UnityVSA 5.5 - Remote Command Injection author: DhiyaneshDK,watchtowr severity: critical description: | Dell...

9.8CVSS5.8AI score0.16701EPSS

Exploits1References3

Nuclei•added 10 hours ago•18 views

Responsive Pricing Table <= 5.1.12 - Cross-Site Scripting

The Responsive Pricing Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'planicons' parameter in all versions up to, and including, 5.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-lev...

6.4CVSS5.5AI score0.00662EPSS

Exploits0References3

Nuclei•added 10 hours ago•21 views

Flexible Checkout Fields for WooCommerce <= 2.3.1 - Unauthenticated Arbitrary Plugin Settings Update

The Flexible Checkout Fields for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Plugin Settings update, in addition to Stored Cross-Site Scripting in versions up to, and including, 2.3.1. This is due to missing authorization checks on the updateSettingsAction function...

9.8CVSS7.9AI score0.9188EPSS

Exploits6References3

Nuclei•added 10 hours ago•18 views

XWiki Platform - SQL Injection

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it's possible for anyone to inject SQL using the parameter sort of the getdeleteddocuments.vm. It's injected as is as an...

9.8CVSS8.5AI score0.34913EPSS

Exploits6References2

Nuclei•added 10 hours ago•20 views

Code-Projects School Fees Payment System 1.0 - SQL Injection

A vulnerability was found in code-projects School Fees Payment System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /student.php. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been...

9.8CVSS7AI score0.01527EPSS

Exploits1References5

Nuclei•added 10 hours ago•12 views

Simple File List < 6.1.13 - Reflected Cross-Site Scripting

Simple File List WordPress plugin \u003C 6.1.13 contains a reflected cross-site scripting caused by unsanitized URL output in an attribute, letting attackers execute malicious scripts in admin browsers, exploit requires victim to be an admin. id: CVE-2024-10146 info: name: Simple File List 6.1.13...

5.4CVSS5AI score0.00938EPSS

Exploits1References2

Nuclei•added 10 hours ago•13 views

Sunshine Photo Cart <= 3.2.5 - Reflected Cross-Site Scripting

WP Sunshine Sunshine Photo Cart versions up to 3.2.5 contain a reflected cross-site scripting caused by improper input neutralization during web page generation, letting attackers execute malicious scripts in users' browsers, exploit requires attacker to craft malicious input. id: CVE-2024-43971...

7.1CVSS5AI score0.04055EPSS

Exploits0References2

Nuclei•added 10 hours ago•19 views

AVTECH DVR - Login Verification Code Bypass

AVTECH DVR products are vulnerable to verification code bypass just by entering the "login=quick" parameter to bypass verification code. id: CVE-2013-4982 info: name: AVTECH DVR - Login Verification Code Bypass author: ritikchaddha severity: low description: | AVTECH DVR products are vulnerable t...

9.8CVSS8.4AI score0.39617EPSS

Exploits6References1

Nuclei•added 10 hours ago•25 views

XiongMai uc-httpd 1.0.0 - Buffer Overflow

Buffer overflow in XiongMai uc-httpd 1.0.0 has unspecified impact and attack vectors, a different vulnerability than CVE-2017-16725. id: CVE-2018-10088 info: name: XiongMai uc-httpd 1.0.0 - Buffer Overflow author: 0xAkoko severity: critical description: | Buffer overflow in XiongMai uc-httpd 1.0....

10CVSS8.3AI score0.89463EPSS

Exploits8References4

Nuclei•added 10 hours ago•9 views

Astro - Information Disclosure

Astro versions v5.0.3 through v5.0.7 and Astro v4.16.17 or older with sourcemaps enabled contain a source code disclosure caused by sourcemap files being publicly accessible in the build output folder, letting unauthenticated users read server source code, exploit requires sourcemaps to be enable...

7.8CVSS5.2AI score0.12274EPSS

Exploits1References2

Nuclei•added 10 hours ago•8 views

SquirrelMail Address Add 1.4.2 - Cross-Site Scripting

SquirrelMail Address Add 1.4.2 plugin contains a cross-site scripting vulnerability. It fails to properly sanitize user-supplied input, thus allowing an attacker to execute arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to...

4.3CVSS5.4AI score0.01747EPSS

Exploits2References2

Nuclei•added 10 hours ago•21 views

Cisco ISE - Remote Code Execution

A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit this vulnerability. This vulnerability is due to...

10CVSS9.2AI score0.33482EPSS

Exploits10References3

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by