CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

CNNVD•added 2026/05/13 12:0 a.m.•10 views

WordPress plugin WOOD Products Filter for WooCommerce 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...

5.5CVSS5.6AI score0.00256EPSS

Drupal•added 2026/05/13 12:0 a.m.•14 views

Date iCal - Critical - Information disclosure - SA-CONTRIB-2026-037

This module enables you to export entity date fields as iCal feeds. The module doesn't sufficiently check entity or field access or sanitize user inputs when generating iCal feeds. This vulnerability is not mitigated by any permission, the routes are accessible to all anonymous users with no...

9.8CVSS5.8AI score0.00369EPSS

Positive Technologies•added 2026/05/13 12:0 a.m.•12 views

PT-2026-40804

CubeCart is an ecommerce software solution. Prior to 6.6.0, a Stored Cross-Site Scripting XSS vulnerability exists in CubeCart v6.x. An attacker with administrative privileges can inject malicious JavaScript payloads into multiple fields during the creation or modification of a product. These...

4.8CVSS5.8AI score0.00173EPSS

Positive Technologies•added 2026/05/13 12:0 a.m.•10 views

PT-2026-40842

9.1CVSS5.8AI score0.00497EPSS

NVD•added 2026/05/12 11:16 p.m.•13 views

CVE-2025-15463

The The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.9.2.3. This is due to the software allowing users to execute an action that does not properly validate a value before running doshortcode. This make...

6.5CVSS0.00381EPSS

Vulnrichment•added 2026/05/12 10:24 p.m.•8 views

CVE-2025-15463 Advanced Custom Fields: Extended <= 0.9.2.3 - Unauthenticated Arbitrary Shortcode Execution

Cvelist•added 2026/05/12 10:24 p.m.•36 views

CVE-2025-15463 Advanced Custom Fields: Extended <= 0.9.2.3 - Unauthenticated Arbitrary Shortcode Execution

6.5CVSS0.00381EPSS

ATTACKERKB•added 2026/05/12 10:24 p.m.•8 views

CVE-2025-15463

CVE•added 2026/05/12 10:24 p.m.•18 views

Exploits0References4

CVE-2025-15463

The CVE-2025-15463 entry concerns the Advanced Custom Fields: Extended WordPress plugin, affected versions up to 0.9.2.3. The vulnerability arises from code that executes do_shortcode without proper value validation, allowing unauthenticated attackers to execute arbitrary shortcodes. No public ex...

EUVD•added 2026/05/12 10:24 p.m.•8 views

EUVD-2025-209809

EUVD•added 2026/05/12 9:31 p.m.•9 views

EUVD-2026-29781

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may ...

8.7CVSS5.8AI score0.00402EPSS

EUVD•added 2026/05/12 9:31 p.m.•15 views

EUVD-2026-29764

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may...

4.8CVSS5.8AI score0.00368EPSS

Snyk•added 2026/05/12 9:20 p.m.•8 views

Cross-site Scripting (XSS)

Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the vulnerable form fields. An attacker can execute arbitrary JavaScript in the context of another user's browser by injecting malicious script...

4.8CVSS5.8AI score0.00368EPSS

Snyk•added 2026/05/12 9:20 p.m.•9 views

Cross-site Scripting (XSS)

Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the form fields. An attacker can execute arbitrary JavaScript in the context of a victim's browser by injecting malicious scripts, potentially...

8.7CVSS5.8AI score0.00402EPSS

Snyk•added 2026/05/12 9:20 p.m.•8 views

Cross-site Scripting (XSS)

Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the form fields process. An attacker can execute arbitrary JavaScript in the context of another user's browser session by injecting malicious...

4.8CVSS5.8AI score0.00274EPSS

NVD•added 2026/05/12 8:16 p.m.•7 views

CVE-2026-44217

sse-channel is an SSE-implementation which can be used to any node.js http request/response stream. Prior to 4.0.1, implementations that allow user-provided values to be passed to event, retry or id fields are susceptible to event spoofing, where an attacker could inject arbitrary messages into t...

8.7CVSS0.0041EPSS

NVD•added 2026/05/12 8:16 p.m.•5 views

CVE-2026-34658

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may...

4.8CVSS0.00274EPSS

NVD•added 2026/05/12 8:16 p.m.•7 views

CVE-2026-34655

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may...

4.8CVSS0.00368EPSS