CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

108 matches found

Cvelist•added 2026/05/26 4:56 p.m.•31 views

CVE-2026-44729 Twenty: Stored Cross-Site Scripting via Unsanitized File Serving (Missing Content-Type/Content-Disposition Headers)

Twenty is an open source CRM. In 1.18.0 and earlier, the file serving endpoints in Twenty CRM at /files/ and /file/:fileFolder/:id serve uploaded files using fileStream.piperes without setting any Content-Type, Content-Disposition, or X-Content-Type-Options response headers. This allows an...

8.7CVSS0.00258EPSS

Exploits1References1

Positive Technologies•added 2026/05/22 12:0 a.m.•8 views

PT-2026-42720

Mothra would respect a default value given by a website for HTML file upload forms. An attacker could craft a website with a malicious default file path, and then conceal this form element...

8.2CVSS5.8AI score0.00276EPSS

Exploits0References2

ATTACKERKB•added 2026/04/27 3:11 p.m.•0 views

CVE-2026-41467

ProjeQtor versions 7.0 through 12.4.3 contain a stored cross-site scripting vulnerability in the file upload functionality where the checkValidFileName function fails to restrict HTML and HTM file uploads. Authenticated attackers can upload HTML files containing arbitrary JavaScript through the...

5.4CVSS5.1AI score0.00181EPSS

Exploits0References5Affected Software1

RedhatCVE•added 2026/04/20 7:22 p.m.•3 views

CVE-2026-40487

Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file upload validation bypass allows any authenticated user to upload arbitrary HTML, SVG, or other executable file types to the server by spoofing the Content-Type header. The uploaded files are then served by nginx with a...

9CVSS5.9AI score0.00224EPSS

Exploits1References1

EUVD•added 2025/12/16 5:3 p.m.•4 views

EUVD-2023-60189

WBCE CMS 1.6.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious HTML and CSS to capture user keystrokes. Attackers can upload a crafted HTML file with CSS-based keylogging techniques to intercept password characters through background image requests...

7.1CVSS5.8AI score0.00226EPSS

Exploits1References4

Vulnrichment•added 2025/10/31 6:31 p.m.•3 views

CVE-2025-62618 ELOG file upload stored XSS

ELOG allows an authenticated user to upload arbitrary HTML files. The HTML content is executed in the context of other users when they open the file. Because ELOG includes usernames and password hashes in certain HTTP requests, an attacker can obtain the target's credentials and replay them or...

8.6CVSS6.5AI score0.00259EPSS

Exploits0References5

OSV•added 2025/10/16 6:36 p.m.•5 views

CVE-2025-62415 bagisto - Cross Site Scripting (XSS) in TinyMCE Image Upload (HTML)

Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges e.g. admin to upload a crafted HTML file containing embedded JavaScript. When viewed, the malicious code executes in the context of the...

6.9CVSS7AI score0.00255EPSS

Exploits1References3

EUVD•added 2025/10/07 12:30 a.m.•3 views

EUVD-2006-4564

Malware in sbrugna...

6.8CVSS6.4AI score0.01299EPSS

Exploits1References6

EUVD•added 2025/10/07 12:30 a.m.•3 views

EUVD-2017-3175

Malware in sbrugna...

5.4CVSS5.5AI score0.01388EPSS

Exploits1References4