CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

EUVD•added 10 hours ago•3 views

EUVD-2026-34085

2.1CVSS5.8AI score

OSV•added 2026/05/26 9:16 p.m.•1 views

UBUNTU-CVE-2026-44898

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, rendertocul builds a table-of-contents tree from a list of level, id, text tuples. Both the id value used as href="" and the text value used as the visible link label are inserted into tags via a plain Python format...

6.1CVSS5.9AI score0.00031EPSS

Exploits1References4

UbuntuCve•added 2026/05/22 11:16 p.m.•5 views

CVE-2026-41149

Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Versions 10.9.5 and earlier, as well as 11.0.0-alpha.1 through 11.14.0, are vulnerable to HTML injection under the default configuration. Specifically, the classDef directive in Mermaid state...

5.3CVSS5.6AI score0.00059EPSS

Exploits0References4

EUVD•added 2026/05/22 10:34 p.m.•5 views

EUVD-2026-31520

5.3CVSS5.6AI score0.00059EPSS

ATTACKERKB•added 2026/05/22 10:34 p.m.•7 views

CVE-2026-41149

5.3CVSS5.8AI score0.00059EPSS

Exploits0References4Affected Software1

EUVD•added 2026/05/22 7:32 p.m.•5 views

EUVD-2026-31494

Mantis Bug Tracker MantisBT is an open source issue tracker. In versions 2.28.1 and below, improper escaping of the redirection page retrieved from the request's Referer header allows an attacker to inject HTML. While this is generally not directly actionable as modern browsers will URL-encode...

6.9CVSS5.3AI score0.00059EPSS

CNNVD•added 2026/05/22 12:0 a.m.•3 views

Mermaid 安全漏洞

Mermaid is an open-source application developed by mermaid-js. It uses text and code to create charts and visualizations. Mermaid versions 10.9.5 and earlier, as well as 11.0.0-alpha.1 through 11.14.0, have security vulnerabilities. These vulnerabilities stem from HTML injection under default...

5.3CVSS5.9AI score0.00059EPSS

Github Security Blog•added 2026/05/21 8:43 p.m.•8 views

Umbraco.Cms: XSS/HTML Injection in Umbraco Backoffice confirmation dialog

Impact Authenticated users are able to inject HTML vulnerability into an input field, which is rendered in the confirmation dialog without proper output encoding. Patches This issue has been patched in 17.4.0...

5.7AI score

Exploits0References2Affected Software1

Vulnrichment•added 2026/05/20 6:51 p.m.•3 views

CVE-2026-26028 CryptPad: Sanitizer Bypass in Diffmarked.js Allows Arbitrary HTML Injection and Potential XSS

CryptPad is an end-to-end encrypted collaborative office suite. In versions prior to 2026.2.0, the HTML sanitizer in Diffmarked.js can be bypassed due to incomplete attribute filtering on restricted tags. The sanitizer validates only the src attribute of , , and elements, leaving all other...

6.1CVSS5.9AI score0.00031EPSS

NVD•added 2026/05/19 10:16 p.m.•10 views

CVE-2026-5090

Template::Plugin::HTML versions through 3.102 for Perl allows HTML and JavaScript to be injected. The htmlfilter function did not escape single quotes. HTML attributes inside of single quotes could be have code injected. For example, the variable "var" in would not be properly escaped. An attacke...

6.1CVSS0.0001EPSS

NVD•added 2026/05/19 2:16 p.m.•6 views

CVE-2025-40903

A Stored HTML Injection vulnerability was discovered in the Schedule Restore Archive functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can define a malicious restore schedule containing HTML tags. When a victim views the affected...

5.9CVSS0.00029EPSS

NVD•added 2026/05/19 2:16 p.m.•5 views

CVE-2025-40902

A Stored HTML Injection vulnerability was discovered in the Users functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can create a malicious user whose username contains HTML tags. When a victim attempts to delete a group containing...

5.9CVSS0.00029EPSS

ATTACKERKB•added 2026/05/19 1:23 p.m.•2 views

CVE-2025-40904

A Stored HTML Injection vulnerability was discovered in the Smart Polling functionality due to improper validation of an input parameter. An authenticated user with limited privileges can push malicious remote strategies containing HTML tags through the sync. When a victim views the affected remo...

6.5CVSS5.8AI score0.0003EPSS

Positive Technologies•added 2026/05/19 12:0 a.m.•5 views

PT-2026-41891

6.5CVSS5.8AI score0.0003EPSS

Positive Technologies•added 2026/05/19 12:0 a.m.•4 views

PT-2026-41888

A Stored HTML Injection vulnerability was discovered in the Credentials Manager functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can define a malicious identity containing HTML tags. When a victim attempts to delete the affected...

5.9CVSS5.8AI score0.00029EPSS

EUVD•added 2026/05/14 6:13 p.m.•2 views

EUVD-2026-30356

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan's Bazaar community marketplace renders the name and version fields of a package's plugin.json and the equivalent theme.json / template.json / widget.json / icon.json into the Settings → Marketplace UI without HT...

9CVSS5.8AI score0.00015EPSS