Lucene search
K

1162 matches found

Nuclei
Nuclei
added 8 hours ago21 views

Responsive Pricing Table <= 5.1.12 - Cross-Site Scripting

The Responsive Pricing Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'planicons' parameter in all versions up to, and including, 5.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-lev...

6.4CVSS6.2AI score0.00598EPSS
Exploits0References3
Nuclei
Nuclei
added 8 hours ago55 views

WordPress Easy Social Icons Plugin < 3.0.9 - Cross-Site Scripting

The Easy Social Icons plugin = 3.0.8 for WordPress echoes out the raw value of $SERVER'PHPSELF' in its main file. On certain configurations including Apache+modPHP this makes it possible to use it to perform a reflected cross-site scripting attack by injecting malicious code in the request path...

6.1CVSS6.4AI score0.0236EPSS
Exploits2References5
NVD
NVD
added yesterday8 views

CVE-2026-15527

A vulnerability has been found in better-auth better-icons up to 1.0.5. This vulnerability affects unknown code of the component scanprojecticons/syncicon. Such manipulation of the argument iconsfile leads to path traversal. An attack has to be approached locally. The exploit has been disclosed t...

5.3CVSS0.0014EPSS
Exploits0References6
CVE
CVE
added yesterday7 views

CVE-2026-15527

Summary: CVE-2026-15527 affects better-auth better-icons up to 1.0.5, with a path traversal vulnerability in the scan_project_icons/sync_icon component triggered by manipulating the icons_file argument. Local access is required. The exploit has been publicly disclosed and the project was informed...

5.3CVSS5.6AI score0.0014EPSS
Exploits0References6
EUVD
EUVD
added yesterday5 views

EUVD-2026-43271

A vulnerability has been found in better-auth better-icons up to 1.0.5. This vulnerability affects unknown code of the component scanprojecticons/syncicon. Such manipulation of the argument iconsfile leads to path traversal. An attack has to be approached locally. The exploit has been disclosed t...

5.3CVSS5.6AI score0.0014EPSS
Exploits0References6
Cvelist
Cvelist
added yesterday26 views

CVE-2026-15527 better-auth better-icons scan_project_icons/sync_icon path traversal

A vulnerability has been found in better-auth better-icons up to 1.0.5. This vulnerability affects unknown code of the component scanprojecticons/syncicon. Such manipulation of the argument iconsfile leads to path traversal. An attack has to be approached locally. The exploit has been disclosed t...

5.3CVSS0.0014EPSS
Exploits0References6
CVE
CVE
added 6 days ago25 views

CVE-2026-55877

The CVE-2026-55877 entry covers an XSS vulnerability in Symfony UX icons. From 2.17.0–2.36.0 and 3.0.0–3.1.9 (before 3.2.0), the ux_icon() Twig function is marked is_safe=['html'] and Icon::toHtml() inlines SVG source, allowing unsanitized local SVGs or Iconify on-demand responses to contain nest...

6.1CVSS5.6AI score0.00194EPSS
Exploits0References4
Cvelist
Cvelist
added 6 days ago38 views

CVE-2026-55877 Symfony UX: XSS in symfony/ux-icons via unsanitized SVG content in local files and Iconify on-demand responses

Symfony UX is a JavaScript ecosystem for Symfony. From 2.17.0 before 2.36.1 and from 3.0.0 before 3.2.0, the uxicon Twig function is marked issafe='html' and Icon::toHtml inlines SVG source verbatim, allowing unsanitized local SVG files or Iconify on-demand JSON body responses containing nested...

6.1CVSS0.00194EPSS
Exploits0References4
NVD
NVD
added 2026/06/24 1:16 p.m.10 views

CVE-2026-56302

Capgo before 12.128.2 contains an unsecured images bucket lacking any row level security controls, allowing unauthenticated attackers to read, insert, and delete stored app icons. Remote attackers can exploit this misconfiguration to delete all icons and leak sensitive app IDs and user IDs...

6.9CVSS0.00208EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/24 11:53 a.m.11 views

EUVD-2026-38749

Capgo before 12.128.2 contains an unsecured images bucket lacking any row level security controls, allowing unauthenticated attackers to read, insert, and delete stored app icons. Remote attackers can exploit this misconfiguration to delete all icons and leak sensitive app IDs and user IDs...

6.9CVSS5.9AI score0.00208EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/23 10:50 a.m.9 views

EUVD-2026-38424

Open VSX Registry does not sanitize SVG files uploaded as extension icons prior to storage, and serves them with Content-Type: image/svg+xml without security headers such as Content-Security-Policy or Content-Disposition: attachment. This allows an attacker to publish an extension with a maliciou...

4.1CVSS5.9AI score0.00226EPSS
Exploits1References1
Github Security Blog
Github Security Blog
added 2026/06/19 9:42 p.m.10 views

symfony/ux-icons: XSS via unsanitized SVG content in local files and Iconify on-demand responses

Description The uxicon Twig function is marked issafe='html', so Twig never escapes its output. Icon::toHtml inlines the SVG source verbatim into the page. Browsers execute elements and on event-handler attributes found inside inline SVG, making any unsanitized icon a vector for cross-site...

6.1CVSS6AI score0.00194EPSS
Exploits0References3Affected Software1
Friends Of PHP
Friends Of PHP
added 2026/06/19 7:21 a.m.8 views

symfony/ux-icons XSS via unsanitized SVG content in local files and Iconify on-demand responses

Description The uxicon Twig function is marked issafe='html', so Twig never escapes its output. Icon::toHtml inlines the SVG source verbatim into the page. Browsers execute elements and on event-handler attributes found inside inline SVG, making any unsanitized icon a vector for cross-site...

6.1CVSS6AI score0.00194EPSS
Exploits0Affected Software1
NVD
NVD
added 2026/06/17 1:19 p.m.10 views

CVE-2024-31435

: Missing Authorization vulnerability in Inisev Social Media & Share Icons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Social Media & Share Icons: from n/a through 2.8.6...

4.3CVSS0.00208EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:17 p.m.13 views

CVE-2026-6261

The Betheme theme for WordPress is vulnerable to Arbitrary File Upload in versions up to, and including, 28.4. This is due to the uploadicons function workflow moving and unzipping user-controlled ZIP files into a public uploads directory without validating extracted file types. This makes it...

8.8CVSS6.4AI score0.00612EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:17 p.m.10 views

CVE-2026-42564

jotty·page is a self-hosted app for your checklists and notes. Prior to 1.22.0, an unauthenticated path traversal vulnerability exists in /api/app-icons/filename. The filename route parameter is joined into a filesystem path without traversal/boundary validation, allowing file reads outside...

8.2CVSS5.5AI score0.00318EPSS
Exploits0References1
CVE
CVE
added 2026/05/21 2:27 a.m.21 views

CVE-2026-4811

CVE-2026-4811 affects the WordPress plugin WPB Floating Menu & Categories (Sticky Floating Side Menu & Categories with Icons). All versions up to 1.0.8 are vulnerable to Stored Cross-Site Scripting via the Icon CSS Class category field due to insufficient input sanitization and output escaping. E...

4.9CVSS6AI score0.00311EPSS
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/19 12:0 a.m.16 views

Malicious code in @antv/graphin-icons (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

5.8AI score
Exploits0References5
OSV
OSV
added 2026/05/19 12:0 a.m.7 views

MAL-2026-4025 Malicious code in @antv/graphin-icons (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

5.8AI score
Exploits0References5
vulnersOsv
vulnersOsv
added 2026/05/18 9:0 p.m.8 views

@antv/gi-assets-advance (>=1.0.0 <=2.5.22), @antv/gi-assets-basic (>=1.0.0 <=2.4.40) +15 more potentially affected by unknown CVE via @antv/graphin-icons (=1.0.0)

@antv/graphin-icons NPM version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/graphin-icons and may be impacted: - @antv/gi-assets-advance =1.0.0, =1.0.0, =1.0.0, =1.0.0, =0.1.0, =0.0.4, =0.0.1, =0.1.0, =1.0.4, =1.0.11, =0.2.6-beta.4,...

5.5AI score
Exploits0
Rows per page
Query Builder