CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

ATTACKERKB•added last week•4 views

CVE-2026-44698

Exploits0References2Affected Software3

Vulnrichment•added last week•5 views

CVE-2026-44698 Home Assistant: Cross-origin iframe access token exfiltration via WebView JS bridge callback injection

CVE•added last week•24 views

CVE-2026-44698

CVE-2026-44698 affects the Home Assistant Companion apps for Android and iOS, where a JavaScript bridge exposed to in-app WebView could be reached by all frames. The root cause is the bridge exposure along with unsanitized interpolation of the JavaScript callback identifier, allowing a cross-orig...

EUVD•added last week•5 views

EUVD-2026-33317

Cvelist•added last week•26 views

CVE-2026-44698 Home Assistant: Cross-origin iframe access token exfiltration via WebView JS bridge callback injection

8.3CVSS0.0002EPSS

Nuclei•added 2026/05/28 5:39 a.m.•16 views

Thinfinity Iframe Injection

A vulnerability exists in Thinfinity VirtualUI in a function located in /lab.html reachable which by default could allow IFRAME injection via the "vpath" parameter. id: CVE-2021-45092 info: name: Thinfinity Iframe Injection author: danielmofer severity: critical description: A vulnerability exist...

9.8CVSS6.7AI score0.81835EPSS

Exploits7References5

Snyk•added 2026/05/27 9:41 a.m.•6 views

Cross-site Scripting (XSS)

Overview symfony/symfony is a PHP framework for web applications and a set of reusable PHP components. Affected versions of this package are vulnerable to Cross-site Scripting XSS via HtmlSanitizer due to improper sanitization of URL attributes on object, applet, iframe, img and meta refresh. By...

6.1CVSS5.6AI score

Exploits0References2

NVD•added 2026/05/27 7:16 a.m.•7 views

CVE-2026-8877

The Responsive Video Embedder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'remvideo' shortcode in versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes notably 'id' and 'list' in the...

NVD•added 2026/05/27 7:16 a.m.•7 views

CVE-2026-8891

The BitForm plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bitform' shortcode in versions up to, and including, 1.1.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes 'width' and 'height' in the...

6.4CVSS0.00034EPSS

NVD•added 2026/05/27 7:16 a.m.•9 views

CVE-2026-8837

The WP Iframe Geo Style for Amazon affiliates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'adid' Shortcode Attribute in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

NVD•added 2026/05/27 7:16 a.m.•8 views

CVE-2026-8844

The Responsive Check plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rspcheck' shortcode in versions up to, and including, 0.0.3. This is due to insufficient input sanitization and output escaping on the 'url' and 'button' shortcode attributes in the rspccheckshortcode...

6.4CVSS0.00034EPSS

NVD•added 2026/05/27 7:16 a.m.•6 views

CVE-2026-8698

The Cryptocurrency Prijsvergelijking Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0. This is due to insufficient output escaping in the asgetcoinshortcode function, which renders the 'width' and 'height' shortcode attribute directly into the style attribut...

ATTACKERKB•added 2026/05/27 5:31 a.m.•6 views

CVE-2026-8844

6AI score0.00034EPSS

Exploits0References5

EUVD•added 2026/05/27 5:31 a.m.•6 views

EUVD-2026-32089

The Dideo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dideo' shortcode in version 1.0. This is due to insufficient input sanitization and output escaping on the 'id' shortcode attribute, which is interpolated directly into an HTML iframe 'src' attribute...

6.4CVSS6AI score0.00032EPSS

CVE•added 2026/05/27 5:31 a.m.•10 views

CVE-2026-8847

The CVE-2026-8847 entry concerns the WordPress Dideo plugin (version 1.0) with a Stored XSS flaw in the dideo shortcode. The root cause is insufficient input sanitization and output escaping on the id attribute, which is inserted into an iframe src without escaping in the dideo() handler. Attacke...

6.4CVSS6AI score0.00032EPSS

Cvelist•added 2026/05/27 5:31 a.m.•25 views

CVE-2026-8844 Responsive Check <= 0.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

6.4CVSS0.00034EPSS

ATTACKERKB•added 2026/05/27 5:31 a.m.•7 views

CVE-2026-8847

6AI score0.00032EPSS

ATTACKERKB•added 2026/05/27 5:31 a.m.•5 views

CVE-2026-8845

The Islamic Database plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'islamicDB-roqya' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user-supplied 'width' and 'height' shortcode attributes within th...

6AI score0.00032EPSS

Cvelist•added 2026/05/27 5:31 a.m.•25 views

CVE-2026-8845 Islamic Database <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes