127 matches found

NVD
added 4 days ago, 7 views

CVE-2026-48942

K2 ≤ 2.26 renders the k2users.image column directly into HTML src attributes via two distinct templates, in both cases without HTML escaping...

CVSS 6.1, EPSS 0.00149
Exploits: 0, References: 1

EUVD
added 4 days ago, 8 views

EUVD-2026-39439

K2 ≤ 2.26 renders the k2users.image column directly into HTML src attributes via two distinct templates, in both cases without HTML escaping...

CVSS 6.1, AI score 5.8, EPSS 0.00149
Exploits: 0, References: 1

Vulnrichment
added 4 days ago, 5 views

CVE-2026-48942 Joomla Extension - getk2.org - Stored-XSS in K2 extension for Joomla < 2.26

K2 ≤ 2.26 renders the k2users.image column directly into HTML src attributes via two distinct templates, in both cases without HTML escaping...

AI score 5.8, EPSS 0.00149
Exploits: 0, References: 1

ATTACKERKB
added 4 days ago, 3 views

CVE-2026-48942

K2 ≤ 2.26 renders the k2users.image column directly into HTML src attributes via two distinct templates, in both cases without HTML escaping...

CVSS 6.1, AI score 5.8, EPSS 0.00149
Exploits: 0, References: 2, Affected Software: 1

CVE
added 4 days ago, 7 views

CVE-2026-48942

Affected software: K2 extension for Joomla (getk2.com), version constraint listed as K2 ≤ 2.26. Vulnerability: two templates render the database column __#k2_users.image directly into HTML src attributes without HTML escaping, revealing a stored-XSS risk. Root cause: lack of escaping when injecti...

CVSS 6.1, AI score 5.8, EPSS 0.00149
Exploits: 0, References: 1, Affected Software: 1

Cvelist
added 4 days ago, 30 views

CVE-2026-57535

Content injected to PDF rendering contexts could, in many places, include HTML content including tags. If the src attribute of these images pointed to an URL, the PDF rendering engine would download the image from that place and display it, thereby leaking information about the rendering server a...

CVSS 2.1, EPSS 0.00308
Exploits: 0, References: 1

CVE
added 5 days ago, 8 views

CVE-2026-9620

CVE-2026-9620 concerns the WordPress plugin WP Latest Posts (≤ 5.0.11). It enables a Stored Cross-Site Scripting (XSS) via crafted image src attributes in post content. The root cause is insufficient output escaping in the plugin’s field() and loop() functions, which extract the raw src from img ...

CVSS 6.4, AI score 6, EPSS 0.00207
Exploits: 0, References: 4

Cvelist
added 5 days ago, 33 views

CVE-2026-9620 WP Latest Posts <= 5.0.11 - Authenticated (Author+) Stored Cross-Site Scripting via Post Content Image src Attribute

The WP Latest Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via crafted image src attributes in post content in versions up to, and including, 5.0.11. This is due to insufficient output escaping in the field and loop functions, which extract the raw src attribute value...

CVSS 6.4, EPSS 0.00207
Exploits: 0, References: 4

RedhatCVE
added 2026/06/05 7:28 p.m., 8 views

CVE-2026-4852

The Image Source Control Lite – Show Image Credits and Captions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Image Source' attachment field in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping. This makes it possible...

CVSS 6.4, AI score 5.7, EPSS 0.00155
Exploits: 0, References: 1

Cvelist
added 2026/05/12 7:48 a.m., 38 views

CVE-2026-2300 BJ Lazy Load <= 1.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom HTML Block

The BJ Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the filterimages function in all versions up to, and including, 1.0.9. This is due to the use of regex-based HTML processing preg_replace that does not properly handle HTML attribute boundaries when replacing sr...

CVSS 6.4, EPSS 0.00193
Exploits: 0, References: 5

EUVD
added 2026/04/20 9:31 p.m., 5 views

EUVD-2026-23974

The Image Source Control Lite – Show Image Credits and Captions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Image Source' attachment field in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping. This makes it possible...

CVSS 6.4, AI score 5.9, EPSS 0.00155
Exploits: 0, References: 3

NVD
added 2026/04/20 9:16 p.m., 8 views

CVE-2026-4852

The Image Source Control Lite – Show Image Credits and Captions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Image Source' attachment field in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping. This makes it possible...

CVSS 6.4, EPSS 0.00155
Exploits: 0, References: 2

CVE
added 2026/04/20 8:26 p.m., 8 views

CVE-2026-4852

The CVE-2026-4852 entry concerns the Image Source Control Lite – Show Image Credits and Captions WordPress plugin. Affected component: the Image Source attachment field. Root cause: insufficient input sanitization and output escaping. Impact: Stored Cross-Site Scripting that can be triggered when...

CVSS 6.4, AI score 5.9, EPSS 0.00155
Exploits: 0, References: 2

Vulnrichment
added 2026/04/20 8:26 p.m., 2 views

CVE-2026-4852 Image Source Control Lite – Show Image Credits and Captions <= 3.9.1 - Authenticated (Author+) Stored Cross-Site Scripting via 'Image Source' Field

The Image Source Control Lite – Show Image Credits and Captions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Image Source' attachment field in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping. This makes it possible...

CVSS 6.4, AI score 5.9, EPSS 0.00155
Exploits: 0, References: 2

ATTACKERKB
added 2026/04/20 8:26 p.m., 3 views

CVE-2026-4852

The Image Source Control Lite – Show Image Credits and Captions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Image Source' attachment field in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping. This makes it possible...

CVSS 6.4, AI score 5.9, EPSS 0.00155
Exploits: 0, References: 3

Cvelist
added 2026/04/20 8:26 p.m., 28 views

CVE-2026-4852 Image Source Control Lite – Show Image Credits and Captions <= 3.9.1 - Authenticated (Author+) Stored Cross-Site Scripting via 'Image Source' Field

The Image Source Control Lite – Show Image Credits and Captions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Image Source' attachment field in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping. This makes it possible...

CVSS 6.4, EPSS 0.00155
Exploits: 0, References: 2

Patchstack
added 2026/04/20 7:57 a.m., 4 views

WordPress Image Source Control Lite – Show Image Credits and Captions plugin <= 3.9.1 - Authenticated (Author+) Stored Cross-Site Scripting vulnerability

Authenticated Author+ Stored Cross-Site Scripting vulnerability discovered by ? in WordPress Plugin Image Source Control versions <= 3.9.1...

CVSS 6.4, AI score 5.8, EPSS 0.00155
Exploits: 0, References: 1, Affected Software: 1

CNNVD
added 2026/04/20 12:0 a.m., 6 views

WordPress plugin Image Source Control Lite – Show Image Credits and Captions security vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

CVSS 6.4, AI score 5.9, EPSS 0.00155
Exploits: 0, References: 1

Positive Technologies
added 2026/04/20 12:0 a.m., 7 views

PT-2026-33849

The Image Source Control Lite – Show Image Credits and Captions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Image Source' attachment field in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping. This makes it possible...

CVSS 6.4, AI score 5.9, EPSS 0.00155
Exploits: 0, References: 4

Debian
added 2026/03/30 3:9 p.m., 3 views

[SECURITY] [DLA 4517-1] roundcube security update

Debian LTS Advisory DLA-4517-1, [email protected], https://www.debian.org/lts/security/
Guilhem Moulin, March 30, 2026, https://wiki.debian.org/LTS
Package: roundcube
Version: 1.4.15+dfsg.1-1+deb11u8
CVE ID: not yet available
Debian Bug: 1131182 1132268
Multiple vulnerabilities were...

AI score 5.9
Exploits: 0