CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSV•added 2026/06/12 9:0 p.m.•7 views

GHSA-W22M-HVVM-XMWX Fabric.js improper escaping in fabric.Gradient colorStops leads to XSS in SVG serialization

Summary A potential Cross-Site Scripting XSS vulnerability exists in Fabric.js due to improper escaping of user-controlled input during SVG serialization via the toSVG method. Specifically, the color field within the colorStops array of a fabric.Gradient object is not properly escaped when...

5.4CVSS5.9AI score0.00033EPSS

Vulnrichment•added 2026/06/12 5:34 p.m.•16 views

CVE-2026-44172 MariaDB: mysql_real_escape_string() incorrectly handled big5

6.9CVSS5.5AI score0.00502EPSS

CNNVD•added 2026/06/10 12:0 a.m.•9 views

VMware Spring Data Relational 安全漏洞

VMware Spring Data Relational is a relational database access framework developed by VMware, Inc. There is a security vulnerability in VMware Spring Data Relational, which stems from the improper escaping of external control inputs when using StringMatcher in Query By Example. Attackers can use...

4.8CVSS5.3AI score0.00227EPSS

Vulnrichment•added 2026/06/09 11:47 p.m.•7 views

CVE-2026-41697 Spring Data Relational Parameter not Escaped for Query By Example LIKE Pattern

Spring Data Relational does not properly escape binding values of externally-controlled input when using StringMatcher STARTING, ENDING, or CONTAINING in Query By Example QBE. An attacker can supply wildcard characters to perform boolean-based blind data inference. Affected versions: Spring Data...

4.8CVSS5.5AI score0.00227EPSS

Positive Technologies•added 2026/06/09 12:0 a.m.•10 views

PT-2026-48313

4.8CVSS5.5AI score0.00227EPSS

Snyk•added 2026/06/08 12:0 a.m.•6 views

Cross-site Scripting (XSS)

Overview org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform. Affected versions of this package are vulnerable to Cross-site Scripting XSS via improper...

7.1CVSS5.5AI score0.00161EPSS

RedhatCVE•added 2026/06/05 7:18 p.m.•5 views

CVE-2026-6177

The Custom Twitter Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.5.4. This is due to insufficient output escaping in the CTFDisplayElements::getposttext function when rendering cached tweet text. The plugin's ctfgetmoreposts AJAX action ...

7.2CVSS5.7AI score0.00315EPSS

RedhatCVE•added 2026/06/05 7:13 p.m.•5 views

CVE-2026-40873

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the Quarantine details modal injects attachment filenames into HTML without escaping, allowing arbitrary HTML/JS execution. An attacker can deliver an email with a crafted attachment name s...

8.9CVSS5.6AI score0.00325EPSS

Cvelist•added 2026/05/29 5:49 p.m.•32 views

CVE-2026-44651 SillyTavern: Reflected XSS vulnerability in the CORS proxy middleware

SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, when fetchurl throws, the code sends: res.status500.send'Error occurred while trying to proxy to:...

6.9CVSS0.00323EPSS

EUVD•added 2026/05/27 5:31 a.m.•10 views

EUVD-2026-32078

The Tuxquote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'TUXQUOTE' shortcode in versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes 'title', 'align', and 'width' in the tuxquotebuildforma...

6.4CVSS6AI score0.00187EPSS

OSV•added 2026/05/19 7:42 p.m.•3 views

GHSA-M9P2-FXP5-V3FP Diesel: Command injection in Diesel's implementation of `COPY FROM`/`COPY TO`

Diesel allows users to configure various options for PostgreSQL's COPY FROM and COPY TO statements. These configurations are partially provided as strings or characters. Diesel did not check if any these user-provided options contain a quote character ', which can lead to the injection of...

6.9CVSS5.8AI score

CNNVD•added 2026/05/19 12:0 a.m.•8 views

WordPress plugin Contest Gallery SQL注入漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

7.5CVSS5.9AI score0.00391EPSS

Veracode•added 2026/05/16 5:27 a.m.•6 views

Cross-site Scripting (XSS)

FileBrowser Quantum is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper escaping of user-controlled share metadata fields when rendered in HTML using text/template, which allows an attacker to inject and execute malicious scripts when users visit a shared URL...

8.9CVSS7.3AI score0.00347EPSS

Exploits1References4Affected Software1

CNNVD•added 2026/05/12 12:0 a.m.•6 views

WordPress plugin AI Chatbot & Workflow Automation by AIWU SQL注入漏洞

7.5CVSS5.9AI score0.00413EPSS

Snyk•added 2026/05/11 3:56 p.m.•6 views

Cross-site Scripting (XSS)

Overview next is a react framework. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the beforeInteractive process, when untrusted input is embedded without proper escaping. An attacker can execute arbitrary JavaScript in a user's browser by injecting malicious...

6.1CVSS5.8AI score0.00205EPSS