Lucene search
K

24582 matches found

Positive Technologies
Positive Technologies
added 2026/06/27 12:0 a.m.12 views

PT-2026-53051

Name of the Vulnerable Software and Affected Versions Dokan: AI Powered WooCommerce Multivendor Marketplace Solution versions prior to 5.0.5 Description Stored Cross-Site Scripting occurs due to insufficient input sanitization and output escaping. Authenticated attackers with custom-level access ...

6.4CVSS5.8AI score0.0022EPSS
Exploits0References14
Nuclei
Nuclei
added 2026/06/25 5:45 a.m.34 views

Grafana Post-Auth DuckDB - SQL Injection To File Read

The SQL Expressions experimental feature of Grafana allows for the evaluation of duckdb queries containing user input. These queries are insufficiently sanitized before being passed to duckdb, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or highe...

9.9CVSS6.6AI score0.97781EPSS
Exploits10References3
CVE
CVE
added 2026/06/25 5:3 a.m.38 views

CVE-2026-10086

GitLab: CVE-2026-10086 affects GitLab EE versions 16.4–before 18.11.6, 19.0–before 19.0.3, and 19.1–before 19.1.1. Affected condition allowed an authenticated user with developer permissions to execute arbitrary client-side code in another user’s session due to improper sanitization. Impact per C...

8.7CVSS6.2AI score0.00231EPSS
Exploits0References3Affected Software1
EUVD
EUVD
added 2026/06/25 5:3 a.m.5 views

EUVD-2026-39181

GitLab has remediated an issue in GitLab EE affecting all versions from 16.4 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with developer-role permissions to execute arbitrary client-side code in the context of...

8.7CVSS6.2AI score0.00231EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/06/25 1:56 a.m.6 views

CVE-2026-8658

OS Command Injection vulnerability in Rapid7 InsightConnect Tcpdump Plugin on Linux allows authenticated attackers to execute arbitrary OS commands via the options or filter parameters due to insufficient input sanitization in shell command construction...

6CVSS6.2AI score0.00833EPSS
Exploits0References2
CVE
CVE
added 2026/06/25 1:12 a.m.13 views

CVE-2026-8665

CVE-2026-8665 affects the Rapid7 InsightConnect Translate Plugin (Linux) via the TR action. The root cause is insufficient input sanitization in shell command construction within the TR action, allowing an attacker to supply text or expression parameters that leads to OS command execution. Docume...

9.8CVSS6.3AI score0.00675EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/06/25 1:12 a.m.30 views

CVE-2026-8665 OS Command Injection in Rapid7 InsightConnect Translate Plugin

OS Command Injection vulnerability in the TR action of Rapid7 InsightConnect Translate Plugin on Linux allows remote attackers to execute arbitrary OS commands via the text or expression parameters due to insufficient input sanitization in shell command construction...

7.7CVSS0.00675EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/25 1:12 a.m.9 views

EUVD-2026-39158

OS Command Injection vulnerability in the TR action of Rapid7 InsightConnect Translate Plugin on Linux allows remote attackers to execute arbitrary OS commands via the text or expression parameters due to insufficient input sanitization in shell command construction...

7.7CVSS6.3AI score0.00675EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/06/25 12:0 a.m.7 views

GitLab 16.4 < 18.11.6 / 19.0 < 19.0.3 / 19.1 < 19.1.1 (CVE-2026-10086)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - GitLab has remediated an issue in GitLab EE affecting all versions from 16.4 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticate...

8.7CVSS6.2AI score0.00231EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/06/24 11:56 p.m.31 views

CVE-2026-8663 OS Command Injection in Rapid7 InsightConnect RPM Plugin

OS Command Injection vulnerability in Rapid7 InsightConnect RPM Plugin on Linux allows authenticated attackers to execute arbitrary OS commands via the repo, key, or name parameters due to insufficient input sanitization in shell command construction...

6CVSS0.00833EPSS
Exploits0References1
CVE
CVE
added 2026/06/24 11:56 p.m.15 views

CVE-2026-8663

CVE-2026-8663 describes an OS Command Injection in the Rapid7 InsightConnect RPM Plugin for Linux. The vulnerability arises from insufficient input sanitization during shell command construction, allowing an authenticated attacker to cause arbitrary OS command execution via the repo, key, or name...

8.8CVSS6.2AI score0.00833EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 2026/06/24 5:33 a.m.7 views

EUVD-2026-38683

The Avalon23 Products Filter for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'avalon23qr' shortcode in all versions up to, and including, 1.1.6. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes notab...

6.4CVSS6AI score0.00193EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/24 5:33 a.m.34 views

CVE-2026-8865 Avalon23 Products Filter for WooCommerce <= 1.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Avalon23 Products Filter for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'avalon23qr' shortcode in all versions up to, and including, 1.1.6. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes notab...

6.4CVSS0.00193EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/24 5:33 a.m.31 views

CVE-2026-8628 EntreDroppers <= 1.1.2 - Reflected Cross-Site Scripting via PHP_SELF Parameter

The EntreDroppers plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHPSELF Parameter in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts...

6.1CVSS0.00205EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/24 2:29 a.m.7 views

EUVD-2026-38643

The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'customattributes' parameter in all versions up to, and including, 1.7.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS6AI score0.00256EPSS
Exploits0References19
Positive Technologies
Positive Technologies
added 2026/06/24 12:0 a.m.15 views

PT-2026-51682

Name of the Vulnerable Software and Affected Versions Image Sizes on Demand versions prior to 1.4 Description Insufficient input sanitization and output escaping in the PHP SELF server variable allow unauthenticated attackers to inject arbitrary web scripts. These scripts execute if a user is...

6.1CVSS6.1AI score0.00168EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/06/24 12:0 a.m.4 views

PT-2026-52175

Name of the Vulnerable Software and Affected Versions Drupal Geolocation Field versions 0.0.0 through 3.15.0 Description An SQL injection issue exists in the Drupal Geolocation Field module, which provides functionality to store coordinates and supports views and other modules. The problem occurs...

6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/24 12:0 a.m.9 views

PT-2026-51665

Name of the Vulnerable Software and Affected Versions Cincopa video and media plug-in versions prior to 1.164 Description The Cincopa video and media plug-in for WordPress contains a Stored Cross-Site Scripting issue. This occurs because the plugin processes the cincopa shortcode via a comment te...

7.2CVSS6AI score0.00297EPSS
Exploits0References10
Tenable Nessus
Tenable Nessus
added 2026/06/23 12:0 a.m.3 views

Automated Logic WebCTRL Premium Server Improper Neutralization of Input During Web Page Generation (CVE-2024-8528)

CWE-79 Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability exists in Automated Logic WebCTRL and Carrier i-Vu Building Automation System products. User input is not properly sanitized, allowing injection of malicious scripts into web pages viewed by...

5.4CVSS5.8AI score0.00106EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2026/06/23 12:0 a.m.7 views

Automated Logic WebCTRL Premium Server Improper Neutralization of Input During Web Page Generation (CVE-2024-8528)

CWE-79 Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability exists in Automated Logic WebCTRL and Carrier i-Vu Building Automation System products. User input is not properly sanitized, allowing injection of malicious scripts into web pages viewed by...

5.4CVSS5.8AI score0.00106EPSS
Exploits0References3
Rows per page
Query Builder