Cvelist
added 2026/03/31 9:45 p.m., 19 views

CVE-2026-34449 SiYuan: Cross-Origin RCE via Permissive CORS Policy and JavaScript Snippet Injection

SiYuan is a personal knowledge management system. Prior to version 3.6.2, a malicious website can achieve Remote Code Execution (RCE) on any desktop running SiYuan by exploiting the permissive CORS policy (Access-Control-Allow-Origin: * + Access-Control-Allow-Private-Network: true) to inject a JavaScri...

CVSS 9.6, EPSS 0.00499
Exploits 1, References 3
EUVD
added 2026/03/31 9:45 p.m., 5 views

EUVD-2026-17676

SiYuan is a personal knowledge management system. Prior to version 3.6.2, a malicious website can achieve Remote Code Execution (RCE) on any desktop running SiYuan by exploiting the permissive CORS policy (Access-Control-Allow-Origin: * + Access-Control-Allow-Private-Network: true) to inject a JavaScri...

CVSS 9.6, AI score 5.9, EPSS 0.00499
Exploits 1, References 3
CVE
added 2026/03/31 9:45 p.m., 5 views

CVE-2026-34449

CVE-2026-34449 affects SiYuan Desktop prior to 3.6.2. The root cause is a permissive CORS/Private Network policy in the local API (Access-Control-Allow-Origin: * and Access-Control-Allow-Private-Network: true) coupled with an endpoint that can inject JavaScript snippets. An attacker-controlled pa...

CVSS 9.6, AI score 5.9, EPSS 0.00499
Exploits 1, References 3, Affected Software 1
OSV
added 2026/03/31 9:45 p.m., 3 views

CVE-2026-34449 SiYuan: Cross-Origin RCE via Permissive CORS Policy and JavaScript Snippet Injection

SiYuan is a personal knowledge management system. Prior to version 3.6.2, a malicious website can achieve Remote Code Execution (RCE) on any desktop running SiYuan by exploiting the permissive CORS policy (Access-Control-Allow-Origin: * + Access-Control-Allow-Private-Network: true) to inject a JavaScri...

CVSS 9.6, AI score 5.9, EPSS 0.00499
Exploits 1, References 5
NVD
added 2026/03/31 9:16 p.m., 2 views

CVE-2026-3468

A stored Cross-Site Scripting (XSS) vulnerability has been identified in the SonicWall Email Security appliance due to improper neutralization of user-supplied input during web page generation, allowing a remote authenticated attacker as admin user to potentially execute arbitrary JavaScript code...

CVSS 4.8, EPSS 0.00226
Exploits 0, References 1
CVE
added 2026/03/31 8:40 p.m., 8 views

CVE-2026-34396

WWBN AVideo (versions 26.0 and earlier) has a stored XSS vulnerability in the admin plugin configuration handling. The jsonToFormElements() function in admin/functions.php directly interpolates user-controlled values into HTML form fields (textarea contents, option elements, and input attributes)...

CVSS 6.1, AI score 6, EPSS 0.00217
Exploits 1, References 1, Affected Software 1
OSV
added 2026/03/31 8:40 p.m., 3 views

CVE-2026-34396 AVideo: Stored XSS via Unescaped Plugin Configuration Values in Admin Panel

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo admin panel renders plugin configuration values in HTML forms without applying htmlspecialchars or any other output encoding. The jsonToFormElements function in admin/functions.php directly interpolates...

CVSS 6.1, AI score 6, EPSS 0.00217
Exploits 1, References 3
CVE
added 2026/03/31 8:17 p.m., 7 views

CVE-2026-3468

SonicWall Email Security appliance is affected by CVE-2026-3468, a stored XSS flaw caused by improper neutralization of user-supplied input during web page generation. The vulnerability requires a remote authenticated attacker with admin privileges and could allow arbitrary JavaScript execution in...

CVSS 4.8, AI score 6, EPSS 0.00226
Exploits 0, References 1, Affected Software 1
Cvelist
added 2026/03/31 8:17 p.m., 19 views

CVE-2026-3468

A stored Cross-Site Scripting (XSS) vulnerability has been identified in the SonicWall Email Security appliance due to improper neutralization of user-supplied input during web page generation, allowing a remote authenticated attacker as admin user to potentially execute arbitrary JavaScript code...

EPSS 0.00226
Exploits 0, References 1
NVD
added 2026/03/31 6:16 p.m., 2 views

CVE-2026-32243

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an attacker with the ability to create shared AI conversations could inject arbitrary HTML and JavaScript via crafted...

CVSS 6.1, EPSS 0.00169
Exploits 0, References 2
RedhatCVE
added 2026/03/31 5:00 p.m., 1 view

CVE-2026-27508

Smoothwall Express versions prior to 3.1 Update 13 contain a reflected cross-site scripting vulnerability in the /redirect.cgi endpoint due to improper sanitization of the url parameter. Attackers can craft malicious URLs with javascript: schemes that execute arbitrary JavaScript in victims' browse...

CVSS 5.4, AI score 6, EPSS 0.00155
Exploits 0, References 1
NVD
added 2026/03/31 4:16 p.m., 3 views

CVE-2026-34240

JOSE is a Javascript Object Signing and Encryption (JOSE) library. Prior to version 0.3.5+1, a vulnerability in jose could allow an unauthenticated, remote attacker to forge valid JWS/JWT tokens by using a key embedded in the JOSE header jwk. The vulnerability exists because key selection could tre...

CVSS 7.5, EPSS 0.0013
Exploits 0, References 2
NVD
added 2026/03/31 4:16 p.m., 4 views

CVE-2026-34231

Slippers is a UI component framework for Django. Prior to version 0.6.3, a Cross-Site Scripting (XSS) vulnerability exists in the {% attrs %} template tag of the slippers Django package. When a context variable containing untrusted data is passed to {% attrs %}, the value is interpolated into an HTML...

CVSS 6.1, EPSS 0.00227
Exploits 1, References 3
NVD
added 2026/03/31 4:16 p.m., 1 view

CVE-2026-34221

MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, a prototype pollution vulnerability exists in the Utils.merge helper used internally by MikroORM when merging object structures. The function did not prevent...

CVSS 9.1, EPSS 0.00377
Exploits 0, References 1
RedHat Linux
added 2026/03/31 4:12 p.m., 2 views

axios: Axios affected by Denial of Service via __proto__ Key in mergeConfig

A denial of service flaw has been discovered in the Axios npm package. The mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via...

CVSS 7.5, AI score 6.7, EPSS 0.01242
Exploits 1, References 7
EUVD
added 2026/03/31 3:44 p.m., 4 views

EUVD-2026-17498

JOSE is a Javascript Object Signing and Encryption (JOSE) library. Prior to version 0.3.5+1, a vulnerability in jose could allow an unauthenticated, remote attacker to forge valid JWS/JWT tokens by using a key embedded in the JOSE header jwk. The vulnerability exists because key selection could tre...

CVSS 7.5, AI score 5.8, EPSS 0.0013
Exploits 0, References 2
EUVD
added 2026/03/31 3:31 p.m., 1 view

EUVD-2026-17429

Stored cross-site scripting (XSS) in Checkmk 2.5.0 beta before 2.5.0b2 allows authenticated users with permission to create hosts or services to execute arbitrary JavaScript in the browsers of other users performing searches in the Unified Search feature...

CVSS 8.6, AI score 6, EPSS 0.00144
Exploits 0, References 2
NVD
added 2026/03/31 3:16 p.m., 2 views

CVE-2026-20915

Stored cross-site scripting (XSS) in Checkmk version 2.5.0 beta before 2.5.0b2 allows authenticated users with permission to create pending changes to inject malicious JavaScript into the Pending Changes sidebar, which will execute in the browsers of other users viewing the sidebar...

CVSS 8.5, EPSS 0.00147
Exploits 0, References 1
OSV
added 2026/03/31 3:16 p.m., 4 views

UBUNTU-CVE-2026-20915

Stored cross-site scripting (XSS) in Checkmk version 2.5.0 beta before 2.5.0b2 allows authenticated users with permission to create pending changes to inject malicious JavaScript into the Pending Changes sidebar, which will execute in the browsers of other users viewing the sidebar...

CVSS 8.5, AI score 5.7, EPSS 0.00147
Exploits 0, References 3
Vulnrichment
added 2026/03/31 1:51 p.m., 1 view

CVE-2026-20915 Stored cross-site scripting in Pending Changes sidebar

Stored cross-site scripting (XSS) in Checkmk version 2.5.0 beta before 2.5.0b2 allows authenticated users with permission to create pending changes to inject malicious JavaScript into the Pending Changes sidebar, which will execute in the browsers of other users viewing the sidebar...

CVSS 8.5, AI score 5.9, EPSS 0.00147
Exploits 0, References 1