59037 matches found

RedhatCVE
added 2026/02/11 7:30 a.m. | 3 views

CVE-2026-24325

SAP BusinessObjects Enterprise does not sufficiently encode user-controlled inputs, leading to Stored Cross-Site Scripting (XSS) vulnerability. This enables an admin user to inject malicious JavaScript into a website and the injected script gets executed when the user visits the compromised page. Th...

CVSS 4.8 | AI score 5.5 | EPSS 0.00185
Exploits: 0 | References: 1

RedhatCVE
added 2026/02/11 7:30 a.m. | 5 views

CVE-2026-2099

AgentFlow developed by Flowring has a Stored Cross-Site Scripting vulnerability, allowing authenticated remote attackers to inject persistent JavaScript codes that are executed in users' browsers upon page load...

CVSS 5.4 | AI score 5.5 | EPSS 0.00165
Exploits: 0 | References: 1

RedhatCVE
added 2026/02/11 1:33 a.m. | 6 views

CVE-2026-25528

LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. The LangSmith SDK's distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An attacker can inject arbitrary apiurl values through the baggage header, causing the SDK to...

CVSS 5.8 | AI score 5.9 | EPSS 0.00282
Exploits: 0 | References: 1

NVD
added 2026/02/11 1:15 a.m. | 11 views

CVE-2026-1571

User-controlled input is reflected into the HTML output without proper encoding on TP-Link Archer C60 v3, allowing arbitrary JavaScript execution via a crafted URL. An attacker could run script in the device web UI context, potentially enabling credential theft, session hijacking, or unintended...

CVSS 6.1 | EPSS 0.00285
Exploits: 0 | References: 2

OSV
added 2026/02/11 1:15 a.m. | 4 views

CVE-2026-1571

User-controlled input is reflected into the HTML output without proper encoding on TP-Link Archer C60 v3, allowing arbitrary JavaScript execution via a crafted URL. An attacker could run script in the device web UI context, potentially enabling credential theft, session hijacking, or unintended...

CVSS 6.1 | AI score 6 | EPSS 0.00285
Exploits: 0 | References: 2

Vulnrichment
added 2026/02/11 12:39 a.m. | 6 views

CVE-2026-1571 Reflected XSS Vulnerability on TP-Link Archer C60

User-controlled input is reflected into the HTML output without proper encoding on TP-Link Archer C60 v3, allowing arbitrary JavaScript execution via a crafted URL. An attacker could run script in the device web UI context, potentially enabling credential theft, session hijacking, or unintended...

CVSS 5.3 | AI score 5.9 | EPSS 0.00285
Exploits: 0 | References: 2

CNNVD
added 2026/02/11 12:00 a.m. | 5 views

thesystem cross-site scripting vulnerability

thesystem is a password management project developed by Kostas Mitroglou. Version 1.0 of thesystem has a cross-site scripting vulnerability. This vulnerability stems from stored-xss scripts, which can allow malicious scripts to be injected through multiple server data input fields, enabling...

CVSS 6.4 | AI score 5.8 | EPSS 0.00204
Exploits: 1 | References: 3

Positive Technologies
added 2026/02/11 12:00 a.m. | 5 views

PT-2026-7610

GOautodial 4.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the event title parameter. Attackers can exploit the CreateEvent.php endpoint by sending crafted POST requests with XSS payloads to execute arbitrary...

CVSS 6.4 | AI score 5.5 | EPSS 0.00184
Exploits: 0 | References: 4

CNNVD
added 2026/02/11 12:00 a.m. | 40 views

Statamic cross-site scripting vulnerability

Statamic is a powerful flat-file CMS built using Laravel by Statamic Inc. It allows for storing all content, templates, assets, and settings in files rather than in a database. Versions of Statamic 6.0.0 to 6.2.3 had a cross-site scripting vulnerability, which originated from stored cross-site...

CVSS 8.7 | AI score 5.7 | EPSS 0.00293
Exploits: 0 | References: 3

CNNVD
added 2026/02/11 12:00 a.m. | 4 views

kimai cross-site scripting vulnerability

Kimai is a web-based, multi-user time tracking application developed by Kimai’s individual developer. Kimai 2 has a cross-site scripting vulnerability, which stems from stored-xss attacks. This vulnerability could allow the injection of malicious SVG-based scripts into schedule descriptions,...

CVSS 6.4 | AI score 5.9 | EPSS 0.00261
Exploits: 1 | References: 4

CNNVD
added 2026/02/11 12:00 a.m. | 5 views

GOautodial cross-site scripting vulnerability

GOautodial is an open-source next-generation omnichannel contact center suite developed by GOautodial. Version 4.0 of GOautodial contains a cross-site scripting vulnerability. This vulnerability stems from stored-xss scripts, which may allow malicious scripts to be executed through event title...

CVSS 6.4 | AI score 5.7 | EPSS 0.00184
Exploits: 0 | References: 3

Positive Technologies
added 2026/02/11 12:00 a.m. | 9 views

PT-2026-7478

User-controlled input is reflected into the HTML output without proper encoding on TP-Link Archer C60 v3, allowing arbitrary JavaScript execution via a crafted URL. An attacker could run script in the device web UI context, potentially enabling credential theft, session hijacking, or unintended...

CVSS 5.3 | AI score 5.9 | EPSS 0.00285
Exploits: 0 | References: 3

Positive Technologies
added 2026/02/11 12:00 a.m. | 8 views

PT-2026-7507

An attacker with access to the web application ZeusWeb of the provider Microcom (in this case, registration is required) who has the vulnerable software could introduce arbitrary JavaScript by injecting an XSS payload into the ‘Name’ and ‘Surname’ parameters within the ‘My Account’ section at the...

CVSS 4.8 | AI score 5.7 | EPSS 0.00227
Exploits: 0 | References: 5

Cvelist
added 2026/02/10 8:38 p.m. | 26 views

CVE-2025-12699 ZOLL ePCR IOS Mobile Application Insertion of Sensitive Information into Externally-Accessible File or Directory

The ZOLL ePCR IOS application reflects unsanitized user input into a WebView. Attacker-controlled strings placed into PCR fields (run number, incident, call sign, notes) are interpreted as HTML/JS when the app prints or renders that content. In the proof of concept (POC), injected scripts return loca...

CVSS 6.7 | EPSS 0.00172
Exploits: 0 | References: 3

ATTACKERKB
added 2026/02/10 8:38 p.m. | 7 views

CVE-2025-12699

The ZOLL ePCR IOS application reflects unsanitized user input into a WebView. Attacker-controlled strings placed into PCR fields (run number, incident, call sign, notes) are interpreted as HTML/JS when the app prints or renders that content. In the proof of concept (POC), injected scripts return loca...

CVSS 6.7 | AI score 5.7 | EPSS 0.00172
Exploits: 0 | References: 4 | Affected Software: 1

NVD
added 2026/02/10 2:16 p.m. | 5 views

CVE-2025-6967

Execution After Redirect (EAR) vulnerability in Sarman Soft Software and Technology Services Industry and Trade Ltd. Co. CMS allows JSON Hijacking (aka JavaScript Hijacking), Authentication Bypass. This issue affects CMS: through 10022026. NOTE: The vendor was contacted early about this disclosure bu...

CVSS 8.7 | EPSS 0.00449
Exploits: 0 | References: 2

RedhatCVE
added 2026/02/10 1:23 p.m. | 5 views

CVE-2026-25905

The Python code being run by 'runPython' or 'runPythonAsync' is not isolated from the rest of the JS code, allowing any Python code to use the Pyodide APIs to modify the JS environment. This may result in an attacker hijacking the MCP server - for malicious purposes including MCP tool shadowing...

CVSS 5.8 | AI score 5.6 | EPSS 0.00177
Exploits: 0 | References: 1

Cvelist
added 2026/02/10 9:58 a.m. | 23 views

CVE-2025-40587

A vulnerability has been identified in Polarion V2404 All versions V2404.5, Polarion V2410 All versions V2410.2. The affected application allows arbitrary JavaScript code be included in document titles. This could allow an authenticated remote attacker to conduct a stored cross-site scripting...

CVSS 7.6 | EPSS 0.00264
Exploits: 0 | References: 1

NVD
added 2026/02/10 7:16 a.m. | 8 views

CVE-2026-2098

AgentFlow developed by Flowring has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript codes in user's browser through phishing attacks...

CVSS 6.1 | EPSS 0.00201
Exploits: 0 | References: 2

NVD
added 2026/02/10 7:16 a.m. | 6 views

CVE-2026-2099

AgentFlow developed by Flowring has a Stored Cross-Site Scripting vulnerability, allowing authenticated remote attackers to inject persistent JavaScript codes that are executed in users' browsers upon page load...

CVSS 5.4 | EPSS 0.00165
Exploits: 0 | References: 2