CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

ATTACKERKB•added 2026/05/23 6:30 p.m.•6 views

CVE-2018-25349

6.1CVSS5.7AI score0.0003EPSS

Exploits0References2Affected Software1

Vulnrichment•added 2026/05/23 6:30 p.m.•5 views

CVE-2018-25349 userSpice 4.3.24 Cross-Site Scripting via X-Forwarded-For Header

6.1CVSS5.7AI score0.0003EPSS

CNNVD•added 2026/05/23 12:0 a.m.•6 views

UserSpice 跨站脚本漏洞

UserSpice is an open-source PHP framework for user management and identity authentication developed by UserSpice. Version 4.3.24 of userSpice contains a cross-site scripting vulnerability. This vulnerability stems from the injection of malicious scripts through the X-Forwarded-For HTTP header,...

6.1CVSS5.8AI score0.0003EPSS

Cvelist•added 2026/05/11 2:43 p.m.•28 views

CVE-2026-34088 RecentChanges entries expose suppressed content via generated log page html

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This issue affects MediaWiki: from before 1.43.7, 1.44.4, 1.45.2...

5.3CVSS0.00049EPSS

Exploits0References1

CVE•added 2026/05/11 2:43 p.m.•4 views

CVE-2026-34088

CVE-2026-34088 (MediaWiki) is a disclosed exposure vulnerability affecting MediaWiki versions before 1.43.7, 1.44.4, and 1.45.2. The connected sources confirm a broad vulnerability family in MediaWiki leading to information disclosure to unauthorized actors. Debian’s advisory DSA-6208-1 notes mul...

7.5CVSS5.8AI score0.00049EPSS

Exploits0References1Affected Software1

AstraLinux•added 2026/05/03 11:59 p.m.•2 views

Astra Linux - уязвимость в linux-5.15, linux-6.1

In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Update log-pagemask,bits if log-pagesize changes. If an NTFS file system is mounted to another system with a different PAGESIZE than the original system, log-pagesize will change in logreplay, but log-pagemask,bits will...

5.5CVSS6.2AI score0.00013EPSS

RedhatCVE•added 2026/03/31 10:58 p.m.•1 views

CVE-2026-5148

A weakness has been identified in YunaiV yudao-cloud up to 2026.01. This vulnerability affects unknown code of the file /admin-api/system/mail-log/page. This manipulation of the argument toMail causes sql injection. The attack can be initiated remotely. The exploit has been made available to the...

Cvelist•added 2026/03/30 7:45 p.m.•18 views

Exploits0References1

CVE-2026-5148 YunaiV yudao-cloud page sql injection

5.8CVSS0.00013EPSS

Vulnrichment•added 2026/03/30 7:45 p.m.•1 views

CVE-2026-5148 YunaiV yudao-cloud page sql injection

ATTACKERKB•added 2026/03/30 7:45 p.m.•0 views

CVE-2026-5148

Exploits0References5Affected Software1

Positive Technologies•added 2026/03/30 12:0 a.m.•4 views

PT-2026-29111

CNNVD•added 2026/03/30 12:0 a.m.•3 views

Exploits0References7

yudao-cloud SQL注入漏洞

Yudao-Cloud is a backend management system developed by YunaiV as an individual developer. Versions of Yudao-Cloud prior to 2026.01 contained a SQL injection vulnerability. This vulnerability stemmed from incorrect handling of parameters in files such as admin-api/system/mail-log/page, where the...

5.8CVSS5.9AI score0.00013EPSS

ATTACKERKB•added 2026/03/26 3:37 a.m.•1 views

CVE-2026-4329

The Blackhole for Bad Bots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User-Agent HTTP header in all versions up to and including 3.8. This is due to insufficient input sanitization and output escaping. The plugin uses sanitizetextfield when capturing bot data which...

7.2CVSS6AI score0.00237EPSS

Exploits0References13

NVD•added 2026/03/21 4:16 a.m.•1 views

CVE-2025-13910

The WP-WebAuthn plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting via the wwaauth AJAX endpoint in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping on user supplied attributes logged by the plugin. This makes it...

6.1CVSS0.00118EPSS

Exploits0References4

Positive Technologies•added 2026/03/20 12:0 a.m.•1 views

PT-2026-26718

The Injection Guard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via malicious query parameter names in all versions up to and including 1.2.9. This is due to insufficient input sanitization in the sanitize ig data function which only sanitizes array values but not array keys...

7.2CVSS6AI score0.00213EPSS

Exploits0References19

Cvelist•added 2026/02/20 4:48 p.m.•18 views

CVE-2026-27503 SVXportal <= 2.5 admin/log.php Search Reflected XSS

SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in admin/log.php via the search query parameter. When an authenticated administrator views a crafted URL, the application embeds the unsanitized parameter value directly into an HTML input value attribute,...

6.1CVSS0.00039EPSS

NVD•added 2026/02/19 7:17 a.m.•2 views

CVE-2026-2502

The xmlrpc attacks blocker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0, via the 'X-Forwarded-For' HTTP header. This is due to the plugin trusting and logging attacker-controlled IP header data and rendering debug log entries without outp...

6.1CVSS0.00126EPSS