CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

1375 matches found

Liferay Portal - Cross-Site Scripting

A reflected cross-site scripting XSS vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 7.4 GA through update 92 allows an remote non-authenticated...

6.9CVSS5AI score0.03286EPSS

Exploits0References2

Nuclei•added 10 hours ago•59 views

WCFM WooCommerce Multivendor Marketplace < 3.4.12 - SQL Injection

The wcfmajaxcontroller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, available to unauthenticated and authenticated user, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections. id: CVE-2021-24849 info: name: WCFM...

9.8CVSS8.6AI score0.0848EPSS

Exploits2References3

Vulnrichment•added 5 days ago•6 views

CVE-2026-53810 OpenClaw < 2026.5.18 - Arbitrary Code Execution via Unscanned Marketplace Runtime Extension Metadata

OpenClaw before 2026.5.18 contains a code execution vulnerability where marketplace runtime extension metadata can redirect loading toward unscanned package payloads. Attackers with trusted operator access can manipulate extension metadata to load plugin code outside reviewed package entry points...

8.8CVSS5.8AI score0.00419EPSS

Exploits0References2

Cvelist•added 5 days ago•30 views

CVE-2026-53810 OpenClaw < 2026.5.18 - Arbitrary Code Execution via Unscanned Marketplace Runtime Extension Metadata

8.8CVSS0.00419EPSS

Exploits0References2

CVE•added 5 days ago•8 views

CVE-2026-53810

OpenClaw is affected by a code execution vulnerability present before version 2026.5.18. The issue arises from marketplace runtime extension metadata that can redirect loading to unscanned package payloads. Attackers with trusted operator access can manipulate extension metadata to load plugin co...

8.8CVSS6AI score0.00419EPSS

Exploits0References2Affected Software1

EUVD•added 5 days ago•6 views

EUVD-2026-36316

8.8CVSS6AI score0.00419EPSS

Exploits0References2

OSSF Malicious Packages•added 5 days ago•8 views

Malicious code in @marketplace-shared/components (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 98933a5f467c2a623815ed46e5baf6838ba6e86e8055b48d4941da3bf59e5c41 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

5.5AI score

Exploits0References1

Snyk•added 5 days ago•2 views

Malicious Package

Overview @marketplace-shared/components is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and thi...

9.8CVSS5.4AI score

Exploits0References2

OSV•added 5 days ago•3 views

MAL-2026-5658 Malicious code in @marketplace-shared/components (npm)

5.5AI score

Exploits0References1

Positive Technologies•added 5 days ago•6 views

PT-2026-48740

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.5.18 Description An issue exists where marketplace runtime extension metadata can redirect loading toward unscanned package payloads. Attackers with trusted operator access can manipulate extension metadata to...

8.8CVSS5.5AI score0.00419EPSS

Exploits0References5

CNNVD•added 6 days ago•1 views

Palo Alto Networks Cortex XSIAM CommvaultSecurityIQ Marketplace和Palo Alto Networks Cortex XSOAR CommvaultSecurityIQ Marketplace 安全漏洞

Palo Alto Networks Cortex XSIAM CommvaultSecurityIQ Marketplace and Palo Alto Networks Cortex XSOAR CommvaultSecurityIQ Marketplace are both products of Palo Alto Networks. The Palo Alto Networks Cortex XSIAM CommvaultSecurityIQ Marketplace is a security operations integration extension package...

9.3CVSS5.4AI score0.00315EPSS

Exploits0References1

RedhatCVE•added 2026/06/05 7:13 p.m.•6 views

CVE-2026-48027

Nx Console is the user interface for Nx & Lerna. On 19 May 2026, a malicious version of Nx Console, 18.95.0, was published at 12:30 PM UTC and removed soon after at 12:48 PM UTC, leaving it available for 18 minutes in Visual Studio Marketplace. For OpenVSX, the problem was detected later, and the...

9.8CVSS5.4AI score0.00952EPSS

Exploits1References1

RedhatCVE•added 2026/06/05 7:11 p.m.•7 views

CVE-2026-8140

Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/install/download/. The download method in concrete/controllers/singlepage/dashboard/extend/install.php checks only the canInstallPackages permission before fetching a remote marketplace...

7.5CVSS5.5AI score0.00118EPSS

Exploits0References1

RedhatCVE•added 2026/06/05 7:10 p.m.•7 views

CVE-2026-8426

Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/prepareremoteupgrade/. An attacker who controls the remote package returned for a known marketplace item ID can overwrite the package PHP on disk and force its upgrade method to...

8.8CVSS6.3AI score0.00171EPSS

Exploits0References1

CVE•added 2026/06/04 1:22 p.m.•8 views

CVE-2019-25739

GigToDo 1.3 is affected by a persistent cross-site scripting vulnerability accessible through the create_proposal endpoint, enabling authenticated attackers to inject JavaScript/HTML in the proposal description. When stored proposals are viewed by admins or other users, the payload can execute, p...

5.4CVSS5.7AI score0.00171EPSS

Exploits0References4

Snyk•added 2026/05/29 10:54 p.m.•8 views

Malicious Package

Overview @cloudplatform-single-spa/marketplace-gigachat is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that...

9.8CVSS5.8AI score

Exploits0References2