CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

NVD•added 6 days ago•9 views

CVE-2026-44644

LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. Versions 10.25.7 and below are vulnerable to XSS through a flaw in the striphtml filter logic. The striphtml filter is intended to remove HTML tags from a string before rendering, and is widely used as an XS...

6.1CVSS0.00355EPSS

Cvelist•added 6 days ago•13 views

CVE-2026-44644 LiquidJS's strip_html filter bypass via newline characters in HTML tags enables XSS

6.1CVSS0.00355EPSS

CVE•added 6 days ago•28 views

CVE-2026-44644

CVE-2026-44644 affects liquidjs versions 10.25.7 and earlier. The strip_html filter uses a regex where the catch‑all branch () does not match line terminators, allowing a newline inside a tag (e.g., ) to bypass sanitization. If applications render attacker-controlled input via {{ x | strip_html }...

6.1CVSS5.3AI score0.00355EPSS

Github Security Blog•added last week•6 views

yt-dlp: Arbitrary code execution via manifest downloads with aria2c

Summary If aria2c is used as an external downloader for a fragmented manifest format such as an HLS/DASH stream, yt-dlp passes insufficiently sanitized input to aria2c that allows an attacker to perform an arbitrary file write. On Windows platforms, this can lead to immediate arbitrary code...

8.3CVSS6.2AI score0.00052EPSS

Exploits0References5Affected Software1

Cvelist•added 2026/06/13 2:34 a.m.•23 views

CVE-2026-54231 Abrt: unsanitized systemd journal content written to dump directory files enables content injection

A content injection vulnerability was found in the ABRT post-create event handler scripts in libreport. The event script queries the systemd journal for log entries matching the crashed process and writes the results to files in the dump directory without sanitizing embedded control characters. A...

5.5CVSS0.00122EPSS

EUVD•added 2026/06/13 2:34 a.m.•11 views

EUVD-2026-36640

5.5CVSS5.3AI score0.00122EPSS

Vulnrichment•added 2026/06/13 2:34 a.m.•6 views

CVE-2026-54231 Abrt: unsanitized systemd journal content written to dump directory files enables content injection

5.5CVSS5.3AI score0.00122EPSS

Positive Technologies•added 2026/06/13 12:0 a.m.•10 views

PT-2026-49076

Name of the Vulnerable Software and Affected Versions libreport affected versions not specified Description A content injection issue exists in the ABRT post-create event handler scripts within libreport. The event script retrieves log entries from the systemd journal for crashed processes and...

5.5CVSS5.3AI score0.00122EPSS

Exploits0References5

OSV•added 2026/06/12 12:28 p.m.•6 views

OESA-2026-2679 python-webob security update

WebOb provides wrappers around the WSGI request environment, and an object to help create WSGI responses. The objects map much of the specified behavior of HTTP, including header parsing and accessors for other standard parts of the environment. Security Fixes: Impact When WebOb normalizes the HT...

6.1CVSS5.3AI score0.00036EPSS

OSV•added 2026/06/12 8:43 a.m.•4 views

BIT-JENKINS-2026-53437

Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains tab or newline characters between //, allowing attackers to perform phishing attacks...

4.3CVSS5.4AI score0.00272EPSS

NVD•added 2026/06/11 1:16 p.m.•8 views

CVE-2026-49214

guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Versions prior to 2.10.2 did not reject ASCII control characters, whitespace, or DEL in first-party URI host components. A vulnerable flow is: First, an application accepts a user-controlled URL. Second, the URL is used to...

5.3CVSS0.0031EPSS

Exploits0References1

NVD•added 2026/06/10 7:16 p.m.•20 views

CVE-2026-50637

Metrics::Any::Adapter::Statsd versions before 0.04 for Perl does not protect against metric injections. The statsd protocol and extensions allow mutiple metrics, separated by newlines, to be sent per packet. The send method does not validate the contents of the metric names or values. If the name...

8.2CVSS0.00308EPSS

Exploits0References6

NVD•added 2026/06/10 7:16 p.m.•14 views

CVE-2026-50638

Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections. The statsd protocol and extensions such as dogstatsd allow mutiple metrics, separated by newlines, to be sent per packet. Metrics::Any::Adapter::DogStatsd which extends...

9.1CVSS0.00327EPSS

Cvelist•added 2026/06/10 6:32 p.m.•28 views

CVE-2026-50639 Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl does not protect against metric injections

Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl does not protect against metric injections. The statsd protocol and extensions such as dogstatsd allow mutiple metrics, separated by newlines, to be sent per packet. Metrics::Any::Adapter::SignalFx which extends...

0.00252EPSS

EUVD•added 2026/06/10 6:32 p.m.•8 views

EUVD-2026-36106

Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl does not protect against metric injections. The statsd protocol and extensions such as dogstatsd allow mutiple metrics,separated by newlines, to be sent per packet. Metrics::Any::Adapter::SignalFx which extends...

9.1CVSS5.4AI score0.00332EPSS

Vulnrichment•added 2026/06/10 6:32 p.m.•11 views

CVE-2026-50639 Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl does not protect against metric injections

5.8AI score0.00252EPSS