CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Github Security Blog•added 2026/05/07 7:37 p.m.•5 views

FacturaScripts vulnerable to stored XSS via product reference in sales/purchases

Summary A stored Cross-Site Scripting XSS vulnerability exists in the product search modal of sales and purchases documents. An authenticated user with access to the warehouse module can create a product with a malicious reference that executes arbitrary JavaScript in the browser of any other use...

5.4CVSS6.1AI score0.00029EPSS

Exploits0References2Affected Software1

Cvelist•added 2026/04/22 7:45 a.m.•23 views

CVE-2026-4279 Bread & Butter: Content Gating for Verified Leads <= 8.2.0.25 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Bread & Butter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'breadbutter-customevent-button' shortcode in all versions up to, and including, 8.2.0.25. This is due to insufficient input sanitization and output escaping on the 'event' shortcode attribute. The...

6.4CVSS0.00014EPSS

Exploits0References5

Snyk•added 2026/04/14 3:30 p.m.•3 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in select-organization.ftl - shown on the organization selection login page - since the organization.alias value is inserted into an inline JavaScript onclick handler. A user with manage-realm or...

6.9CVSS5.9AI score0.00049EPSS

EUVD•added 2026/04/14 3:30 p.m.•2 views

EUVD-2026-22294

A flaw was found in Keycloak, specifically in the organization selection login page. A remote attacker with manage-realm or manage-organizations administrative privileges can exploit a Stored Cross-Site Scripting XSS vulnerability. This flaw occurs because the organization.alias is placed into an...

6.9CVSS6AI score0.00049EPSS

ATTACKERKB•added 2026/04/14 2:54 p.m.•5 views

CVE-2026-37980

6.9CVSS6AI score0.00049EPSS

CNNVD•added 2026/04/14 12:0 a.m.•3 views

Red Hat build of Keycloak 跨站脚本漏洞

The Red Hat build of Keycloak is a web application for single-sign-on developed by the American company Red Hat. The Red Hat build of Keycloak has a cross-site scripting vulnerability. This vulnerability arises from the organization’s choice of the login page, where organization.alias is placed i...

6.9CVSS5.8AI score0.00049EPSS

ATTACKERKB•added 2026/04/04 7:41 a.m.•1 views

CVE-2025-13368

The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Pricing Widget's 'onClick Event' setting in all versions up to, and including, 1.4.20 due to insufficient input sanitization and output escaping. This makes it possible for...

CVE•added 2026/04/04 7:41 a.m.•8 views

CVE-2025-13368

The CVE-2025-13368 entry concerns the WordPress plugin Xpro Addons — 140+ Widgets for Elementor . It is vulnerable to Stored Cross-Site Scripting via the Pricing Widget’s onClick Event setting in all versions up to and including 1.4.20, caused by insufficient input sanitization and output escapin...

Vulnrichment•added 2026/04/04 7:41 a.m.•2 views

CVE-2025-13368 Xpro Addons — 140+ Widgets for Elementor <= 1.4.20 - Authenticated (Contributor+) Stored Cross-Site Scripting

Positive Technologies•added 2026/04/04 12:0 a.m.•2 views

PT-2026-30306

Snyk•added 2026/04/03 3:45 a.m.•5 views

Prototype Pollution

Overview dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Prototype Pollution in the USEPROFILES function. An attacker can execute arbitrary JavaScript code in the context of the user’s browser by polluting Array.prototype with...

6.1CVSS6.5AI score

OSV•added 2026/04/03 3:45 a.m.•1 views

GHSA-CJ63-JHHR-WCXV DOMPurify USE_PROFILES prototype pollution allows event handlers

Summary When USEPROFILES is enabled, DOMPurify rebuilds ALLOWEDATTR as a plain array before populating it with the requested allowlists. Because the sanitizer still looks up attributes via ALLOWEDATTRlcName, any Array.prototype property that is polluted also counts as an allowlisted attribute. An...

5.3CVSS5.9AI score

EUVD•added 2026/03/11 9:31 a.m.•3 views

EUVD-2026-11125

The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0.1 via form field submissions. This is due to insufficient input sanitization in the lfbleadsanitize function which omits certain...

7.2CVSS5.9AI score0.0013EPSS

Exploits0References5

RedhatCVE•added 2026/02/08 1:3 p.m.•3 views

CVE-2026-1608

The Video Onclick plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's youtube shortcode in all versions up to, and including, 0.4.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

6.4CVSS5.6AI score0.00014EPSS

Exploits0References1

NVD•added 2026/02/07 9:16 a.m.•3 views

CVE-2026-1608

6.4CVSS0.00014EPSS

Cvelist•added 2026/02/07 8:26 a.m.•24 views

CVE-2026-1608 Video Onclick <= 0.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4CVSS0.00014EPSS

CVE•added 2026/02/07 8:26 a.m.•15 views

CVE-2026-1608

The CVE concerns the Video Onclick WordPress plugin with the youtube shortcode. All versions up to and including 0.4.7 are affected due to insufficient input sanitization and output escaping of user-supplied attributes, enabling Stored Cross‑Site Scripting. Exploitation requires authenticated acc...

6.4CVSS5.6AI score0.00014EPSS