CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Cvelist•added 6 days ago•26 views

CVE-2026-11358 Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More <= 3.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'menu-item-icon' Parameter

4.4CVSS0.00203EPSS

CVE•added 6 days ago•22 views

CVE-2026-11358

The CVE concerns the Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress (versions up to 3.0.6). The vulnerability is a Stored Cross-Site Scripting flaw arising from insufficient input sanitization and output escaping in admin settings. It a...

4.4CVSS5.5AI score0.00203EPSS

EUVD•added 6 days ago•10 views

EUVD-2026-37850

4.4CVSS5.4AI score0.00203EPSS

Patchstack•added last week•14 views

WordPress Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin <= 3.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability

Authenticated Administrator+ Stored Cross-Site Scripting vulnerability discovered by Meher Sudhakar Abbireddi in WordPress Plugin Orbit Fox by ThemeIsle versions = 3.0.6...

4.4CVSS5.2AI score0.00203EPSS

Exploits0References1Affected Software1

Github Security Blog•added 2026/06/12 9:0 p.m.•10 views

Fleet has observer-level enrollment secret extraction via ORDER BY oracle on labels host-listing endpoint

Summary A vulnerability in Fleet's labels host-listing endpoint allowed authenticated users with the lowest-privilege Observer role to extract host enrollment secrets nodekey, orbitnodekey through a cursor-based binary search oracle. The endpoint accepted a user-supplied orderkey parameter that w...

5.4AI score0.00032EPSS

Exploits0References2Affected Software1

Positive Technologies•added 2026/06/12 12:0 a.m.•12 views

PT-2026-49056

Summary A vulnerability in Fleet's labels host-listing endpoint allowed authenticated users with the lowest-privilege Observer role to extract host enrollment secrets node key, orbit node key through a cursor-based binary search oracle. The endpoint accepted a user-supplied order key parameter th...

6.5CVSS5.4AI score0.00032EPSS

Exploits0References3

Packet Storm News•added 2026/06/03 12:0 a.m.•6 views

CLIF: Cross-Layer LEO-ISL Fingerprinting for Physical and Network Attack Detection in Dense LEO Constellations

Low-Earth Orbit LEO mega-constellations such as Starlink by SpaceX and Kuiper by Amazon rely on optical Inter-Satellite Links ISLs for autonomous mesh routing to provide low-latency telecommunication, Internet of Things IoT, and security services globally. As commercial operators and governments...

5.8AI score

Exploits0

RedhatCVE•added 2026/04/09 7:23 p.m.•3 views

CVE-2026-27806

Fleet is open source device management software. Prior to 4.81.1, the Orbit agent's FileVault disk encryption key rotation flow on collects a local user's password via a GUI dialog and interpolates it directly into a Tcl/expect script executed via exec.Command"expect", "-c", script. Because the...

NVD•added 2026/04/08 7:25 p.m.•2 views

CVE-2026-27806

7.8CVSS0.00111EPSS

EUVD•added 2026/04/08 6:3 p.m.•2 views

EUVD-2026-20540

Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit...

7.8CVSS5.9AI score0.00111EPSS

OSV•added 2026/04/08 6:3 p.m.•4 views

GHSA-RPHV-H674-5HP2 Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit

Summary The Orbit agent's FileVault disk encryption key rotation flow on collects a local user's password via a GUI dialog and interpolates it directly into a Tcl/expect script executed via exec.Command"expect", "-c", script. Because the password is inserted into Tcl brace-quoted send %s, a...

Github Security Blog•added 2026/04/08 6:3 p.m.•4 views

Exploits0References2

Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit

7.8CVSS6.1AI score0.00111EPSS

Exploits0References2Affected Software1

CVE•added 2026/04/08 5:40 p.m.•19 views

CVE-2026-27806

Fleet Orbit is affected prior to version 4.81.1 where the Orbit agent’s FileVault rotation flow collects a local user’s password through a GUI dialog and interpolates it into a Tcl/expect script executed via exec.Command("expect", "-c", script). The password is inserted into a Tcl brace-quoted se...

Exploits0References1Affected Software1

Cvelist•added 2026/04/08 5:40 p.m.•17 views

CVE-2026-27806 Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit

7.8CVSS0.00111EPSS

Vulnrichment•added 2026/04/08 5:40 p.m.•1 views

CVE-2026-27806 Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit

Positive Technologies•added 2026/04/08 12:0 a.m.•3 views

PT-2026-31406

Patchstack•added 2026/02/02 8:36 p.m.•5 views

WordPress Orbit Fox by ThemeIsle plugin <= 2.10.30 - Authenticated (Contributor+) Stored Cross-Site Scripting via form widget addr2_width attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via form widget addr2width attribute vulnerability discovered by wesley wcraft in WordPress Plugin Orbit Fox by ThemeIsle versions = 2.10.30...

6.4CVSS7.1AI score0.00532EPSS

Exploits0References1Affected Software1

RedhatCVE•added 2026/01/07 9:15 a.m.•13 views

CVE-2024-2126

The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Registration Form widget in all versions up to, and including, 2.10.32 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS5.8AI score0.00423EPSS