CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

NVD•added 3 hours ago•2 views

CVE-2026-8653

The MasterStudy LMS Pro Plus plugin for WordPress is vulnerable to generic SQL Injection via the 'columns' parameter in all versions up to, and including, 4.8.20 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

6.5CVSS

Cvelist•added 4 hours ago•4 views

CVE-2026-8653 MasterStudy LMS Pro Plus <= 4.8.20 - Authenticated (Instructor+) SQL Injection via 'columns' Parameter

6.5CVSS

CVE•added 4 hours ago•4 views

CVE-2026-8653

The MasterStudy LMS Pro Plus plugin for WordPress is vulnerable to a generic SQL Injection via the 'columns' parameter in all versions up to and including 4.8.20, caused by insufficient escaping of the user-supplied value and inadequate query preparation. Authenticated attackers with instructor-l...

EUVD•added 4 hours ago•3 views

EUVD-2026-34191

ATTACKERKB•added 4 hours ago•2 views

CVE-2026-8653

Positive Technologies•added 5 hours ago•2 views

PT-2026-46130

OMICARD EDM developed by ITPison has a Insecure Direct Object Reference vulnerability, allowing unauthenticated remote attackers to modify a specific parameter to obtain user's email address...

6.9CVSS5.8AI score

Positive Technologies•added 5 hours ago•2 views

PT-2026-46129

RedhatCVE•added yesterday•4 views

CVE-2026-10209

A vulnerability has been found in code-projects Online Hospital Management System 1.0. Affected is an unknown function of the file appointmentdetail.php of the component Appointment Handler. The manipulation of the argument editid leads to sql injection. The attack is possible to be carried out...

6.5CVSS6.4AI score0.00033EPSS

RedhatCVE•added yesterday•2 views

CVE-2026-35716

A stack-based buffer overflow in the motionprivacy.cgi binary in VIVOTEK FD8136 firmware FD8136-VVTK-0300a allows authenticated remote attackers to execute arbitrary code as root via an oversized n1 parameter in a POST request to the /cgi-bin/admin/setpm.cgi, /cgi-bin/admin/setmd.cgi, or...

6.3CVSS6.5AI score0.00053EPSS

RedhatCVE•added yesterday•2 views

CVE-2026-10258

A weakness has been identified in itsourcecode Content Management System 1.0. Impacted is an unknown function of the file /admin/addsubtopic.php. This manipulation of the argument topicid causes sql injection. The attack is possible to be carried out remotely. The exploit has been made available ...

6.5CVSS5.7AI score0.00033EPSS

RedhatCVE•added yesterday•3 views

CVE-2026-10227

A vulnerability has been found in raisulislamg4 studentmanagementsystembyphp up to 310d950e09013d5133c6b9210aff9444382d16d1. The affected element is an unknown function of the file addusercheck.php of the component User Creation Handler. The manipulation of the argument role leads to sql injectio...

7.5CVSS5.4AI score0.00033EPSS

Nuclei•added yesterday•5 views

MapTiler Tileserver-php v2.0 - Unauthenticated XSS

MapTiler Tileserver-php v2.0 contains a reflected XSS caused by unencoded reflection of the GET parameter "layer" in an error message, letting unauthenticated attackers execute arbitrary script on victim browsers. id: CVE-2025-44136 info: name: MapTiler Tileserver-php v2.0 - Unauthenticated XSS...

9.8CVSS6AI score0.13017EPSS

Exploits2References2

Nuclei•added yesterday•7 views

YesWiki < 4.5.4 - Cross-Site Scripting

YesWiki 4.5.4 contains a reflected cross-site scripting caused by unsanitized idformulaire parameter in /?BazaR endpoint, letting attackers steal cookies and hijack sessions, exploit requires user to click malicious link. id: CVE-2025-46550 info: name: YesWiki 4.5.4 - Cross-Site Scripting author:...

6.1CVSS5.6AI score0.00352EPSS

Exploits1References2

Nuclei•added yesterday•23 views

CandidATS 3.0.0 - Cross-Site Scripting.

CandidATS 3.0.0 contains a cross-site scripting vulnerability via the sortBy parameter of the ajax.php resource. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication...

6.1CVSS6.4AI score0.02714EPSS

Exploits1References4

Nuclei•added yesterday•28 views

Apache NiFi - Information Disclosure

Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers, when creating new Process Groups. Creating a new Process Group can include binding to a Parameter Context, but in cases wher...

5.4CVSS5.8AI score0.37606EPSS

Exploits0

Nuclei•added yesterday•8 views

Caldera Forms < 1.9.7 - Reflected Cross-Site Scripting

Caldera Forms WordPress plugin 1.9.7 contains a reflected cross-site scripting caused by lack of validation and escaping of the cf-api parameter in responses, letting attackers execute arbitrary scripts in victim's browser, exploit requires attacker to craft a malicious request. id: CVE-2022-0879...

6.1CVSS6.5AI score0.00453EPSS

Exploits2References3

Nuclei•added yesterday•11 views

MaNGOSWebV4 < 4.0.8 - Cross-Site Scripting

paintballrefjosh/MaNGOSWebV4 4.0.8 contains a reflected XSS caused by unsanitized input in install/index.php step parameter, letting attackers execute arbitrary scripts in the victim's browser, exploit requires victim to visit a maliciously crafted URL id: CVE-2017-6478 info: name: MaNGOSWebV4...

6.1CVSS6.6AI score0.03588EPSS

Exploits6References4

Nuclei•added yesterday•31 views

Leantime < 2.4 - Authenticated SQL Injection

Leantime is an open source project management system. A 'userId' variable in app/domain/files/repositories/class.files.php is not parameterized. An authenticated attacker can send a carefully crafted POST request to /api/jsonrpc to exploit an SQL injection vulnerability. Confidentiality is impact...

6.5CVSS6.6AI score0.34414EPSS