CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

EUVD•added 2026/05/27 9:27 a.m.•10 views

EUVD-2026-32175

6.1CVSS6AI score0.00256EPSS

Vulnrichment•added 2026/05/27 9:27 a.m.•7 views

CVE-2026-2288 myLinksDump <= 1.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'link_title' Parameter

The myLinksDump plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'linktitle' parameter in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access...

4.8CVSS6AI score0.0023EPSS

Exploits0References5

Vulnrichment•added 2026/05/27 9:27 a.m.•10 views

CVE-2026-3349 MinhNhut Link Gateway <= 3.6.1 - Reflected Cross-Site Scripting via 'url' Parameter

6.1CVSS6AI score0.00256EPSS

NVD•added 2026/05/27 8:16 a.m.•15 views

CVE-2026-40824

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the accountstatus view userid parameter due to improper neutralization of special elements in a SQL UPDATE command allowing for reading the whole database and changing values in a non critical table...

7CVSS0.00239EPSS

NVD•added 2026/05/27 8:16 a.m.•12 views

CVE-2026-40812

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getLiveValues functions sn parameter due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality...

8.7CVSS0.0032EPSS

NVD•added 2026/05/27 8:16 a.m.•13 views

CVE-2026-40813

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getLiveValues functions tagid parameter due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality...

8.7CVSS0.0032EPSS

Cvelist•added 2026/05/27 7:54 a.m.•28 views

CVE-2026-40830 Authenticated SQLi in UpdateParam function

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the admin.mbnetj.php files UpdateParam function due to improper neutralization of special elements in a SQL UPDATE command allowing for reading the whole database and changing values in a non critical...

7CVSS0.00295EPSS

ATTACKERKB•added 2026/05/27 7:53 a.m.•11 views

CVE-2026-40829

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the view.html.php files UpdateParam function due to improper neutralization of special elements in a SQL UPDATE command allowing for reading the whole database and changing values in a non critical...

7CVSS6AI score0.00295EPSS

Exploits0References2Affected Software4

Vulnrichment•added 2026/05/27 7:52 a.m.•7 views

CVE-2026-40825 Authenticated SQLi in accountstatus view

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the accountstatus view devices parameter due to improper neutralization of special elements in a SQL UPDATE command allowing for reading the whole database and changing values in a non critical table...

CVE•added 2026/05/27 7:52 a.m.•16 views

CVE-2026-40825

CVE-2026-40825 describes an unauthenticated SQL Injection in the accountstatus view devices parameter. The vulnerability arises from improper neutralization of special elements in a SQL UPDATE command, enabling reading the entire database and altering values in a non-critical table. Reported impa...

Cvelist•added 2026/05/27 7:50 a.m.•33 views

CVE-2026-40824 Authenticated SQLi in accountstatus view

7CVSS0.00239EPSS

ATTACKERKB•added 2026/05/27 7:50 a.m.•8 views

CVE-2026-40824

Exploits0References2Affected Software4

EUVD•added 2026/05/27 7:50 a.m.•14 views

EUVD-2026-32128

Vulnrichment•added 2026/05/27 7:45 a.m.•14 views

CVE-2026-8906 WP Promoter <= 1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'popup_width' Parameter

The WP Promoter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts...

6.1CVSS5.7AI score0.00119EPSS

Exploits0References5

CVE•added 2026/05/27 7:45 a.m.•20 views

CVE-2026-8906

The CVE-2026-8906 entry affects the WordPress WP Promoter plugin (versions up to 1.3). The root cause is missing or incorrect nonce validation enabling Cross-Site Request Forgery, allowing unauthenticated attackers to update settings and inject malicious scripts via forged requests (notably relat...

6.1CVSS5.7AI score0.00119EPSS

Exploits0References5

Cvelist•added 2026/05/27 7:45 a.m.•28 views

CVE-2026-3001 Gutenverse <= 3.4.6 - Reflected Cross-Site Scripting via 's' Parameter

The Gutenverse plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in all versions up to, and including, 3.4.6 due to insufficient input sanitization and output escaping. Specifically, the rendercontent method in class-search-result-title.php outputs the val...

6.1CVSS0.00204EPSS

EUVD•added 2026/05/27 7:45 a.m.•7 views

EUVD-2026-32114

6.1CVSS6AI score0.00204EPSS

ATTACKERKB•added 2026/05/27 7:45 a.m.•8 views

CVE-2026-3001

6.1CVSS6AI score0.00204EPSS

Exploits0References4

CVE•added 2026/05/27 7:45 a.m.•16 views

CVE-2026-3001

The CWE: CVE-2026-3001 affects the Gutenverse WordPress plugin, up to version 3.4.6. The vulnerability is a Reflected Cross-Site Scripting (XSS) in the search title block: render_content() echoes get_query_var('s') directly into HTML without escaping, enabling an attacker to craft a URL that inje...

6.1CVSS6AI score0.00204EPSS