115 matches found
CVE-2026-48613
SQL injection vulnerability in phpBB profile field migration due to improper handling of user-supplied profile field data during migration, allowing execution of arbitrary SQL queries. Only applies to phpBB forums that had been updated from versions prior to phpBB 3.3.8 and have not been updated ...
CVE-2025-67031
ORSEE Online Recruitment System for Economic Experiments 3.1.0 contains an authenticated Remote Code Execution vulnerability in the participant profile field processing subsystem. Certain field configurations accept values beginning with the prefix "func:" which are passed directly into an eval...
CVE-2026-6248 wpForo Forum <= 3.0.5 - Authenticated (Subscriber+) Arbitrary File Deletion via Custom Profile Field File Path
The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.5. This is due to two compounding flaws: the Members::update method does not validate or restrict the value of file-type custom profile fields, allowing authenticated users to store ...
CVE-2018-25252
FTP Voyager 16.2.0 contains a denial of service vulnerability that allows local attackers to crash the application by injecting oversized buffer data into the site profile IP field. Attackers can create a malicious site profile containing 500 bytes of repeated characters and paste it into the IP...
PT-2026-30372
FTP Voyager 16.2.0 contains a denial of service vulnerability that allows local attackers to crash the application by injecting oversized buffer data into the site profile IP field. Attackers can create a malicious site profile containing 500 bytes of repeated characters and paste it into the IP...
EUVD-2026-14494
AVideo vulnerable to Stored XSS via html_entity_decode Reversing xss_esc Sanitization in Channel About Field...
CVE-2026-0844 Simple User Registration <= 6.7 - Authenticated (Subscriber+) Privilege Escalation via profile_save_field
The Simple User Registration plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 6.7 due to insufficient restriction on the 'profile_save_field' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to...
CVE-2020-36960
Forma LMS 2.3 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts into user profile first and last name fields. Attackers can craft scripts like '' to execute arbitrary JavaScript when the profile is viewed by other users...
CVE-2025-63644
CVE-2025-63644 is a stored XSS in pH7Software pH7-Social-Dating-CMS 17.9.1, specifically in the user profile Description field. The CVE entry lists CVSS v3.1 details: AV:N, AC:L, PR:L, UI:R, S:C, C:L/I:L, A:N with a base score of 5.4 (Medium). The root cause is a vulnerability in the Description ...
CVE-2025-63644
A stored cross-site scripting (XSS) vulnerability exists in pH7Software pH7-Social-Dating-CMS 17.9.1 in the user profile Description field...
CVE-2025-13217 Ultimate Member <= 2.11.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'value'
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the YouTube Video 'value' field in all versions up to, and including, 2.11.0. This is due to insufficient input...
CVE-2025-13217
CVE-2025-13217 is an authenticated Stored XSS in Ultimate Member for WordPress, triggered via the YouTube video URL field in profile-related input. The issue arises from insufficient input sanitization and output escaping in um_profile_field_filter_hook__youtube_video(), allowing Subscrib...
EUVD-2018-18402
Malware in sbrugna...
EUVD-2018-18608
Malware in sbrugna...
EUVD-2020-17806
Malware in sbrugna...
EUVD-2018-18614
Malware in sbrugna...
EUVD-2018-7067
Malware in sbrugna...
EUVD-2021-13113
Malware in sbrugna...
EUVD-2008-0835
Malware in sbrugna...