Lucene search
K

1487 matches found

CNNVD
CNNVD
added 2026/05/27 12:0 a.m.12 views

WordPress plugin Felan Framework 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application plugin. The WordPre...

7.1CVSS5.7AI score0.0018EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/27 12:0 a.m.13 views

WordPress plugin Gutenverse 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

6.1CVSS5.7AI score0.00204EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/26 11:47 p.m.8 views

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

Overview Affected versions of this package are vulnerable to Use of Externally-Controlled Input to Select Classes or Code 'Unsafe Reflection' via the REST API search and collection query endpoints. An attacker can execute arbitrary methods on model objects by supplying crafted queries, potentiall...

8.8CVSS6AI score0.0007EPSS
Exploits0References2
GithubExploit
GithubExploit
added 2026/05/26 11:45 a.m.78 views

XSSaudit

XSSAudit v2.0 — Advanced XSS Vulnerability Scanner For au...

6AI score
Exploits0
OSV
OSV
added 2026/05/23 12:8 a.m.9 views

GHSA-W4G9-MXGG-J532 Nezha Monitoring: RoleMember-reachable SSRF with full response-body reflection via POST /api/v1/notification

Summary nezha's dashboard supports two user roles: RoleAdmin Role==0 and RoleMember Role==1. The notification routes POST /api/v1/notification and PATCH /api/v1/notification/:id are wired through commonHandler rather than adminHandler — so a RoleMember user can call them. These handlers...

8.5CVSS5.8AI score0.0027EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/05/21 12:0 a.m.8 views

tickets 跨站脚本漏洞

Tickets is an open-source public safety scheduling and tracking application developed by Open ISES. Versions of tickets prior to 3.44.2 contained a cross-site scripting vulnerability. This vulnerability stemmed from the use of the frmaddstr POST parameter in the ics214.php file, allowing uncleane...

5.4CVSS5.8AI score0.00259EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/20 1:25 a.m.37 views

CVE-2026-8626 SponsorMe <= 0.5.2 - Reflected Cross-Site Scripting via PHP_SELF Parameter

The SponsorMe plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHPSELF Parameter in all versions up to, and including, 0.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in...

6.1CVSS0.00266EPSS
Exploits0References3
EUVD
EUVD
added 2026/05/20 1:25 a.m.11 views

EUVD-2026-31024

The SponsorMe plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHPSELF Parameter in all versions up to, and including, 0.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in...

6.1CVSS6AI score0.00266EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/05/20 12:0 a.m.15 views

PT-2026-42083

Name of the Vulnerable Software and Affected Versions SponsorMe versions prior to 0.5.3 Description Insufficient input sanitization and output escaping allow unauthenticated attackers to inject arbitrary web scripts into pages. This occurs when a user is tricked into clicking a crafted link. The...

6.1CVSS5.9AI score0.00266EPSS
Exploits0References6
CNNVD
CNNVD
added 2026/05/20 12:0 a.m.11 views

Beyaz CityPLus 跨站脚本漏洞

Beyaz CityPLus is a comprehensive management information system developed by the Turkish company Beyaz. Versions of Beyaz CityPLus prior to V24.29750.1.0 contained a cross-site scripting vulnerability. This vulnerability stemmed from improper input during the web page generation process, and coul...

7.6CVSS5.7AI score0.00225EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/20 12:0 a.m.10 views

tickets 跨站脚本漏洞

Tickets is an open-source public safety scheduling and tracking application developed by Open ISES. Versions of Tickets prior to 3.44.2 contained a cross-site scripting vulnerability. This vulnerability stemmed from a reflection-based cross-site scripting flaw in the addfacnote.php file. It could...

5.1CVSS5.8AI score0.00221EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/20 12:0 a.m.9 views

tickets 跨站脚本漏洞

Tickets is an open-source public safety scheduling and tracking application developed by Open ISES. Versions of Tickets prior to 3.44.2 contained a cross-site scripting vulnerability. This vulnerability stemmed from a reflection-based cross-site scripting flaw in the opena.php file. It could allo...

5.1CVSS5.8AI score0.00221EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/20 12:0 a.m.9 views

tickets 跨站脚本漏洞

Tickets is an open-source public safety scheduling and tracking application developed by Open ISES. Versions of tickets prior to 3.44.2 contained a cross-site scripting vulnerability. This vulnerability stemmed from a reflection-based cross-site scripting flaw in the dounitmail.php file. It could...

5.1CVSS5.8AI score0.00221EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/20 12:0 a.m.11 views

tickets 跨站脚本漏洞

Tickets is an open-source public safety scheduling and tracking application developed by Open ISES. Versions of Tickets prior to 3.44.2 contained a cross-site scripting vulnerability. This vulnerability stemmed from a reflection-based cross-site scripting vulnerability in the search.php file. It...

5.1CVSS5.8AI score0.00221EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/20 12:0 a.m.9 views

tickets 跨站脚本漏洞

Tickets is an open-source public safety scheduling and tracking application developed by Open ISES. Versions of tickets prior to 3.44.2 contained a cross-site scripting vulnerability. This vulnerability stemmed from a reflection-based cross-site scripting vulnerability in the single.php file. It...

5.1CVSS5.8AI score0.00221EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/20 12:0 a.m.12 views

WordPress plugin VatanSMS WP SMS 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

6.1CVSS5.6AI score0.00275EPSS
Exploits0References1
OSV
OSV
added 2026/05/18 4:41 p.m.10 views

GHSA-3V9W-6365-9W54 Dozzle: Pre-auth SSRF with response-body reflection via POST /api/notifications/test-webhook (default no-auth deploy)

Summary In a default dozzle deploy the documented quickstart, no DOZZLEAUTHPROVIDER set, POST /api/notifications/test-webhook is reachable without authentication and forwards an attacker-controlled URL into a WebhookDispatcher that: - Sends an HTTP POST to the supplied URL with attacker-controlle...

8.6CVSS5.8AI score0.01491EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2026/05/18 4:41 p.m.19 views

Dozzle: Pre-auth SSRF with response-body reflection via POST /api/notifications/test-webhook (default no-auth deploy)

Summary In a default dozzle deploy the documented quickstart, no DOZZLEAUTHPROVIDER set, POST /api/notifications/test-webhook is reachable without authentication and forwards an attacker-controlled URL into a WebhookDispatcher that: - Sends an HTTP POST to the supplied URL with attacker-controlle...

8.6CVSS5.8AI score0.01491EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/05/18 2:19 p.m.5 views

GHSA-Q2PJ-8V84-9MH5 Arcane Backend: Unauthenticated reflected XSS via SVG color parameter enables admin account takeover

Summary The unauthenticated GET /api/app-images/logo endpoint reflects a user-supplied color query parameter into the body of an SVG document via strings.ReplaceAll with no escaping. The substitution lands inside a element of the embedded logo.svg, allowing an attacker to close the style block an...

8.2CVSS6AI score0.00185EPSS
Exploits0References3
GithubExploit
GithubExploit
added 2026/05/18 12:26 p.m.75 views

Exploit for Origin Validation Error in Langflow

CVE-2025-34291corssecurityscanner A lightweight Python-base...

9.4CVSS7.5AI score0.7889EPSS
Exploits3
Rows per page
Query Builder