CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Nuclei•added 18 hours ago•24 views

CandidATS 3.0.0 - Cross-Site Scripting

CandidATS 3.0.0 contains a cross-site scripting vulnerability via the page parameter of the ajax.php resource. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication...

6.1CVSS6.4AI score0.01071EPSS

Exploits1References5

Nuclei•added 18 hours ago•25 views

WordPress Plugin Category Grid View Gallery 2.3.1 - Cross-Site Scripting

A cross-site scripting vulnerability in includes/CatGridPost.php in the Category Grid View Gallery plugin 2.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the ID parameter. id: CVE-2013-4117 info: name: WordPress Plugin Category Grid View Gallery 2.3.1 -...

4.3CVSS5.9AI score0.12974EPSS

Exploits0References5

Nuclei•added 18 hours ago•9 views

AffiliateImporterEb <= 1.0.6 - Reflected XSS

AffiliateImporterEb WordPress plugin through 1.0.6 contains a reflected XSS caused by unsanitized and unescaped parameter output, letting attackers execute scripts against high privilege users such as admin, exploit requires crafted request. id: CVE-2024-12732 info: name: AffiliateImporterEb =...

6.1CVSS5.8AI score0.00521EPSS

Exploits1References1

NVD•added yesterday•9 views

CVE-2026-4983

Open VSX Registry does not sanitize SVG files uploaded as extension icons prior to storage, and serves them with Content-Type: image/svg+xml without security headers such as Content-Security-Policy or Content-Disposition: attachment. This allows an attacker to publish an extension with a maliciou...

5.4CVSS

Exploits1References1

NVD•added 2 days ago•4 views

CVE-2026-48167

Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the ImageColumn and ImageEntry components render raw database values without escaping HTML. Where the data passed to these components isn't validated, an attacker could plant...

6.4CVSS0.00148EPSS

NVD•added 2 days ago•6 views

CVE-2026-52725

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/core package allows bypassing script-execution restrictions during dynamic component...

5.3CVSS0.00404EPSS

NVD•added 4 days ago•10 views

CVE-2026-56347

AVideo TopMenu plugin through version 26.0 contains a stored cross-site scripting vulnerability in menu item rendering due to missing output encoding of icon classes, URLs, and text labels. Attackers can inject malicious JavaScript through unescaped menu item fields that execute for all site...

6.1CVSS0.00167EPSS

AstraLinux•added 5 days ago•6 views

Astra Linux – Vulnerability in Firefox

Because Firefox did not implement the unsafe-hashes CSP directive, an attacker who was able to inject markup into a page otherwise protected by a Content Security Policy might have been able to inject executable scripts. This would be severely restricted by the specified Content Security Policy o...

8.8CVSS7.8AI score0.00697EPSS

NVD•added 6 days ago•10 views

CVE-2026-22674

Hashgraph Guardian through 3.6.0, fixed in commit ba8c566, contains a stored cross-site scripting vulnerability that allows authenticated users with the STANDARDREGISTRY role to inject malicious scripts by submitting a crafted companyName value via the branding configuration API endpoint. Attacke...

4.8CVSS0.00177EPSS

ATTACKERKB•added 6 days ago•7 views

CVE-2026-22674

4.8CVSS6AI score0.00177EPSS

Exploits0References4

EUVD•added 6 days ago•8 views

EUVD-2026-37882

UBB.threads is vulnerable to Stored XSS via user posts and user profile fields. The application fails to properly sanitize user input, allowing low privileged attackers to inject arbitrary JavaScript that executes in a victim's browser upon viewing. Because vendor contact attempts were...

5.1CVSS5.3AI score0.00293EPSS

SUSE CVE•added 6 days ago•6 views

SUSE CVE-2026-12459

Inappropriate implementation in Serial in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to inject arbitrary scripts or HTML UXSS via a crafted HTML page. Chromium security severity: High...

6.1CVSS5.5AI score0.00181EPSS

CVE•added last week•17 views

CVE-2026-48768

TypeBot (versions ≤ 3.16.1) exposes an unauthenticated generate-upload-url API (/api/blocks/file-input/v3/generate-upload-url) that uses unsanitized fileName to derive public S3 keys and issues presigned PUT URLs that do not bind Content-Type. This allows anonymous users of a published bot with a...

9.3CVSS5.4AI score0.00268EPSS

EUVD•added 2026/06/17 6:35 p.m.•7 views

EUVD-2026-37544

6.1CVSS5.5AI score0.00181EPSS

NVD•added 2026/06/17 3:16 p.m.•7 views

CVE-2026-35065

Dell PowerFlex Manager, versions Versions, contains a Missing Authentication for Critical Function vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Code execution, Denial of service, Information disclosure, Informatio...

8.8CVSS0.00334EPSS

Cvelist•added 2026/06/17 3:10 p.m.•16 views

CVE-2026-35069

Dell PowerFlex Manager, versions Versions, contains an Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to Script injection...

5.7CVSS0.00229EPSS