CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

20037 matches found

NVD•added 2026/05/29 7:16 a.m.•16 views

CVE-2026-6275

The StatCounter – Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.1.1 This is due to insufficient output escaping on the post author's nickname in the statcounteraddToTags function. The function is hooked to wphead...

6.4CVSS0.00205EPSS

Exploits0References6

Cvelist•added 2026/05/29 6:43 a.m.•31 views

CVE-2025-11262 Link Whisper Free <= 0.9.0 - Unauthenticated Stored Cross-Site Scripting

The Link Whisper Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the userid parameter in all versions up to, and including, 0.9.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

7.2CVSS0.00233EPSS

Exploits1References3

Positive Technologies•added 2026/05/29 12:0 a.m.•9 views

PT-2026-44751

The StatCounter – Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.1.1 This is due to insufficient output escaping on the post author's nickname in the statcounter addToTags function. The function is hooked to wp he...

6.4CVSS6AI score0.00205EPSS

Exploits0References7

Tenable Nessus•added 2026/05/29 12:0 a.m.•7 views

Azure Linux 3.0 Security Update: CBL-Mariner Releases (CVE-2026-27136)

The version of CBL-Mariner Releases installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2026-27136 advisory. - Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML...

6.1CVSS5.9AI score0.00236EPSS

Exploits0References1

OSV•added 2026/05/28 11:16 p.m.•5 views

DEBIAN-CVE-2026-9971

Inappropriate implementation in iOS in Google Chrome on iOS prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML UXSS via a crafted HTML page. Chromium security severity: High...

5.4CVSS6AI score0.00159EPSS

Exploits0References1

CVE•added 2026/05/28 10:25 p.m.•23 views

CVE-2026-9971

CVE-2026-9971 affects Google Chrome on iOS prior to version 148.0.7778.216 due to an inappropriate implementation in iOS. This allows a remote attacker to exploit UXSS by convincing a user to perform specific UI gestures on a crafted HTML page. The vulnerability impacts UX and script/HTML injecti...

5.4CVSS6AI score0.00159EPSS

Exploits0References2Affected Software1

OSV•added 2026/05/27 10:49 p.m.•4 views

GHSA-2G95-6X5Q-XJWJ Yamcs Vulnerable to Authenticated Remote Code Execution (RCE) via Jython Algorithm Code Injection

Summary A Server-Side Code Injection vulnerability exists in the Yamcs script evaluation engine for Python algorithms. The application dynamically compiles and evaluates user-controlled algorithm text using Jython via the JSR-223 ScriptEngine API without enforcing a secure sandbox. An authenticat...

9.1CVSS6.2AI score0.00473EPSS

Exploits0References2

SUSE CVE•added 2026/05/27 12:57 p.m.•10 views

SUSE CVE-2026-44903

Prometheus is an open-source monitoring system and time series database. From 2.49.0 to before 3.5.3 and 3.11.3, in the Prometheus server's legacy web UI enabled via the command-line flag --enable-feature=old-ui, the histogram heatmap chart view does not escape le label values when inserting them...

5.1CVSS5.9AI score0.00146EPSS

Exploits0References3

CVE•added 2026/05/27 9:27 a.m.•15 views

CVE-2026-3348

Summary: CVE-2026-3348 affects the MinhNhut Link Gateway WordPress plugin up to version 3.6.1. The issue is a Stored Cross-Site Scripting flaw caused by insufficient input sanitization and output escaping in plugin settings (Description, Title, and other fields). Exploitation requires authenticat...

4.4CVSS6AI score0.00237EPSS

Exploits0References3

NVD•added 2026/05/27 8:16 a.m.•12 views

CVE-2026-3375

The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the /wp-json/litespeed/v1/notifyccss and /wp-json/litespeed/v1/notifyucss REST API endpoints in all versions up to, and including, 7.7. These endpoints accept CSS content from QUIC.cloud callback notificatio...

7.2CVSS0.00252EPSS

Exploits0References8

EUVD•added 2026/05/27 7:45 a.m.•9 views

EUVD-2026-32116

The WP Promoter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts...

6.1CVSS5.7AI score0.00119EPSS

Exploits0References5

ATTACKERKB•added 2026/05/27 7:45 a.m.•9 views

CVE-2026-8906

6.1CVSS5.7AI score0.00119EPSS

Exploits0References6

NVD•added 2026/05/27 7:16 a.m.•10 views

CVE-2026-8703

The Endless Scroll plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access a...

6.4CVSS0.00187EPSS

Exploits0References3

CVE•added 2026/05/27 5:31 a.m.•14 views

CVE-2026-8886

CVE-2026-8886 affects the WordPress plugin hk_shortcode (v

6.4CVSS6AI score0.00198EPSS

Exploits0References3

EUVD•added 2026/05/27 5:31 a.m.•6 views

EUVD-2026-32091

The hkshortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title-plane' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes in the huankongpostshorttitleplane...

6.4CVSS6AI score0.00198EPSS

Exploits0References3

EUVD•added 2026/05/27 5:31 a.m.•7 views

EUVD-2026-32088

The Responsive Check plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rspcheck' shortcode in versions up to, and including, 0.0.3. This is due to insufficient input sanitization and output escaping on the 'url' and 'button' shortcode attributes in the rspccheckshortcode...

6.4CVSS6AI score0.00204EPSS

Exploits0References4

Vulnrichment•added 2026/05/27 5:31 a.m.•7 views

CVE-2026-8845 Islamic Database <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Islamic Database plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'islamicDB-roqya' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user-supplied 'width' and 'height' shortcode attributes within th...

6.4CVSS6AI score0.00187EPSS

Exploits0References3

ATTACKERKB•added 2026/05/27 5:31 a.m.•7 views

CVE-2026-8048

The My Email Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subject' shortcode attribute in the 'my-email' shortcode in all versions up to, and including, 0.91 due to insufficient input sanitization and output escaping. This makes it possible for authenticate...

6AI score0.00187EPSS

Exploits0References4

CVE•added 2026/05/27 5:31 a.m.•14 views

CVE-2026-8872

CVE-2026-8872 affects the WordPress plugin “Animate Your Content” (versions ≤ 1.0.0). The vulnerability is a Stored Cross‑Site Scripting (XSS) flaw in the plugin’s animation-set shortcode. It arises from insufficient input sanitization and output escaping in the shortcode_args_to_html_attrs() fun...

6.4CVSS6AI score0.00193EPSS

Exploits0References4

CVE•added 2026/05/27 5:31 a.m.•12 views

CVE-2026-8911

CVE-2026-8911 affects the WordPress plugin WP AutoBuzz (versions <= 1.1.1). The root cause is missing/incorrect nonce validation, enabling CSRF that can update settings and write unsanitized data via update_option, leading to a stored XSS via the googleAccount parameter and bypassing DISALLOW_...

6.1CVSS5.7AI score0.00145EPSS

Exploits0References4

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by