EUVD, added 2026/04/24 4:57 p.m., 1 view

EUVD-2026-25573

Astro is a web framework. Prior to 6.1.6, the defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex //g to sanitize values injected into inline tags via the define:vars directive. HTML parsers close elements case-insensitively and also accept whitespace o...

CVSS 6.1, AI score 5.5, EPSS 0.00189
Exploits: 1, References: 1

CNNVD, added 2026/04/24 12:0 a.m., 5 views

WordPress plugin ITERAS cross-site scripting vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

CVSS 6.4, AI score 5.8, EPSS 0.00257
Exploits: 0, References: 1

EUVD, added 2026/04/23 6:30 p.m., 7 views

EUVD-2026-25273

pretalx is a conference planning tool. Prior to 2026.1.0, the organiser search in the pretalx backend rendered submission titles, speaker display names, and user names/emails into the result dropdown using innerHTML string interpolation. Any user who controls one of those fields which includes an...

CVSS 8.7, AI score 5.8, EPSS 0.00163
Exploits: 0, References: 1

Snyk, added 2026/04/23 3:7 p.m., 3 views

Improper Neutralization

Overview: Affected versions of this package are vulnerable to Improper Neutralization of inline in the BaseCookie.js_output function. An attacker can inject arbitrary script content by supplying specially crafted input containing HTML parser-sensitive sequences. Remediation: A fix was pushed into th...

CVSS 6.8, AI score 5.6, EPSS 0.00229
Exploits: 1, References: 2

EUVD, added 2026/04/22 9:32 p.m., 0 views

EUVD-2026-25079

http.cookies.Morsel.js_output returns an inline snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence inside the generated script element. Mitigation: base64-encodes the cookie value to disallow escaping using cookie value...

CVSS 2.1, AI score 5.7, EPSS 0.00229
Exploits: 1, References: 5

Vulnrichment, added 2026/04/22 7:28 p.m., 2 views

CVE-2026-6019 BaseCookie.js_output() does not neutralize embedded characters

http.cookies.Morsel.js_output returns an inline snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence inside the generated script element. Mitigation: base64-encodes the cookie value to disallow escaping using cookie value...

CVSS 2.1, AI score 5.7, EPSS 0.00229
Exploits: 1, References: 6

CVE, added 2026/04/22 7:28 p.m., 31 views

CVE-2026-6019

CVE-2026-6019 affects Python’s http.cookies.Morsel.js_output(), which can emit an inline sequence inside the generated script. Public sources indicate the fix is included in Python updates bundled in SUSE’s python39/python3 advisories (SUSE-SU-2026:1818-1) and OSV entries, with mitigation noting...

CVSS 6.1, AI score 5.7, EPSS 0.00229
Exploits: 1, References: 6, Affected Software: 1

NVD, added 2026/04/22 10:16 a.m., 1 view

CVE-2026-1395

The Gutentools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Slider block's blockid attribute in all versions up to, and including, 1.1.3. This is due to insufficient input sanitization and output escaping combined with a custom unescaping routine that reintroduce...

CVSS 6.4, EPSS 0.0024
Exploits: 0, References: 5

EUVD, added 2026/04/22 9:31 a.m., 2 views

EUVD-2026-24702

The Posts map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' shortcode attribute in all versions up to, and including, 0.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...

CVSS 6.4, AI score 5.9, EPSS 0.00235
Exploits: 0, References: 5

EUVD, added 2026/04/22 9:31 a.m., 1 view

EUVD-2026-24686

The Bread & Butter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'breadbutter-customevent-button' shortcode in all versions up to, and including, 8.2.0.25. This is due to insufficient input sanitization and output escaping on the 'event' shortcode attribute. The...

CVSS 6.4, AI score 5.9, EPSS 0.00235
Exploits: 0, References: 6

EUVD, added 2026/04/22 9:31 a.m., 2 views

EUVD-2026-24656

The Inquiry Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.2. This is due to missing nonce verification in the rdicsettingspage function when processing settings form submissions. This makes it possible for unauthenticated attackers...

CVSS 6.1, AI score 5.7, EPSS 0.00243
Exploits: 0, References: 18

EUVD, added 2026/04/22 9:31 a.m., 2 views

EUVD-2026-24648

The ER Swiffy Insert plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the swiffy shortcode in all versions up to and including 1.0.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes 'n', 'w', 'h'. These attributes are...

CVSS 6.4, AI score 5.9, EPSS 0.00288
Exploits: 0, References: 6

EUVD, added 2026/04/22 9:31 a.m., 2 views

EUVD-2026-24635

The Real Estate Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions...

CVSS 5.5, AI score 5.8, EPSS 0.00241
Exploits: 0, References: 3

NVD, added 2026/04/22 9:16 a.m., 2 views

CVE-2026-6041

The Buzz Comments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Custom Buzz Avatar' buzzcommentsavatarimage setting in all versions up to, and including, 0.9.4. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticate...

CVSS 4.4, EPSS 0.0025
Exploits: 0, References: 3

NVD, added 2026/04/22 9:16 a.m., 1 view

CVE-2026-4142

The Sentence To SEO keywords, description and tags plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Permanent keywords' field in all versions up to and including 1.0. This is due to insufficient input sanitization and output escaping. The plugin reads user input via...

CVSS 4.4, EPSS 0.00326
Exploits: 0, References: 11

NVD, added 2026/04/22 9:16 a.m., 2 views

CVE-2026-5820

The Zypento Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table of Contents block in all versions up to, and including, 1.0.6. This is due to the front-end TOC rendering script reading heading text via innerText and inserting it into the page using innerHTML...

CVSS 6.4, EPSS 0.00227
Exploits: 0, References: 3

NVD, added 2026/04/22 9:16 a.m., 3 views

CVE-2026-4089

The Twittee Text Tweet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute in all versions up to and including 1.0.8. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The ttttwitteetweeter...

CVSS 6.4, EPSS 0.00288
Exploits: 0, References: 5

NVD, added 2026/04/22 9:16 a.m., 3 views

CVE-2026-4090

The Inquiry Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.2. This is due to missing nonce verification in the rdicsettingspage function when processing settings form submissions. This makes it possible for unauthenticated attackers...

CVSS 6.1, EPSS 0.00243
Exploits: 0, References: 17

NVD, added 2026/04/22 9:16 a.m., 3 views

CVE-2026-4074

The Quran Live Multilanguage plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cheikh' and 'lang' shortcode attributes in all versions up to, and including, 1.0.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Th...

CVSS 6.4, EPSS 0.00378
Exploits: 0, References: 13

Vulnrichment, added 2026/04/22 7:45 a.m., 1 view

CVE-2026-4074 Quran Live Multilanguage <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Quran Live Multilanguage plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cheikh' and 'lang' shortcode attributes in all versions up to, and including, 1.0.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Th...

CVSS 6.4, AI score 5.9, EPSS 0.00378
Exploits: 0, References: 13