CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

20041 matches found

EUVD•added 2026/03/13 8:50 p.m.•5 views

EUVD-2026-11732

Statamic vulnerable to privilege escalation via stored cross-site scripting...

5.4CVSS5.6AI score0.0023EPSS

Exploits2References2

NVD•added 2026/03/13 7:54 p.m.•4 views

CVE-2026-22209

wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability in the customCss field that allows administrators to inject malicious scripts by breaking out of style tags. Attackers with admin access can inject payloads like alert1 in the custom CSS setting to execute arbitrary JavaScript i...

5.5CVSS0.00222EPSS

Exploits0References3

ATTACKERKB•added 2026/03/13 1:18 a.m.•4 views

CVE-2026-22209

5.5CVSS5.6AI score0.00222EPSS

Exploits0References6

CVE•added 2026/03/12 9:29 p.m.•88 views

CVE-2026-32308

OneUptime prior to version 10.0.23 is affected by a Stored XSS in the Markdown viewer’s Mermaid diagram rendering. The renderer uses securityLevel: "loose" and injects Mermaid SVG output via innerHTML, allowing interactive bindings and enabling XSS via Mermaid’s click directive to execute arbitra...

7.6CVSS6AI score0.00224EPSS

Exploits1References1Affected Software1

Vulnrichment•added 2026/03/12 6:0 a.m.•4 views

CVE-2026-2687 Reading progressbar < 1.3.1 - Admin+ Stored XSS

The Reading progressbar WordPress plugin before 1.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.8AI score0.00138EPSS

Exploits0References1

ATTACKERKB•added 2026/03/11 8:51 p.m.•3 views

CVE-2026-32125

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, track/item names from the Track Anything feature are stored from user input POST and later rendered in Dygraph charts titles/labels using innerHTML or equivalent without...

5.4CVSS5.8AI score0.00162EPSS

Exploits1References2Affected Software1

ATTACKERKB•added 2026/03/11 8:24 a.m.•7 views

CVE-2026-1454

The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0.1 via form field submissions. This is due to insufficient input sanitization in the lfbleadsanitize function which omits certain...

7.2CVSS5.9AI score0.00241EPSS

Exploits0References5

CVE•added 2026/03/11 8:24 a.m.•13 views

CVE-2026-1454

Affected product: WordPress plugin “Responsive Contact Form Builder & Lead Generation Plugin” (Lead Form Builder); vulnerable in all versions up to 2.0.1. Root cause: insufficient input sanitization in lfb_lead_sanitize() (omits certain field types from its whitelist) and an overly permissive wp_...

7.2CVSS5.9AI score0.00241EPSS

Exploits0References4

Vulnrichment•added 2026/03/11 7:36 a.m.•2 views

CVE-2026-2918 Happy Addons for Elementor <= 3.21.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Stored Cross-Site Scripting via Template Conditions

The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the haconditionupdate AJAX action. This is due to the validatereqeust method using currentusercan'editposts', $templateid instead of...

6.4CVSS5.8AI score0.00193EPSS

Exploits0References6

Snyk•added 2026/03/11 4:39 a.m.•2 views

Cross-site Scripting (XSS)

Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Cross-site Scripting XSS. Adobe Vulnerability Report:This vulnerability could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form field...

8.2CVSS5.5AI score0.00382EPSS

Exploits0References2

EUVD•added 2026/03/11 3:31 a.m.•2 views

EUVD-2026-11019

Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they brow...

5.4CVSS5.8AI score0.0003EPSS

Exploits0References2

EUVD•added 2026/03/11 3:31 a.m.•1 views

EUVD-2026-10996

5.4CVSS5.8AI score0.00167EPSS

Exploits0References2

EUVD•added 2026/03/11 3:31 a.m.•2 views

EUVD-2025-208558

The RTMKit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'themebuilder' parameter in all versions up to, and including, 1.6.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

6.1CVSS5.7AI score0.00211EPSS

Exploits0References5

Cvelist•added 2026/03/11 1:22 a.m.•25 views

CVE-2026-2324 LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.7 - Cross-Site Request Forgery in Booking Form Settings Update to Stored Cross-Site Scripting

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.7. This is due to missing or incorrect nonce validation on the reloadpreview function. This makes it possible for...

6.1CVSS0.00095EPSS

Exploits0References2