Cross-site Scripting (XSS)
Overview: justhtml is a pure Python HTML5 parser that just works. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the serialization process of raw-text elements such as script and style when a custom sanitization policy retains these elements. An attacker can...
mo has a XSS via inline SVG script tags in Markdown rendering
Summary: When rendering Markdown files containing inline SVG elements with script tags, the embedded JavaScript is executed in the browser. This is due to rehype-raw passing raw HTML including SVG through to the DOM without sanitization. PoC html alert1 Embedding the above in a Markdown file opened with ...
GHSA-VCCX-P757-PV6H mo has a XSS via inline SVG script tags in Markdown rendering
Summary: When rendering Markdown files containing inline SVG elements with script tags, the embedded JavaScript is executed in the browser. This is due to rehype-raw passing raw HTML including SVG through to the DOM without sanitization. PoC html alert1 Embedding the above in a Markdown file opened with ...
EUVD-2026-12831
When a plugin is installed using the Arturia Software Center (macOS), it also installs an uninstall.sh bash script in a root-owned path. This script is written to disk with the file permissions 777, meaning it is writable by any user. When uninstalling a plugin via the Arturia Software Center the...
CVE-2026-24063
When a plugin is installed using the Arturia Software Center (macOS), it also installs an uninstall.sh bash script in a root-owned path. This script is written to disk with the file permissions 777, meaning it is writable by any user. When uninstalling a plugin via the Arturia Software Center the...
CVE-2026-24063 World-writable uninstall script executed as root in Arturia Software Center
When a plugin is installed using the Arturia Software Center (macOS), it also installs an uninstall.sh bash script in a root-owned path. This script is written to disk with the file permissions 777, meaning it is writable by any user. When uninstalling a plugin via the Arturia Software Center the...
CVE-2026-24063
The CVE concerns Arturia Software Center on macOS. A plugin install creates an uninstall.sh script in a root-owned path with 777 permissions, writable by any user. During plugin uninstall, the Privileged Helper is instructed to execute this script. If an attacker manipulates the script, this can ...
EUVD-2026-12791
A stored cross-site scripting (XSS) vulnerability in the Link Aggregation configuration interface allows an unauthenticated remote attacker to create a trunk entry containing malicious HTML/JavaScript code. When the affected page is viewed, the injected script executes in the context of the victim’...
Cross-Site Scripting (XSS)
code.gitea.io/gitea is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper handling of user input in the search input box used for creating tags and branches, where v-html is used instead of v-text, which allows an attacker to inject and execute malicious scripts in the...
Malicious code in rowrap (PyPI)
Source: kam193 (606ce541a3ef4a98e4e1639e96c6431e7ec83be6f987c640a63c03991eae4f6e). The package hides code to download and start malicious script containing malware, identified as adware. The triggering method seems to be PTH file, although it...
MAL-2026-1544 Malicious code in rowrap (PyPI)
Source: kam193 (606ce541a3ef4a98e4e1639e96c6431e7ec83be6f987c640a63c03991eae4f6e). The package hides code to download and start malicious script containing malware, identified as adware. The triggering method seems to be PTH file, although it...
EUVD-2026-12742
The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wpgmzacustomjs’ parameter in all versions up to, and including, 10.0.05 due to insufficient input sanitization and output escaping and missing capability check in the...
CVE-2026-31938 jsPDF has HTML Injection in New Window paths
jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of the options argument of the output function allows attackers to inject arbitrary HTML such as scripts into the browser context the created PDF is opened in. The vulnerability can be exploited in the followi...
CVE-2026-4268 WP Go Maps (formerly WP Google Maps) <= 10.0.05 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via admin_post_wpgmza_save_settings
The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wpgmzacustomjs’ parameter in all versions up to, and including, 10.0.05 due to insufficient input sanitization and output escaping and missing capability check in the...
EUVD-2026-12651
Edimax GS-5008PL firmware version 1.00.54 and prior contain a stored cross-site scripting vulnerability in the systemnameset.cgi script that allows attackers to inject arbitrary script code by manipulating the sysName parameter. Attackers can send a crafted POST request with malicious script...
Arturia Software Center Security Vulnerability
Arturia Software Center is an application developed by the French company Arturia, used for managing, installing, and updating music production software and plugins. There is a security vulnerability in Arturia Software Center, which stems from improper permission settings in the uninstall.sh...
PT-2026-26025
The CRPaid Link Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the URL path in all versions up to, and including, 0.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts ...
PT-2026-26067
When a plugin is installed using the Arturia Software Center (macOS), it also installs an uninstall.sh bash script in a root-owned path. This script is written to disk with the file permissions 777, meaning it is writable by any user. When uninstalling a plugin via the Arturia Software Center the...