263 matches found

CVE
added 2026/06/11 5:3 a.m., 16 views

CVE-2026-40986

Spring Web Flow vulnerability: JavaScript RemotingHandler renders the body of an error response as HTML even when the response is not text/html, enabling a scripting attack if server error details containing attacker-reflected input are returned. Affected versions: Spring Web Flow 4.0.0; 3.0.0–3....

4.8 CVSS, 5.3 AI score, 0.00201 EPSS
Exploits 0, References 1
Cvelist
added 2026/06/11 5:3 a.m., 25 views

CVE-2026-40986 Spring Web Flow JS RemotingHandler renders non-HTML Response as HTML

Spring Web Flow's JavaScript RemotingHandler renders the body of an error response as HTML even when the response is not "text/html", which can result in a scripting attack in the user's browser if the error response from the server contains error details with input reflected from an attacker...

4.8 CVSS, 0.00201 EPSS
Exploits 0, References 1
CNNVD
added 2026/06/01 12:0 a.m., 7 views

Orca Energija Orca heat pump security vulnerability

Orca Energija Orca heat pump is a series of air-to-water heat pump systems developed by Orca Energija. There are security vulnerabilities in Orca Energija Orca heat pumps. These vulnerabilities stem from the lack of authentication and plaintext data transmission. Combined with the absence of...

6.3 CVSS, 5.3 AI score, 0.00114 EPSS
Exploits 0, References 1
NVD
added 2026/05/14 3:16 p.m., 12 views

CVE-2026-41932

Vvveb before 1.0.8.3 contains a stored cross-site scripting vulnerability in the customer signup flow where the Signup::addUser controller copies raw POST username values into the displayname field before sanitization occurs. Attackers can submit HTML and script markup in the username field durin...

6.1 CVSS, 0.00218 EPSS
Exploits 0, References 3
NVD
added 2026/04/13 9:16 p.m., 2 views

CVE-2025-70936

Vtiger CRM 8.4.0 contains a reflected cross-site scripting (XSS) vulnerability in the MailManager module. Improper handling of user-controlled input in the folder parameter allows a specially crafted, double URL-encoded payload to be reflected and executed in the context of an authenticated user s...

5.4 CVSS, 0.00138 EPSS
Exploits 0, References 2
NVD
added 2026/04/02 9:16 p.m., 2 views

CVE-2026-30251

A reflected cross-site scripting (XSS) vulnerability in the loginnewpwd.php endpoint of Interzen Consulting S.r.l ZenShare Suite v17.0 allows attackers to execute arbitrary JavaScript in the context of the user's browser via a crafted URL injected into the codiceazienda parameter...

6.1 CVSS, 0.00194 EPSS
Exploits 0, References 1
RedhatCVE
added 2026/03/26 3:8 p.m., 3 views

CVE-2026-2837

The Ricerca – advanced search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin's settings in all versions up to, and including, 1.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-lev...

4.4 CVSS, 5.9 AI score, 0.00154 EPSS
Exploits 0, References 1
Cvelist
added 2026/03/23 11:25 p.m., 30 views

CVE-2026-3533 JupiterX Core <= 4.14.1 - Authenticated (Subscriber+) Missing Authorization To Limited File Upload via Popup Template Import

The Jupiter X Core plugin for WordPress is vulnerable to limited file uploads due to missing authorization on importpopuptemplates function as well as insufficient file type validation in the uploadfiles function in all versions up to, and including, 4.14.1. This makes it possible for Authenticat...

8.8 CVSS, 0.00676 EPSS
Exploits 0, References 4
Positive Technologies
added 2026/03/07 12:0 a.m., 4 views

PT-2026-23840

The MyQtip – easy qTip2 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's myqtip shortcode in all versions up to, and including, 2.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

6.4 CVSS, 5.9 AI score, 0.00159 EPSS
Exploits 0, References 3
GithubExploit
added 2026/02/06 7:40 a.m., 135 views

davids-xss-attack-defense

XSS Attack & Defense EXPERIMENT 1: Stored XSS Attack aler...

5.2 AI score
Exploits 0
RedhatCVE
added 2026/01/09 10:19 a.m., 8 views

CVE-2019-18664

The Log module in SECUDOS DOMOS before 5.6 allows XSS...

5.4 CVSS, 7 AI score, 0.00575 EPSS
Exploits 1, References 1
RedhatCVE
added 2026/01/09 9:24 a.m., 12 views

CVE-2023-40314

Cross-site scripting in bootstrap.jsp in multiple versions of OpenNMS Meridian and Horizon allows an attacker access to confidential session information. The solution is to upgrade to Horizon 32.0.5 or newer and Meridian 2023.1.9 or newer. Meridian and Horizon installation instructions state that...

6.1 CVSS, 6.4 AI score, 0.00435 EPSS
Exploits 0, References 1
CVE
added 2025/12/30 10:42 p.m., 8 views

CVE-2022-50802

ETAP Safety Manager 1.0.0.32 is affected by an unauthenticated reflected XSS in the 'action' GET parameter. The vulnerability allows injection of HTML/JavaScript to execute in victims’ browsers, potentially leaking credentials or enabling unauthorized actions. The issue is documented across multi...

6.1 CVSS, 6.2 AI score, 0.00297 EPSS
Exploits 1, References 6, Affected Software 1
Tenable Nessus
added 2025/11/13 12:0 a.m., 7 views

HP Integrated Lights-Out Improper Neutralization of Input During Web Page Generation (CVE-2021-29206)

"A remote xss vulnerability was discovered in HPE Integrated Lights-Out 4 iLO 4 %NASLMINLEVEL 80900 C Tenable, Inc. include'compat.inc'; if description scriptid504401; scriptversion"1.1"; scriptsetattributeattribute:"pluginmodificationdate", value:"2025/11/13"; scriptcveid"CVE-2021-29206";...

4.8 CVSS, 5.3 AI score, 0.00653 EPSS
Exploits 0, References 2
RedhatCVE
added 2025/11/12 2:3 p.m., 21 views

CVE-2025-9227

Zohocorp ManageEngine OpManager versions 128609 and below are vulnerable to Stored XSS Vulnerability in the SNMP trap processor...

6.5 CVSS, 6 AI score, 0.0036 EPSS
Exploits 0, References 1
EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2017-11886

Malware in sbrugna...

6.1 CVSS, 6.3 AI score, 0.01266 EPSS
Exploits 0, References 2
EUVD
added 2025/10/07 12:30 a.m., 4 views

EUVD-2019-16159

Malware in sbrugna...

6.1 CVSS, 6.3 AI score, 0.01242 EPSS
Exploits 0, References 3
EUVD
added 2025/10/07 12:30 a.m., 4 views

EUVD-2016-6754

Malware in sbrugna...

6.1 CVSS, 6.7 AI score, 0.00886 EPSS
Exploits 0, References 2
EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2020-7764

Malware in sbrugna...

9.6 CVSS, 9.1 AI score, 0.01002 EPSS
Exploits 0, References 2
EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2020-25309

Malware in sbrugna...

6.3 CVSS, 6.4 AI score, 0.00835 EPSS
Exploits 0, References 3