WordPress Persian Woocommerce <=5.8.0 - Cross-Site Scripting
WordPress Persian Woocommerce plugin through 5.8.0 contains a cross-site scripting vulnerability. The plugin does not escape the s parameter before outputting it back in an attribute in the admin dashboard. An attacker can inject arbitrary script in the browser of an unsuspecting user in the...
WordPress WooCommerce <1.13.22 - Cross-Site Scripting
WordPress WooCommerce before 1.13.22 contains a reflected cross-site scripting vulnerability via the slider import search feature because it does not properly sanitize the keyword GET parameter. id: CVE-2021-24300 info: name: WordPress WooCommerce 1.13.22 - Cross-Site Scripting author: cckuailong...
WordPress Plugin MF Gig Calendar 0.9.2 - Cross-Site Scripting
A cross-site scripting vulnerability in the MF Gig Calendar plugin 0.9.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the query string to the calendar page. id: CVE-2012-4242 info: name: WordPress Plugin MF Gig Calendar 0.9.2 - Cross-Site Scripting author:...
DomainMOD 4.11.01 - Cross-Site Scripting
DomainMOD through version 4.11.01 is vulnerable to cross-site scripting via the /assets/add/ssl-provider-account.php Username field. id: CVE-2018-20010 info: name: DomainMOD 4.11.01 - Cross-Site Scripting author: arafatansari severity: medium description: | DomainMOD through version 4.11.01 is...
DomainMOD 4.11.01 - Cross-Site Scripting
DomainMOD 4.11.01 contains a cross-site scripting vulnerability via assets/add/account-owner.php Owner name field. id: CVE-2018-19749 info: name: DomainMOD 4.11.01 - Cross-Site Scripting author: arafatansari severity: medium description: | DomainMOD 4.11.01 contains a cross-site scripting...
Centos Web Panel 0.9.8.480 - Local File Inclusion
Centos Web Panel version 0.9.8.480 suffers from local file inclusion vulnerabilities. Other vulnerabilities including cross-site scripting and remote code execution are also known to impact this version. id: CVE-2018-18323 info: name: Centos Web Panel 0.9.8.480 - Local File Inclusion author:...
Paid Memberships Pro < 2.6.6 - Cross-Site Scripting
The Paid Memberships Pro WordPress plugin before 2.6.6 does not escape the s parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting. id: CVE-2021-24979 info: name: Paid Memberships Pro 2.6.6 - Cross-Site Scripting author: r3Y3r53 severity:...
WordPress Car Repair Services & Auto Mechanic Theme <4.0 - Cross-Site Scripting
WordPress Car Repair Services & Auto Mechanic before 4.0 contains a reflected cross-site scripting vulnerability. It does not properly sanitize the serviceestimatekey parameter before outputting it back in the page. id: CVE-2021-24335 info: name: WordPress Car Repair Services & Auto Mechanic Them...
WordPress Supsystic Contact Form <1.7.15 - Cross-Site Scripting
WordPress Supsystic Contact Form plugin before 1.7.15 contains a cross-site scripting vulnerability. It does not sanitize the tab parameter of its options page before outputting it in an attribute. id: CVE-2021-24276 info: name: WordPress Supsystic Contact Form 1.7.15 - Cross-Site Scripting autho...
phpPgAdmin <=4.1.1 - Cross-Site Scripting
phpPgAdmin 3.5 to 4.1.1, and possibly 4.1.2, is vulnerable to cross-site scripting and allows remote attackers to inject arbitrary web script or HTML via certain input available in PHPSELF in (1) redirect.php, possibly related to (2) login.php, which are different vectors than CVE-2007-2865. id:...
Cherokee HTTPD <=0.5 - Cross-Site Scripting
Cherokee HTTPD 0.5 and earlier contains a cross-site scripting vulnerability which allows remote attackers to inject arbitrary web script or HTML via a malformed request that generates an HTTP 400 error, which is not properly handled when the error message is generated. id: CVE-2006-1681 info:...
Magento Server Mass Importer - Cross-Site Scripting
Magento Server Mass Importer plugin contains multiple cross-site scripting vulnerabilities which allow remote attackers to inject arbitrary web script or HTML via the (1) profile parameter to web/magmi.php or (2) QUERYSTRING to web/magmiimportrun.php. id: CVE-2015-2068 info: name: Magento Server Mass...
WordPress Active Products Tables for WooCommerce <1.0.5 - Cross-Site Scripting
WordPress Active Products Tables for WooCommerce plugin prior to 1.0.5 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape a parameter before outputting it back in the response of an AJAX action. An attacker can inject arbitrary script in the browser of an...
PKP Open Journal Systems 2.4.8-3.3 - Cross-Site Scripting
PKP Open Journal Systems 2.4.8 to 3.3 contains a cross-site scripting vulnerability which allows remote attackers to inject arbitrary code via the X-Forwarded-Host Header. id: CVE-2022-24181 info: name: PKP Open Journal Systems 2.4.8-3.3 - Cross-Site Scripting author: lucasljm2001,ekrause severit...
WP Cerber Security, Anti-spam & Malware Scan < 8.9.6 - Cross-Site Scripting
The WP Cerber Security, Anti-spam & Malware Scan WordPress plugin before 8.9.6 does not sanitise the $url variable before using it in an attribute in the Activity tab in the plugins dashboard, leading to an unauthenticated stored Cross-Site Scripting vulnerability. id: CVE-2022-0429 info: name: W...
Liferay Portal & DXP - Cross-Site Scripting
Liferay Portal 7.4.0 through 7.4.3.133 and Liferay DXP 2024.Q1.1 through 2025.Q1.4 contain a reflected XSS caused by improper sanitization in entrycoverimagecaption.jsp, letting remote non-authenticated attackers inject JavaScript. id: CVE-2025-4576 info: name: Liferay Portal & DXP - Cross-Site...
VvvebJs <= 2.0.5 - Cross-Site Scripting
Givanz Vvvebjs <= 2.0.5 contains a stored XSS caused by manipulation of the "uploadAllowExtensions" argument in upload.php File Upload Endpoint, letting remote attackers execute scripts, exploit requires crafted input. id: CVE-2026-5615 info: name: VvvebJs = 2.0.5 - Cross-Site Scripting author:...
Pi-hole Reflected XSS in 404-Error Page
Pi-hole Admin Interface = 6.2.1 contains a reflected XSS vulnerability on the 404 error page. The URL path is reflected unsanitized into the class attribute of the body tag, allowing attribute injection via a crafted URL to execute arbitrary JavaScript in victim browsers. id: CVE-2025-53533 info:...
SiYuan Note - Cross-Site Scripting
Unauthenticated reflected cross-site scripting (XSS) vulnerability in all versions of SiYuan Note containing /api/icon/getDynamicIcon with unsafe type=8 rendering logic. Attacker-controlled content is inserted directly into SVG output without proper sanitization. An attacker can execute arbitrary...
Blesta <= 5.13.1 - Cross-Site Scripting
Blesta 3.x through 5.x before 5.13.3 contains an input validation vulnerability caused by mishandling input, letting attackers potentially exploit the system, exploit requires unspecified conditions. id: CVE-2026-25616 info: name: Blesta = 5.13.1 - Cross-Site Scripting author: 0xAkoko severity:...