CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Cvelist•added 5 days ago•32 views

CVE-2026-8981 Lazy Blocks < 4.3.0 - Admin+ Stored XSS via Custom Block Frontend HTML

0.00027EPSS

CVE•added 5 days ago•18 views

CVE-2026-41539

CVE-2026-41539 is a cross-site scripting (XSS) vulnerability affecting several QNAP operating system versions. The issue impacts QTS 5.2.9.3492+ and QuTS hero releases: h5.2.9.3499+, h5.3.4.3500+, and h6.0.0.3500+, all built around 2026-05-07 to 2026-05-20. Root cause and technical details are no...

8.7CVSS5.2AI score0.00073EPSS

Exploits0References1Affected Software1

Cvelist•added 5 days ago•32 views

CVE-2026-41539 QTS, QuTS hero

A cross-site scripting XSS vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: QTS...

8.7CVSS0.00073EPSS

Vulnrichment•added 5 days ago•4 views

CVE-2026-41539 QTS, QuTS hero

8.7CVSS5.2AI score0.00073EPSS

EUVD•added 5 days ago•6 views

EUVD-2026-35350

8.7CVSS5.2AI score0.00073EPSS

IBM Security Bulletins•added 5 days ago•3 views

Security Bulletin: IBM Automation Decision Services for May 2026- Multiple CVEs addressed

Summary In addition to many updates of operating system level packages, the following security vulnerabilities are addressed with IBM Automation Decision Services. See full list below. Vulnerability Details CVEID:CVE-2025-46295 DESCRIPTION: Apache Commons Text versions prior to 1.10.0 included...

9.8CVSS6.1AI score0.94251EPSS

Exploits42Affected Software1

CVE-2026-8977

The WP GDPR Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ninjagdprajaxactions' AJAX action in versions up to, and including, 1.0.0. This is due to missing capability and nonce checks on the handleAjaxCalls function, combined with insufficient input...

6.4CVSS0.00032EPSS

Exploits0References5

CVE-2026-8895

The kk blog card plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'blog-card' shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on the shortcode's 'href' and 'type' attributes, which are...

CVE-2026-7662

The ePaperFlip Publisher plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'publicationid' attribute of the epaperflipembed shortcode in all versions up to, and including, 1. This is due to insufficient input sanitization and output escaping on the shortcode attribute whic...

NVD•added 5 days ago•16 views

CVE-2026-8841

The Extra Settings for RocketChat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rocketchat' shortcode's 'title' attribute in versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping in the rxstgshortcode function, which...

NVD•added 5 days ago•7 views

CVE-2026-8883

The Global Body Mass Index Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gbmicalc' shortcode in versions up to, and including, 1.2. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes in the...

6.4CVSS0.00032EPSS

Exploits0References5

NVD•added 5 days ago•11 views

CVE-2026-8880

The RomanCart Ecommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blclass' attribute and other attributes of the romancartbutton shortcode in versions up to, and including, 2.0.8. This is due to insufficient input sanitization and output escaping on user supplied...

CVE-2026-8882

The WP ApplicantStack Jobs Display plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

NVD•added 5 days ago•6 views

CVE-2026-41845

Due to incorrect escaping, the use of JavaScriptUtils.javaScriptEscape may lead to JavaScript code injection in the browser, potentially resulting in a cross-site scripting XSS vulnerability. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3....

7.1CVSS0.00032EPSS

NVD•added 5 days ago•7 views

CVE-2026-41846

Spring MVC applications which accept user-supplied values in the cssClass, cssErrorClass, or cssStyle attributes of JSP form tags allow arbitrary HTML/JavaScript code injection, potentially resulting in a cross-site scripting XSS vulnerability. Affected versions: Spring Framework 7.0.0 through...

6.1CVSS0.00032EPSS

NVD•added 5 days ago•6 views

CVE-2026-10738

The jQuery Hover Footnotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Footnote Qualifier '...' Syntax in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS0.00032EPSS

Exploits0References5

OSV•added 5 days ago•3 views

UBUNTU-CVE-2026-41845

7.1CVSS5.3AI score0.00032EPSS

OSV•added 5 days ago•3 views

UBUNTU-CVE-2026-41846

6.1CVSS5.4AI score0.00032EPSS

OSV•added 5 days ago•3 views

UBUNTU-CVE-2026-41839

A WebFlux application with a compromised subdomain for example, compromised via cross-site scripting XSS is vulnerable to an escalation attack exchanging a known session ID for that of an authenticated user. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0...

4.2CVSS5.2AI score0.00027EPSS