CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

149 matches found

Cvelist•added 2026/06/09 5:13 p.m.•35 views

CVE-2026-34694 Adobe Experience Manager Forms JEE | Cross-site Scripting (Stored XSS) (CWE-79)

Adobe Experience Manager Forms JEE versions LTS SP1, 6.5.24.0 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's...

4.8CVSS0.00175EPSS

Exploits0References1

Cvelist•added 2026/06/08 7:6 a.m.•44 views

CVE-2026-41723 VMSA-2026-0004: VMware Cloud Foundation Operations updates address multiple vulnerabilities (CVE-2026-41722, CVE-2026-41723 and CVE-2026-41724)

VMware Cloud Foundation Operations contains multiple stored cross-site scripting vulnerabilities.A malicious actor with privileges to create policies, views or text-widgets may be able to inject scripts to perform administrative actions in VMware Cloud Foundation Operations...

8CVSS0.00399EPSS

Exploits0References1

NVD•added 2026/06/03 12:16 a.m.•10 views

CVE-2026-7421

The Passeum Ticketing plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.0. This is due to the getshopurl method returning the shopname setting value without sanitization when it begins with "http", combined with insufficient validation in th...

4.4CVSS0.00208EPSS

Exploits0References7

NVD•added 2026/05/02 5:16 a.m.•7 views

CVE-2026-4658

The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the className, classHook, and blockId attributes in the Add to Cart block essential-blocks/add-to-cart in all versions up to, and including, 6.0.4. This...

6.4CVSS0.00419EPSS

Exploits0References10

Vulnrichment•added 2026/03/21 3:27 a.m.•2 views

CVE-2026-1911 Twitter Feeds <= 1.0.0 - Authenticated (Contributor+) Cross-Site Scripting via 'tweet_title' Shortcode Attribute

The Twitter Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tweettitle' parameter in the 'TwitterFeeds' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS6AI score0.00187EPSS

Exploits0References3

NVD•added 2026/03/11 1:16 a.m.•1 views

CVE-2026-27259

Rejected reason: This CVE ID was issued in error by its CVE Numbering Authority...

0.0003EPSS

Exploits0

OSV•added 2026/01/23 2:28 a.m.•4 views

GO-2026-4312 Envoy Extension Policy lua scripts injection causes arbitrary command execution in github.com/envoyproxy/gateway

Envoy Extension Policy lua scripts injection causes arbitrary command execution in github.com/envoyproxy/gateway...

8.8CVSS5.8AI score0.00481EPSS

Exploits1References2

RedhatCVE•added 2026/01/07 9:14 a.m.•12 views

CVE-2024-2623

The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the countdown widget's message parameter in all versions up to, and including, 5.9.11 due to insufficient input sanitization an...

6.4CVSS5.8AI score0.00446EPSS

Exploits0References1

RedhatCVE•added 2026/01/07 9:14 a.m.•7 views

CVE-2024-2249

The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the LinkWrapper attribute found in several widgets in all versions up to, and including, 1.3.7.4 due to insufficient input sanitization and output escaping the user supplied attribute. Th...

6.4CVSS5.8AI score0.0032EPSS

Exploits0References1

RedhatCVE•added 2025/12/27 12:5 a.m.•21 views

CVE-2025-65885

An issue was discovered in the Delight Custom Firmware CFW for Nokia Symbian Belle devices on Nokia 808 Delight v1.8, Nokia N8 Delight v6.7, Nokia E7 Delight v1.3, Nokia C7 Delight v6.7, Nokia 700 Delight v1.2, Nokia 701 Delight v1.1, Nokia 603 Delight v1.0, Nokia 500 Delight v1.2, Nokia E6 Delig...

5.1CVSS6.7AI score0.00119EPSS

Exploits0References1

NVD•added 2025/11/21 8:15 a.m.•1 views

CVE-2025-12661

The Pollcaster Shortcode Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'height' parameter in the 'pollcaster' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes...

6.4CVSS0.00194EPSS

Exploits0References3

RedhatCVE•added 2025/10/16 8:33 a.m.•2 views

CVE-2025-10141

The Digiseller plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ds' shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, wi...

6.4CVSS6.1AI score0.00274EPSS

Exploits0References1

CVE•added 2025/10/07 11:13 p.m.•13 views

CVE-2025-61996

CVE-2025-61996 affects OPEXUS FOIAXpress prior to 11.13.3.0. An administrative user can inject JavaScript or other content into the Annual Report Template, with injected content executed in other users’ sessions when they generate an Annual Report. This constitutes a stored XSS exposure that coul...

4.8CVSS6.3AI score0.0022EPSS

Exploits0References3Affected Software1