CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

409 matches found

CVE-2026-28511

CVE-2026-28511 affects eLabFTW. Before version 5.4.2, an authenticated user performing a numeric reference/search could receive results that include resources the user is not authorized to view. The exposed data is limited to resource titles; attempts to access the underlying protected content re...

4.3CVSS5.8AI score0.00027EPSS

Exploits0References1Affected Software1

EUVD•added 5 days ago•5 views

EUVD-2026-33397

SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern exposes /api/search/searxng, which accepts attacker-controlled baseUrl and uses it...

8.5CVSS5.8AI score0.02589EPSS

Exploits0References1

Cvelist•added 2026/05/27 7:45 a.m.•22 views

CVE-2026-3001 Gutenverse <= 3.4.6 - Reflected Cross-Site Scripting via 's' Parameter

The Gutenverse plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in all versions up to, and including, 3.4.6 due to insufficient input sanitization and output escaping. Specifically, the rendercontent method in class-search-result-title.php outputs the val...

6.1CVSS0.00089EPSS

Exploits0References3

CVE•added 2026/05/27 7:45 a.m.•8 views

CVE-2026-3001

The CWE: CVE-2026-3001 affects the Gutenverse WordPress plugin, up to version 3.4.6. The vulnerability is a Reflected Cross-Site Scripting (XSS) in the search title block: render_content() echoes get_query_var('s') directly into HTML without escaping, enabling an attacker to craft a URL that inje...

6.1CVSS6AI score0.00089EPSS

Exploits0References3

ATTACKERKB•added 2026/05/27 7:45 a.m.•5 views

CVE-2026-3001

6.1CVSS6AI score0.00089EPSS

Exploits0References4

EUVD•added 2026/05/27 7:45 a.m.•5 views

EUVD-2026-32114

6.1CVSS6AI score0.00089EPSS

Exploits0References3

ATTACKERKB•added 2026/05/15 6:36 p.m.•1 views

CVE-2026-46361

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in search.twig where result.question and result.answerPreview are rendered with the raw filter, disabling autoescape protection. Attackers with FAQ editor privileges can inject HTML-entity-encoded payloads that bypass...

6.9CVSS5.8AI score0.00011EPSS

Exploits0References3

OSV•added 2026/05/06 8:31 p.m.•0 views

GHSA-PQH6-8FXF-JX22 phpMyFAQ has stored XSS via | raw Filter in search.twig — html_entity_decode(strip_tags()) Bypass in Search Result Rendering

Summary The search result rendering template search.twig outputs FAQ content fields result.question and result.answerPreview using Twig's | raw filter, which completely disables the template engine's built-in auto-escaping. A user with FAQ editor/contributor privileges can store a payload encoded...

6.9CVSS5.9AI score

Exploits0References2

EUVD•added 2026/05/02 11:16 a.m.•1 views

EUVD-2026-26779

The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'mapposttype' parameter in all versions up to, and including, 1.13.18. This is due to the SearchResults hook explicitly calling stripslashesdeep$POST which removes WordPress magic quotes protection, followed by...

7.5CVSS5.9AI score0.00098EPSS

Exploits0References5

EUVD•added 2026/04/23 6:30 p.m.•2 views

EUVD-2026-25273

pretalx is a conference planning tool. Prior to 2026.1.0, The organiser search in the pretalx backend rendered submission titles, speaker display names, and user names/emails into the result dropdown using innerHTML string interpolation. Any user who controls one of those fields which includes an...

8.7CVSS5.8AI score0.00044EPSS

Exploits0References1

Positive Technologies•added 2026/04/18 12:0 a.m.•0 views

PT-2026-34723

Name of the Vulnerable Software and Affected Versions pretalx versions prior to 2026.1.0 Description The organiser search in the backend renders submission titles, speaker display names, and user names or emails into the result dropdown using innerHTML string interpolation. This allows a user who...

8.7CVSS5.8AI score0.00044EPSS

Exploits0References11

HackRead•added 2026/04/16 10:42 a.m.•2 views

Researchers Say Fiverr Left User Files Open to Google Search

Private Fiverr user documents, including tax records and IDs, were reportedly found in Google search results due to a storage configuration issue. Read more about the findings and the company’s response to the data exposure...

5.7AI score

Exploits0

RedhatCVE•added 2026/03/26 3:7 p.m.•2 views

CVE-2026-31841

Hyperterse is a tool-first MCP framework for building AI-ready backend surfaces from declarative config. Prior to v2.2.0, the search tool allows LLMs to search for tools using natural language. While returning results, Hyperterse also returned the raw SQL queries, exposing statements which were...

6.5CVSS5.7AI score0.00043EPSS

Exploits0References1

OSV•added 2026/03/12 5:3 p.m.•1 views

CVE-2026-31841 Raw exposure of database statements in Hyperterse MCP search tool

6.5CVSS5.8AI score0.00043EPSS

Exploits0References4

RedhatCVE•added 2026/03/10 2:8 p.m.•0 views

CVE-2025-40638

A reflected Cross-Site Scripting XSS vulnerability has been found in Eventobot. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending him/her a malicious URL using the 'name' parameter in '/search-results'. This vulnerability can be exploited to steal...

6.1CVSS5.8AI score0.00013EPSS

Exploits0References1

EUVD•added 2026/03/09 12:31 p.m.•1 views

EUVD-2025-208398

5.1CVSS5.8AI score0.00013EPSS

Exploits0References2

EUVD•added 2026/03/09 12:31 p.m.•1 views

EUVD-2025-208397

5.1CVSS5.8AI score0.00013EPSS

Exploits0References2