CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

97 matches found

Vulnrichment•added 2026/03/03 10:16 p.m.•5 views

CVE-2026-26266 AliasVault affected by Cross-Site Scripting (XSS) via Email HTML Rendering

AliasVault is a privacy-first password manager with built-in email aliasing. A stored cross-site scripting XSS vulnerability was identified in the email rendering feature of AliasVault Web Client versions 0.25.3 and lower. When viewing received emails on an alias, the HTML content is rendered in ...

9.3CVSS5.8AI score0.00239EPSS

Exploits0References3

CVE•added 2026/03/03 10:16 p.m.•12 views

CVE-2026-26266

AliasVault Web Client versions ≤ 0.25.3 are affected by a stored XSS in the email rendering feature. HTML content of emails viewed in an alias is rendered in an iframe via srcdoc, which lacks origin isolation, allowing a crafted email containing JavaScript to execute in the application's origin w...

9.3CVSS5.8AI score0.00239EPSS

Exploits0References3Affected Software1

ATTACKERKB•added 2026/03/03 10:16 p.m.•5 views

CVE-2026-26266

9.3CVSS5.8AI score0.00239EPSS

Exploits0References4Affected Software1

EUVD•added 2026/03/03 10:16 p.m.•6 views

EUVD-2026-9332

9.3CVSS5.8AI score0.00239EPSS

Exploits0References3

OSV•added 2026/03/03 10:16 p.m.•2 views

CVE-2026-26266 AliasVault affected by Cross-Site Scripting (XSS) via Email HTML Rendering

9.3CVSS5.8AI score0.00239EPSS

Exploits0References5

CNNVD•added 2026/03/03 12:0 a.m.•3 views

AliasVault 跨站脚本漏洞

AliasVault is an open-source password manager developed by AliasVault. Versions of AliasVault prior to 0.25.3 contained a cross-site scripting vulnerability. This vulnerability stemmed from the email rendering feature, where HTML content was rendered using srcdoc within an iframe without proper...

9.3CVSS5.6AI score0.00239EPSS

Exploits0References3

RedhatCVE•added 2025/11/14 10:1 p.m.•8 views

CVE-2025-64747

Directus is a real-time API and App dashboard for managing SQL database content. A stored cross-site scripting XSS vulnerability exists in versions prior to 11.13.0 that allows users with upload files and edit item permissions to inject malicious JavaScript through the Block Editor interface...

5.5CVSS6AI score0.0021EPSS

Exploits1References1

EUVD•added 2025/11/14 9:45 p.m.•3 views

EUVD-2025-177203

Directus is Vulnerable to Stored Cross-site Scripting...

5.5CVSS5.8AI score0.0021EPSS

Exploits1References3

Github Security Blog•added 2025/11/14 9:45 p.m.•8 views

Directus is Vulnerable to Stored Cross-site Scripting

Summary A stored cross-site scripting XSS vulnerability exists that allows users with upload files and edit item permissions to inject malicious JavaScript through the Block Editor interface. Attackers can bypass Content Security Policy CSP restrictions by combining file uploads with iframe srcdo...

5.5CVSS5.8AI score0.0021EPSS

Exploits1References4Affected Software1

OSV•added 2025/11/14 9:45 p.m.•4 views

GHSA-VV2V-PW69-8CRF Directus is Vulnerable to Stored Cross-site Scripting

5.5CVSS5.7AI score0.0021EPSS

Exploits1References4

Snyk•added 2025/11/13 9:58 p.m.•2 views

Cross-site Scripting (XSS)

Overview @directus/app is an App dashboard for Directus Affected versions of this package are vulnerable to Cross-site Scripting XSS via the Block Editor interface when users with upload files and edit item permissions inject malicious JavaScript. An attacker can execute arbitrary scripts in the...

5.5CVSS5.4AI score0.0021EPSS

Exploits1References2

Vulnrichment•added 2025/11/13 9:13 p.m.•2 views

CVE-2025-64747 Directus Vulnerable to Stored Cross-site Scripting

5.5CVSS5.5AI score0.0021EPSS

Exploits1References2

Cvelist•added 2025/11/13 9:13 p.m.•8 views

CVE-2025-64747 Directus Vulnerable to Stored Cross-site Scripting

5.5CVSS0.0021EPSS

Exploits1References2

OSV•added 2025/11/13 9:13 p.m.•4 views

CVE-2025-64747 Directus Vulnerable to Stored Cross-site Scripting

5.5CVSS5.9AI score0.0021EPSS

Exploits1References4

Cvelist•added 2025/08/19 4:32 p.m.•7 views

CVE-2025-52478 Stored XSS in n8n Form Trigger allows Account Takeover via injected iframe and video/source

n8n is a workflow automation platform. From 1.77.0 to before 1.98.2, a stored Cross-Site Scripting XSS vulnerability was identified in n8n, specifically in the Form Trigger node's HTML form element. An authenticated attacker can inject malicious HTML via an with a srcdoc payload that includes...

8.7CVSS0.00347EPSS

Exploits0References3

OSV•added 2025/08/19 4:32 p.m.•4 views

CVE-2025-52478 Stored XSS in n8n Form Trigger allows Account Takeover via injected iframe and video/source

8.7CVSS5.6AI score0.00347EPSS

Exploits0References5

Github Security Blog•added 2025/08/19 3:33 p.m.•11 views

Stored XSS in n8n Form Trigger allows Account Takeover via injected iframe and video/source

Impact A stored Cross-Site Scripting XSS vulnerability was identified in n8n, specifically in the Form Trigger node's HTML form element. An authenticated attacker can inject malicious HTML via an with a srcdoc payload that includes arbitrary JavaScript execution. The attacker can also inject...

8.7CVSS5.8AI score0.00347EPSS

Exploits0References5Affected Software1

OSV•added 2025/08/19 3:33 p.m.•3 views

GHSA-HFMV-HHH3-43F2 Stored XSS in n8n Form Trigger allows Account Takeover via injected iframe and video/source

8.7CVSS6.3AI score0.00347EPSS

Exploits0References5

Tenable Nessus•added 2025/08/07 12:0 a.m.•3 views

Linux Distros Unpatched Vulnerability : CVE-2017-7788

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - When an iframe has a sandbox attribute and its content is specified using srcdoc, that content does not inherit the containing page's Content Security Policy CS...

9.8CVSS7.2AI score0.02336EPSS

Exploits1References2

Cvelist•added 2025/06/04 7:59 p.m.•13 views

CVE-2025-32015 FreshRSS vulnerable to Cross-site Scripting by embedding <script> tag inside <iframe srcdoc>

FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, HTML is sanitized improperly inside the attribute, which leads to cross-site scripting XSS by loading an attacker's UserJS inside . In order to execute the attack, the attacker needs to control one of the victim's feeds and...

6.7CVSS0.00378EPSS

Exploits1References2

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by