Lucene search
K

3318 matches found

NVD
NVD
added 3 days ago7 views

CVE-2026-15010

The bbp Style Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.4.5 via the Topic Form Additional Fields feature. This is due to insufficient input sanitization in bsptopicfieldsformsave which writes $POST'bsptopicfieldslabeln' directly to...

6.4CVSS0.00208EPSS
Exploits0References4
EUVD
EUVD
added 3 days ago6 views

EUVD-2026-43165

The bbp Style Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.4.5 via the Topic Form Additional Fields feature. This is due to insufficient input sanitization in bsptopicfieldsformsave which writes $POST'bsptopicfieldslabeln' directly to...

6.4CVSS6.2AI score0.00208EPSS
Exploits0References4
CVE
CVE
added 3 days ago16 views

CVE-2026-15010

The CVE-2026-15010 entry concerns the bbp Style Pack plugin for WordPress, vulnerable to Stored Cross-Site Scripting (XSS) in versions up to and including 6.4.5 via the Topic Form Additional Fields feature. Root causes are insufficient input sanitization in bsp_topic_fields_form_save(), which wri...

6.4CVSS6.2AI score0.00208EPSS
Exploits0References4
Cvelist
Cvelist
added 3 days ago30 views

CVE-2026-15010 bbp style pack <= 6.4.5 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Topic Form Additional Fields

The bbp Style Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.4.5 via the Topic Form Additional Fields feature. This is due to insufficient input sanitization in bsptopicfieldsformsave which writes $POST'bsptopicfieldslabeln' directly to...

6.4CVSS0.00208EPSS
Exploits0References4
NVD
NVD
added 4 days ago5 views

CVE-2026-55890

Grav is a file-based Web platform. Prior to 2.0.0-rc.9, Grav's incomplete fix for stored XSS through the Markdown media attribute action CVE-2026-42841 leaves the sibling MediaObjectTrait::style method reachable through the same Markdown excerpt-action pipeline, allowing an editor to save Markdow...

4.8CVSS0.00187EPSS
Exploits0References3
Cvelist
Cvelist
added 4 days ago28 views

CVE-2026-55890 Grav: Stored CSS injection via Markdown image ?style=… reaches MediaObjectTrait::style()

Grav is a file-based Web platform. Prior to 2.0.0-rc.9, Grav's incomplete fix for stored XSS through the Markdown media attribute action CVE-2026-42841 leaves the sibling MediaObjectTrait::style method reachable through the same Markdown excerpt-action pipeline, allowing an editor to save Markdow...

4.8CVSS0.00187EPSS
Exploits0References3
EUVD
EUVD
added 4 days ago6 views

EUVD-2026-42946

Grav is a file-based Web platform. Prior to 2.0.0-rc.9, Grav's incomplete fix for stored XSS through the Markdown media attribute action CVE-2026-42841 leaves the sibling MediaObjectTrait::style method reachable through the same Markdown excerpt-action pipeline, allowing an editor to save Markdow...

4.8CVSS6.1AI score0.00187EPSS
Exploits0References3
CVE
CVE
added 4 days ago16 views

CVE-2026-55890

Grav CVE-2026-55890 concerns stored CSS injection via Markdown image style parameters that reach MediaObjectTrait::style(). The incomplete patch from GHSA-r7fx-8g49-7hhr fixed attribute() (denying dangerous attribute names) but leaves the sibling style() sink unmitigated, allowing editor-supplied...

4.8CVSS6.1AI score0.00187EPSS
Exploits0References3
CVE
CVE
added 4 days ago34 views

CVE-2026-59791

The CVE-2026-59791 affects JetBrains YouTrack prior to version 2026.2.17012, where CSS injection was possible through Mermaid diagram rendering. According to the available sources, the vulnerability is tied to the Mermaid diagram rendering component and could impact user interface rendering, with...

3.5CVSS6.1AI score0.00135EPSS
Exploits0References1Affected Software1
CVE
CVE
added 4 days ago10 views

CVE-2026-15299

CVE-2026-15299 : The Animation Addons for Elementor WordPress plugin is vulnerable to Stored Cross-Site Scripting in all versions up to 2.6.3 via the Weather widget’s weather_style and move_direction parameters. The root cause is insufficient output escaping in Weather widget render() (widgets/we...

6.4CVSS6AI score0.00193EPSS
Exploits0References4
NVD
NVD
added 6 days ago9 views

CVE-2026-58657

Grav before 2.0.0 affected through 2.0.0-rc.9 and the 2.0 branch contains a stored CSS injection vulnerability in the Markdown image resize media action. Prior media hardening rejects direct ?style= payloads and unsafe attribute fallbacks, but the resize action in Excerpts::processMediaActions...

4.8CVSS0.00217EPSS
Exploits0References4
EUVD
EUVD
added 6 days ago7 views

EUVD-2026-42267

Grav before 2.0.0 affected through 2.0.0-rc.9 and the 2.0 branch contains a stored CSS injection vulnerability in the Markdown image resize media action. Prior media hardening rejects direct ?style= payloads and unsafe attribute fallbacks, but the resize action in Excerpts::processMediaActions...

4.8CVSS6.1AI score0.00217EPSS
Exploits0References4
CVE
CVE
added 6 days ago12 views

CVE-2026-58657

Grav before 2.0.0 (through 2.0.0-rc.9 and the 2.0 branch) contains a stored CSS injection in the Markdown image resize() action. In Excerpts::processMediaActions(), the resize() path writes caller-controlled values directly into the image’s styleAttributes. A low-priv content editor who can edit ...

4.8CVSS6.1AI score0.00217EPSS
Exploits0References4
OSV
OSV
added 2026/07/02 9:22 p.m.8 views

MAL-2026-6735 Malicious code in ue-python-tools (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 66a6d9d874ce102a9ac674f8f713472a473007dc3d51adb869c5198afc708751 On import uepythontools, the package spawns a background thread that issues an HTTP POST to http://109.123.247.172/pypi carrying a JSON payload...

6.3AI score
Exploits0References2
OSV
OSV
added 2026/07/02 9:22 p.m.4 views

MAL-2026-6736 Malicious code in unreal-mladapter (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 126bf3493d123333b47fba2ed68e30c085c8266dfb4d16923a81e9ee094f4780 The package name unreal-mladapter mimics Epic Games' internal UnrealMLAdapter plugin and is published at version 99999.0.0 — the canonical high-versi...

6.2AI score
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2026/07/02 12:0 a.m.6 views

Linux Distros Unpatched Vulnerability : CVE-2026-13601

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw was found in Yelp due to an overly permissive Content Security Policy CSP implementation provided by yelp-xsl. A malicious Flatpak application can open...

7.1CVSS6AI score0.0012EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/07/01 2:38 p.m.6 views

CVE-2025-15646

HTML::Gumbo versions before 0.19 for Perl disclose heap memory via type confusion. Support for the element was added to libgumbo 0.10.0 in 2015, but the walktree function in lib/HTML/Gumbo.xs was not updated to support it. The element was treated as a text-node, where strlen over-reads the heap...

9.8CVSS5.8AI score0.00663EPSS
Exploits0References4
EUVD
EUVD
added 2026/07/01 12:34 a.m.7 views

EUVD-2026-40832

Inappropriate implementation in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to inject arbitrary scripts or HTML UXSS via a crafted HTML page. Chromium security severity: Low...

6AI score0.00154EPSS
Exploits0References3
EUVD
EUVD
added 2026/07/01 12:34 a.m.4 views

EUVD-2026-40835

Type Confusion in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. Chromium security severity: Low...

5.8AI score0.00221EPSS
Exploits0References3
EUVD
EUVD
added 2026/07/01 12:34 a.m.6 views

EUVD-2026-40833

Inappropriate implementation in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. Chromium security severity: Low...

5.8AI score0.00264EPSS
Exploits0References3
Rows per page
Query Builder