Lucene search
K

78 matches found

NVD
NVD
added 5 days ago7 views

CVE-2026-10083

The APCu Manager WordPress plugin before 4.5.0 does not escape APCu object-cache keys before rendering them in an admin-area page, leading to a Stored Cross-Site Scripting vulnerability. When a persistent object cache is enabled, cache keys derived from unsanitised user input e.g. a transient nam...

7.5CVSS0.00204EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 5 days ago7 views

CVE-2026-10083

The APCu Manager WordPress plugin before 4.5.0 does not escape APCu object-cache keys before rendering them in an admin-area page, leading to a Stored Cross-Site Scripting vulnerability. When a persistent object cache is enabled, cache keys derived from unsanitised user input e.g. a transient nam...

6AI score0.00204EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/25 6:2 p.m.30 views

CVE-2026-46606 Glances: Command Injection via KVM/QEMU VM Domain Names in glances/plugins/vms/engines/virsh.py

Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, the Glances KVM/QEMU monitoring engine glances/plugins/vms/engines/virsh.py passes VM domain names, read directly from virsh list --all output, into f-string command templates that are processed by securepopen...

7.8CVSS0.00213EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/09 12:0 a.m.13 views

PT-2026-47686

Versions of the package degit before 2.8.6, from 3.0.0 and before 3.3.1 are vulnerable to Command Injection due to improper sanitisation of user input for git shell commands directly invoked with exec method by cloneWithGit and fetchRefs functions. An attacker can execute arbitrary operating syst...

8.8CVSS5.9AI score0.01057EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/06/05 2:49 p.m.6 views

CVE-2026-9270

DataDog::DogStatsd versions through 0.07 for Perl allow metric injections. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The sendstats method does not remove newlines from metric names $stat variable, allowing attackers to change t...

5.5AI score0.00331EPSS
Exploits0References4
OSV
OSV
added 2026/05/21 9:21 p.m.7 views

GHSA-4J38-F5CW-54H7 Twig: The `spaceless` filter implicitly marks its output as safe

Description The spaceless filter is registered with issafe = 'html', which means Twig's autoescaper does not escape its output in an HTML context. As a result, applying spaceless to attacker-controlled input that contains markup emits the markup unescaped even when the developer never wrote |raw...

5.3CVSS5.7AI score0.00056EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/05/21 12:0 a.m.10 views

PT-2026-42594

Description The spaceless filter is registered with is safe = 'html', which means Twig's autoescaper does not escape its output in an HTML context. As a result, applying spaceless to attacker-controlled input that contains markup emits the markup unescaped even when the developer never wrote |raw...

5.3CVSS5.7AI score0.00056EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/05/08 3:38 p.m.41 views

CVE-2026-41693 i18next-fs-backend: Path traversal via unsanitised lng/ns allows arbitrary file read/overwrite

i18next-fs-backend is a backend layer for i18next using in Node.js and for Deno to load translations from the filesystem. Prior to version 2.6.4, i18next-fs-backend substitutes the lng and ns options directly into the configured loadPath / addPath templates and then read / write the resulting fil...

8.2CVSS0.00292EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/04/22 5:43 p.m.14 views

i18next-fs-backend: Path traversal via unsanitised lng/ns allows arbitrary file read/overwrite

Summary Versions of i18next-fs-backend prior to 2.6.4 interpolate the caller-supplied lng and ns values directly into the configured loadPath and addPath templates with no path-component validation and no sanitisation. When an application exposes the resolved language code to user-controlled inpu...

8.2CVSS5.8AI score0.00292EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/31 12:0 a.m.4 views

PT-2026-29341

InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery SSRF vulnerability exists in the Estimate PDF generation module. User-supplied HTML in the estimate Notes field...

7.6CVSS5.8AI score0.00245EPSS
Exploits1References5
Snyk
Snyk
added 2026/01/08 4:2 a.m.3 views

Regular Expression Denial of Service (ReDoS)

Overview diff is a javascript text differencing implementation. Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the parsePatch and applyPatch functions if the user input passed without sanitisation. An attacker can cause the process to enter an...

7.5CVSS5.5AI score0.00562EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/01/02 6:0 a.m.4 views

CVE-2025-13456 Shopbuilder < 3.2.2 - Reflected XSS

The ShopBuilder WordPress plugin before 3.2.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

5.7AI score0.00198EPSS
Exploits0References1
NVD
NVD
added 2025/12/30 6:15 a.m.5 views

CVE-2025-14313

The Advance WP Query Search Filter WordPress plugin through 1.0.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

6.1CVSS0.00149EPSS
Exploits0References1
Cvelist
Cvelist
added 2025/12/09 6:0 a.m.32 views

CVE-2025-13071 Custom Admin Menu <= 1.0.0 - Reflected XSS

The Custom Admin Menu WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

0.00186EPSS
Exploits0References1
Cvelist
Cvelist
added 2025/11/24 6:0 a.m.9 views

CVE-2024-14015 Studiocart <= 2.9.0 - Reflected XSS

The WordPress eCommerce Plugin WordPress plugin through 2.9.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

0.00368EPSS
Exploits0References1
EUVD
EUVD
added 2025/10/07 12:30 a.m.3 views

EUVD-2021-11311

Malware in sbrugna...

7.2CVSS6.9AI score0.01467EPSS
Exploits2References3
EUVD
EUVD
added 2025/10/07 12:30 a.m.5 views

EUVD-2018-20435

Malware in sbrugna...

6.1CVSS6.3AI score0.01218EPSS
Exploits1References2
EUVD
EUVD
added 2025/10/03 8:7 p.m.6 views

EUVD-2024-54911

Malicious code in bioql PyPI...

6.1CVSS6.6AI score0.00229EPSS
Exploits0References2
EUVD
EUVD
added 2025/10/03 8:7 p.m.4 views

EUVD-2021-28249

Malicious code in bioql PyPI...

7.5CVSS7.6AI score0.0112EPSS
Exploits0References3
NVD
NVD
added 2025/10/02 6:15 a.m.3 views

CVE-2025-9587

The CTL Behance Importer Lite WordPress plugin through 1.0 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection...

8.6CVSS0.00312EPSS
Exploits0References1
Rows per page
Query Builder