CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

2894 matches found

WP Pricing Table - Reflected XSS

WP Pricing Table WordPress plugin = 1.1 contains a reflected cross-site scripting caused by unsanitized parameter output, letting attackers execute scripts in the context of high privilege users, exploit requires attacker to craft malicious URL. id: CVE-2024-13628 info: name: WP Pricing Table -...

6.1CVSS8.1AI score0.00641EPSS

Exploits1References1

Nuclei•added yesterday•10 views

Post Sync Plugin <= 1.1 - Cross-Site Scripting

Post Sync WordPress plugin = 1.1 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute malicious scripts in the context of high privilege users, exploit requires attacker to craft a maliciou...

6.1CVSS8.1AI score0.0061EPSS

Exploits1References2

Nuclei•added yesterday•9 views

WP BASE Booking - Reflected XSS

WP BASE Booking of Appointments, Services and Events WordPress plugin 5.0.0 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before output, letting attackers execute malicious scripts in high privilege users' browsers, exploit requires victim to...

6.1CVSS8.1AI score0.00578EPSS

Exploits1References1

Nuclei•added yesterday•12 views

RiteCMS 3.0.0 - Cross-site Scripting

RiteCMS v3.0.0 contains a reflected XSS caused by unsanitized input in the mainmenu/editsection component, letting attackers execute arbitrary scripts in the context of the victim's browser. id: CVE-2024-28623 info: name: RiteCMS 3.0.0 - Cross-site Scripting author: 0xAkoko severity: medium...

6.1CVSS5.5AI score0.01317EPSS

Exploits4References2

Nuclei•added yesterday•9 views

WordPress User Messages <= 1.2.4 - Reflected XSS

WordPress User Messages plugin = 1.2.4 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute malicious scripts in the context of high privilege users, exploit requires victim to load a...

6.1CVSS8.1AI score0.00561EPSS

Exploits1References2

Nuclei•added yesterday•8 views

Cloudlog - SQL Injection

Cloudlog 2.6.15 contains a SQL injection caused by unsanitized input in oqrs.php requestform, letting attackers execute arbitrary SQL commands via stationid or callsign, exploit requires sending crafted request. id: CVE-2024-48259 info: name: Cloudlog - SQL Injection author: s4e-io severity: high...

7.3CVSS6AI score0.00863EPSS

Exploits1References3

Nuclei•added yesterday•11 views

Glossy WordPress - Reflected XSS

Glossy WordPress plugin v2.3.5 contains a reflected cross-site scripting caused by unsanitized parameter output, letting attackers execute malicious scripts in high privilege users' browsers, exploit requires victim to click a malicious link. id: CVE-2024-13325 info: name: Glossy WordPress -...

6.1CVSS8.1AI score0.00561EPSS

Exploits1References1

Nuclei•added yesterday•13 views

Web-Check < 2.0.1 Screenshot API - OS Command Injection

Lissy93/web-check contains a command injection caused by unsanitized user input in the screenshot API, letting attackers execute arbitrary system commands, exploit requires sending crafted url parameters. id: CVE-2025-32778 info: name: Web-Check 2.0.1 Screenshot API - OS Command Injection author:...

9.3CVSS5.6AI score0.19976EPSS

Exploits4References4

Nuclei•added yesterday•14 views

GestioIP - Reflected Cross-Site Scripting

GestioIP v3.5.7 contains a reflected cross-site scripting caused by unsanitized input in the ipdojob request, letting attackers execute scripts in the victim's browser, exploit requires specific user permissions. id: CVE-2024-50857 info: name: GestioIP - Reflected Cross-Site Scripting author:...

4.8CVSS5AI score0.01172EPSS

Exploits3References4

Nuclei•added yesterday•20 views

Nevma Adaptive Images - Arbitrary File Deletion

Nevma Adaptive Images plugin before 0.6.67 for WordPress contains an arbitrary file deletion caused by unsanitized input in adaptive-images-script.php, letting remote attackers delete arbitrary files, exploit requires sending specific request parameters. id: CVE-2019-14206 info: name: Nevma...

7.5CVSS7.9AI score0.04767EPSS

Exploits2References6

Nuclei•added yesterday•9 views

phpLDAPadmin <= 1.2.3 - Reflected XSS

phpLDAPadmin = 1.2.3 contains a reflected cross-site scripting caused by unsanitized input in htdocs/entrychooser.php via the form, element, rdn, or container parameter, letting attackers execute malicious scripts in victim browsers, exploit requires sending crafted input. id: CVE-2017-11107 info...

6.1CVSS5.9AI score0.02069EPSS

Exploits1References3

Cvelist•added 2 days ago•28 views

CVE-2026-49294 Valhalla has reflected XSS via unsanitized JSONP callback parameter

Valhalla is an open source routing engine and accompanying libraries for use with OpenStreetMap data. Versions 3.6.3 and prior are vulnerable to reflected cross-site scripting XSS due to improper neutralization of input in the JSONP callback parameter. When a request specifies a JSONP callback, t...

6.1CVSS0.00149EPSS

Exploits0References1

NVD•added 2 days ago•8 views

CVE-2016-20071

The 404 Redirection Manager plugin version 1.0 for WordPress contains an unauthenticated SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through unsanitized user input. Attackers can craft GET requests with SQL injection payloa...

8.8CVSS0.00302EPSS

Exploits0References3

CVE•added 2 days ago•5 views

CVE-2016-20071

The CVE concerns the WordPress plugin 404 Redirection Manager (version 1.0) for which an unauthenticated SQL injection is described. The vulnerability allows remote attackers to influence database queries and potentially extract sensitive data by sending crafted, unsanitized input via HTTP GET re...

8.8CVSS6.2AI score0.00302EPSS

Exploits0References3

EUVD•added 4 days ago•8 views

EUVD-2026-36643

The Store Locator WordPress plugin before 1.6.9 does not sanitize and escape store logo metadata before storing it and outputting it on the Store Locator WordPress plugin before 1.6.9 admin page, allowing high-privileged users such as administrators to perform Stored Cross-Site Scripting attacks...

5.3AI score0.00154EPSS

Exploits0References1

Cvelist•added 5 days ago•25 views

CVE-2026-53608 @apostrophecms/seo Vulnerable to Stored XSS via Unsanitized Google Analytics / GTM ID Injected into Script Tag

ApostropheCMS is an open-source Node.js content management system. Versions up to and including 1.4.2 of the @apostrophecms/seo package injects the Google Analytics Tracking ID seoGoogleTrackingId and Google Tag Manager ID seoGoogleTagManager directly into tag bodies using JavaScript template...

8.7CVSS0.00199EPSS

Exploits0References1

Cvelist•added 5 days ago•27 views

CVE-2026-42853 @apostrophecms/cli: Command Injection in apos create via Unsanitized Password Input

ApostropheCMS is an open-source Node.js content management system. Versions of the @apostrophecms/cli package up to and including 3.6.0 contain a command injection vulnerability in the apos create command. User-supplied input from the password prompt is embedded directly into a shell command...

6.5CVSS0.00428EPSS

Exploits0References1

CVE•added 5 days ago•14 views

CVE-2026-42853

Vulnerability: CVE-2026-42853 affects ApostropheCMS CLI (@apostrophecms/cli) versions up to 3.6.0. Description: command injection in the apos create flow caused by embedding unsanitized password-prompt input directly into a shell command, enabling arbitrary command execution on the host. Root cau...

6.5CVSS5.8AI score0.00428EPSS

Exploits0References1

Cvelist•added 5 days ago•26 views

CVE-2026-54057 Kitty vulnerable to command injection via unsanitized OSC 21 query reply

Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.3, kitty's OSC 21 color-control query reply reflects attacker-controlled bytes, including newlines, into the shell's input without sanitization. Version 0.47.3 fixes the issue...

7.3CVSS0.00128EPSS

Exploits1References1

CVE•added 5 days ago•7 views

CVE-2026-54057

Kitty (cross-platform GPU-based terminal) is affected in versions prior to 0.47.3. The issue arises in the OSC 21 (color-control) query reply, which may reflect attacker-controlled bytes—including newlines—into the shell input without sanitization. This can enable local command injection or input...

7.8CVSS5.3AI score0.00128EPSS

Exploits1References1Affected Software1

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by