CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

CVE•added 2026/05/07 6:43 p.m.•6 views

CVE-2026-41653

BentoPDF (self-hosted client-side PDF toolkit) had a cross-site scripting vulnerability in the Markdown to PDF Tool prior to version 2.8.3. An attacker may be able to execute arbitrary JavaScript in certain circumstances. The issue has been patched in version 2.8.3. No exploitation details are pr...

7CVSS5.8AI score0.00067EPSS

Vulnrichment•added 2026/05/07 6:43 p.m.•6 views

CVE-2026-41653 BentoPDF: Stored XSS via Markdown Editor Leading to Persistent File Exfiltration

7CVSS5.8AI score0.00067EPSS

Cvelist•added 2026/05/07 6:43 p.m.•29 views

CVE-2026-41653 BentoPDF: Stored XSS via Markdown Editor Leading to Persistent File Exfiltration

7CVSS0.00067EPSS

Positive Technologies•added 2026/05/07 12:0 a.m.•8 views

PT-2026-38546

Name of the Vulnerable Software and Affected Versions BentoPDF versions prior to 2.8.3 Description BentoPDF is a self-hostable client-side PDF toolkit. A cross-site scripting issue exists in the Markdown to PDF Tool, which allows an attacker to execute arbitrary JavaScript under certain...

7CVSS5.9AI score0.00067EPSS

Exploits0References6

OSV•added 2026/03/26 8:16 p.m.•4 views

UBUNTU-CVE-2026-33532

yaml is a YAML parser and serialiser for JavaScript. Parsing a YAML document with a version of yaml on the 1.x branch prior to 1.10.3 or on the 2.x branch prior to 2.8.3 may throw a RangeError due to a stack overflow. The node resolution/composition phase uses recursive function calls without a...

4.3CVSS6AI score0.00025EPSS

Exploits1References6

Snyk•added 2026/03/25 8:8 p.m.•2 views

Uncontrolled Recursion

Overview Affected versions of this package are vulnerable to Uncontrolled Recursion in the compose/resolve phase due to using recursive function calls without a depth bound. An attacker can cause the application to throw a RangeError and potentially terminate the Node.js process by supplying a...

6.5CVSS5.9AI score0.00025EPSS

Exploits1References2

NVD•added 2026/03/20 7:16 p.m.•1 views

CVE-2026-32318

Cryptomator for IOS offers multi-platform transparent client-side encryption for files in the cloud. Prior to version 2.8.3, an integrity check vulnerability allows an attacker tamper with the vault configuration file leading to a man-in-the-middle vulnerability in Hub key loading mechanism. Befo...

7.6CVSS0.00016EPSS

Vulnrichment•added 2026/02/06 6:46 a.m.•3 views

CVE-2026-1909 WaveSurfer-WP <= 2.8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'src' Shortcode Attribute

The WaveSurfer-WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's audio shortcode in all versions up to, and including, 2.8.3 due to insufficient input sanitization and output escaping on the 'src' attribute. This makes it possible for authenticated attackers,...

6.4CVSS5.6AI score0.00016EPSS

EUVD•added 2026/02/06 6:46 a.m.•4 views

EUVD-2026-5612

6.4CVSS5.6AI score0.00016EPSS

CNNVD•added 2026/02/06 12:0 a.m.•3 views

WordPress plugin WaveSurfer-WP 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

6.4CVSS5.7AI score0.00016EPSS

EUVD•added 2026/02/04 9:26 p.m.•4 views

EUVD-2026-5336

JinJava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Prior to versions 2.7.6 and 2.8.3, JinJava is vulnerable to arbitrary Java execution via bypass through ForTag. This allows arbitrary Java class instantiation and file access bypassing...

9.8CVSS5.7AI score0.00049EPSS

Exploits1References5

Positive Technologies•added 2026/02/03 12:0 a.m.•4 views

PT-2026-6313

Name of the Vulnerable Software and Affected Versions JinJava versions prior to 2.7.6 JinJava versions prior to 2.8.3 Description JinJava is a Java-based template engine that uses django template syntax to render jinja templates. A flaw exists in the ForTag component that allows for arbitrary Jav...

10CVSS5.7AI score0.00049EPSS

Exploits1References19

NVD•added 2026/01/22 5:16 p.m.•1 views

CVE-2025-68015

Improper Control of Generation of Code 'Code Injection' vulnerability in Vollstart Event Tickets with Ticket Scanner event-tickets-with-ticket-scanner allows Code Injection.This issue affects Event Tickets with Ticket Scanner: from n/a through = 2.8.5...

9CVSS0.00092EPSS

CVE•added 2026/01/22 4:52 p.m.•10 views

CVE-2025-68015

CVE-2025-68015 — WordPress Event Tickets with Ticket Scanner is a code injection vulnerability in Vollstart Event Tickets with Ticket Scanner. Public sources in the Connected set confirm the issue affects Event Tickets with Ticket Scanner, specifically versions up to and including 2.8.3 (n/a thro...

9CVSS5.9AI score0.00092EPSS

ATTACKERKB•added 2026/01/22 4:52 p.m.•7 views

CVE-2025-68015

9CVSS5.4AI score0.00092EPSS

CNNVD•added 2026/01/22 12:0 a.m.•2 views

WordPress Plugin Event Tickets with Ticket Scanner: Code Injection Vulnerability

9CVSS5.9AI score0.00092EPSS

RedhatCVE•added 2026/01/09 11:14 a.m.•4 views

CVE-2016-10513

Cross Site Scripting XSS exists in Piwigo before 2.8.3 via a crafted search expression to include/functionssearch.inc.php...

6.1CVSS5.9AI score0.00362EPSS

RedhatCVE•added 2026/01/09 9:50 a.m.•5 views

CVE-2020-24627

A remote stored xss vulnerability was discovered in HPE KVM IP Console Switches versions: G2 4x1Ex32 Prior to 2.8.3...

5.4CVSS6.7AI score0.00343EPSS

RedhatCVE•added 2026/01/07 9:16 a.m.•11 views

CVE-2025-1802

The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘markertitle’, 'notificationcontent', and 'sttbuttontext' parameters in all versions up to, and including, 2.8.3 due to insufficient input sanitization and output escaping. This...

6.4CVSS6AI score0.00251EPSS