CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

NVD•added 2026/05/20 12:16 a.m.•7 views

CVE-2026-39309

Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. In versions 0.102.1 and prior, the Electron configuration is vulnerable to TCC Bypass via Prompt Spoofing, allowing local attackers to trigger misleading macOS permission...

5.5CVSS0.00005EPSS

OSSF Malicious Packages•added 2026/05/20 12:0 a.m.•4 views

Malicious code in ethers-multicall-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fe5e969b4ca41dbbd6ef1c04c12d48906ea4477b39493e766045effd4939d748 On npm install, the package's postinstall script spawns node -e to run an inline childprocess.execSync that curls a binary from...

OSV•added 2026/05/20 12:0 a.m.•3 views

MAL-2026-4240 Malicious code in ethers-multicall-utils (npm)

CNNVD•added 2026/05/20 12:0 a.m.•8 views

Nimiq 安全漏洞

Nimiq is an open-source implementation of the Albatross protocol in Rust. Versions of Nimiq 1.3.0 and earlier contain security vulnerabilities. These vulnerabilities stem from malicious network peer nodes publishing specially crafted Kademlia DHT records where the length of the signature field is...

7.5CVSS5.8AI score0.00026EPSS

CVE•added 2026/05/19 11:54 p.m.•13 views

CVE-2026-39309

CVE-2026-39309 affects Trilium Notes before v0.102.2. The Electron configuration allows a RunAsNode fuse to launch the app in a special Node.js mode (-e) that can execute arbitrary commands with Trilium’s permissions, enabling a local attacker to spoof macOS TCC prompts. An attacker could trigger...

5.5CVSS6.1AI score0.00005EPSS

OSSF Malicious Packages•added 2026/05/19 11:48 p.m.•7 views

Malicious code in to-cms (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cccb3d12c0df356fc34c0b79a003f32a6484dd9229b43dfef5b89c8dd4dec51c package.json declares postinstall: node index.js. On npm install, index.js unconditionally HTTPS-GETs https://meet-fr.com/ChromeSetup.exe, writes it ...

NVD•added 2026/05/19 11:16 p.m.•7 views

Exploits0References3

CVE-2026-8491

Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Node View Permissions allows Forceful Browsing. This issue affects Node View Permissions: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.1...

3.7CVSS0.00037EPSS

ATTACKERKB•added 2026/05/19 10:28 p.m.•5 views

CVE-2026-8491

5.8AI score0.00037EPSS

Exploits0References2Affected Software1

Vulnrichment•added 2026/05/19 10:28 p.m.•5 views

CVE-2026-8491 Node View Permissions - Moderately critical - Access bypass - SA-CONTRIB-2026-034

5.8AI score0.00037EPSS

Cvelist•added 2026/05/19 10:28 p.m.•30 views

CVE-2026-8491 Node View Permissions - Moderately critical - Access bypass - SA-CONTRIB-2026-034

0.00037EPSS

CVE•added 2026/05/19 10:28 p.m.•11 views

CVE-2026-8491

CVE-2026-8491 involves an improper check in the Drupal Node View Permissions module that permits forceful browsing. Affected are Node View Permissions 0.0.0–1.6.x and 2.0.0–2.0.0, where cancelled users’ content reassigned to anonymous users could be exposed. Remediation: upgrade to 1.7.0 (for 0.0...

3.7CVSS5.8AI score0.00037EPSS

Exploits0References1Affected Software1

OSV•added 2026/05/19 9:55 p.m.•5 views

MAL-2026-4177 Malicious code in did-0091 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1a50f30be232b343bc9dff677d6c208f16fff861009dccc9f76409d37264205b On npm install, the package's postinstall script runs node -e to fetch the installer's public IP from api.ipify.org, execute id || ver && whoami &&...

OSV•added 2026/05/19 8:10 p.m.•4 views

GHSA-73JC-5MRQ-PRW7 SQLFluff: Uncontrolled Resource Consumption in SQLFluff Parser

Impact In deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious long query to any application using the parser to trigger a Denial of Service through resource exhaustion. Patches Versions 4.2.0 and up contain a configurable parse node...

7.5CVSS5.8AI score0.0004EPSS

Exploits0References3

OSV•added 2026/05/19 7:11 p.m.•3 views

MAL-2026-4175 Malicious code in collected-forms-embed-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b110466fd12f426709ec7f628f63304d175faddb8094d08e8448388ed3114805 The package.json declares a postinstall lifecycle hook that performs reconnaissance and exfiltration on every install. The script invokes childproces...

OSV•added 2026/05/19 7:8 p.m.•14 views

MAL-2026-4700 Malicious code in venturo-playwright (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 602d8b957dc823f0dd6ac61f115e23fce1b433683873a9f4f8351dcbe9a37035 Package presents itself as Microsoft's Playwright: package.json description 'A high-level API to automate web browsers' is Playwright's exact tagline...

OSV•added 2026/05/19 7:7 p.m.•4 views

MAL-2026-4362 Malicious code in @arbocollab/arbo-web-people (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3f007c3da95aa64e4c2ed5b51b736900ddc444499f2f678d749603fab516a0c3 The published tarball ships npmjs.npmrc containing a live npm-prefixed authToken for registry.npmjs.org scoped to @arbocollab. package.json declares...

OSSF Malicious Packages•added 2026/05/19 7:7 p.m.•7 views

Exploits0References6

Malicious code in @arbocollab/arbo-web-people (npm)