CVE-2026-56304 picklescan - Arbitrary File Creation via logging.FileHandler Deserialization
picklescan before 1.0.1 contains an unsafe pickle deserialization vulnerability allowing unauthenticated attackers to create arbitrary zero-byte files via logging.FileHandler class instantiation. Attackers can exploit this by crafting malicious pickle payloads to bypass RCE blocklists and create...
CVE-2026-56304
CVE-2026-56304 affects picklescan versions before 1.0.1. The flaw is an unsafe pickle deserialization through the logging.FileHandler class, allowing unauthenticated attackers to craft malicious pickle payloads to create arbitrary zero-byte files. This can bypass RCE blocklists and lead to filesy...
EUVD-2026-38123 (EU Vulnerability Database entry for CVE-2026-56304; its description is identical to the CVE entry above)
MAL-2026-6239 Malicious code in atlasora-config (npm)
Source: amazon-inspector f33093da9f0bcf9358f3b00bd87e723d95267074539c72511ab58bff4172f092. The package declares a postinstall hook in package.json, "postinstall": "node install.js", that auto-executes install.js on every npm install. install....
MAL-2026-6241 Malicious code in atlasora-shared (npm)
Source: amazon-inspector e1bd49976f774ef8357d29c74bc366b851e69a611cc5894f1a59621d91f9daba. package.json declares "postinstall": "node install.js", causing install.js to run automatically on npm install. install.js requires https, fs, os, an...
MAL-2026-6237 Malicious code in atlasora-api (npm)
Source: amazon-inspector 9776899942c749b493911ca4e33c3b4967308a816e167bd3ee90c95800632f92. The package declares a postinstall hook, "postinstall": "node install.js", that runs install.js automatically on npm install. install.js imports https, fs,...
MAL-2026-6238 Malicious code in atlasora-client (npm)
Source: amazon-inspector fbd4392d81da887d2d7da24519df3a7d9341ee45e1fc091a724c4f5ede766ae5. package.json declares "postinstall": "node install.js", which runs automatically on npm install. install.js requires https, fs, os, and child_process;...
Hippoo Mobile App for WooCommerce <= 1.7.1 - Unauthenticated Arbitrary File Read
The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to and including 1.7.1 via the template_redirect function. The plugin registers 'hippooserve' as a WordPress query variable and uses it to serve PWA files from the pwa/ directory. In...
Langflow <= 1.8.4 - Path Traversal to RCE via File Upload
The application contains a path traversal vulnerability caused by an unsanitized 'filename' parameter in the 'POST /api/v2/files' multipart form data, letting attackers write files to arbitrary filesystem locations; exploitation requires a crafted request. (Nuclei template fragment: id: CVE-2026-5027, info: name: Langflow <= 1.8.4 -...)
Vanna - SQL injection
Vanna v0.3.4 is vulnerable to SQL injection in its DuckDB integration exposed to its Flask Web APIs. Attackers can inject malicious SQL training data and generate corresponding queries to write arbitrary files on the victim's file system, such as backdoor.php with contents . This can lead to...
Revive Adserver 4.2 - Remote Code Execution
Revive Adserver 4.2 is susceptible to remote code execution. An attacker can send a crafted payload to the XML-RPC invocation script and trigger the unserialize call on the "what" parameter in the "openads.spc" RPC method. This can be exploited to perform various types of attacks, e.g...
Homematic CCU3 - Local File Inclusion
eQ-3 AG Homematic CCU3 3.43.15 and earlier allows remote attackers to read arbitrary files from the device's filesystem (local file inclusion). This vulnerability can be exploited by unauthenticated attackers with access to the web interface. (Nuclei template fragment: id: CVE-2019-9726, info: name: Homematic CCU3 - Local...)
Vite Dev Server - Path Traversal in Optimized Deps .map Handling
Vite development server versions prior to 8.0.5, 7.3.2, and 6.4.2 are vulnerable to path traversal through the optimized dependencies sourcemap handler. The dev server's handling of .map requests for optimized dependencies resolves file paths via normalizePath(path.resolve(root, url.slice(1))) and call...
Apache OFBiz - XML External Entity Injection
The /webtools/control/xmlrpc endpoint in the OFBiz XML-RPC event handler is exposed to XML External Entity Injection: DOCTYPE declarations carrying entity payloads can be passed in to disclose the contents of files on the filesystem. In addition, it can also be used to probe for open network ports, and figur...