Zoho ManageEngine - getUserAPIKey Authentication Bypass
Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27 through 2022-07-28 125657, 126002, 126104, and 126118 allow unauthenticated attackers to obtain a user's API key, and then access external...
CVE-2026-6964 Video Conferencing with Zoom <= 4.6.7 - Missing Authorization to Unauthenticated Zoom SDK Credential Exposure via 'get_auth' AJAX Action
The Video Conferencing with Zoom plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.6.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to obtain...
CVE-2026-9722
The Laiser Tag plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.5. This is due to missing or incorrect nonce validation on the addOptionsPageFields function. This makes it possible for unauthenticated attackers to update the plugin's...
EUVD-2026-32014
OpenTelemetry.Exporter.Instana exports telemetry to the Instana backend. Prior to 1.1.0, the OpenTelemetry.Exporter.Instana NuGet package does not validate HTTPS/TLS certificates when sending telemetry to a configured Instana back-end when a proxy is configured using the...
CVE-2026-44213
The CVE affects the OpenTelemetry.Exporter.Instana NuGet package. Before version 1.1.0, when INSTANA_ENDPOINT_PROXY is set, the Transport.ConfigureBackendClient() code creates an HttpClient that disables TLS certificate validation, allowing a network attacker to perform a MitM on the proxy and re...
CVE-2026-44213
OpenTelemetry.Exporter.Instana exports telemetry to the Instana backend. Prior to 1.1.0, the OpenTelemetry.Exporter.Instana NuGet package does not validate HTTPS/TLS certificates when sending telemetry to a configured Instana back-end when a proxy is configured using the...
MAL-2026-4454 Malicious code in @taskd/maritime-email-processor (npm)
Source: amazon-inspector 6a5aef29b4050fca18dd803428274de6072ff7412ecd134bd68dcc1f5e8fa150 The package's sole exported function emailProcessor in dist/index.mjs POSTs to a hardcoded endpoint https://job-api.alex-c92.workers.dev, sending the...
Malicious code in @jemavidev/betteragents-pi (npm)
Source: amazon-inspector 3b6e1a3902ad5cc75204b7a6eea3727c6a6c31797d7cfd7a0cd12a64892887bd The package brands itself as an OpenRouter LLM extension and instructs users to obtain a key with the canonical sk-or-v1- prefix from...
Malicious code in cloud-pc-templates (npm)
Source: amazon-inspector 044178c5b07f16ba0681f534724c7bcac3c8f39832484c7a3ac51d43a69cd803 The ai login CLI subcommands loginMode huggingface, ollamacloud, ollamalocal each download a proxy script from a mutable refs/heads/main branch of a...
Malicious code in @aiscene/aiserver (npm)
Source: amazon-inspector 5afe7de709fb18909451ff49a02f133f248fb0dc0688709251c924038effc6dc On load, dist/index.js unconditionally instantiates new AIServer and calls server.start at module top level (no require.main === module guard), so simp...
SUSE CVE-2026-41487
Langfuse is an open source large language model engineering platform. From version 3.68.0 to before version 3.167.0, there is a role-based-access control flaw in the LLM connection update flow. An authenticated, low-privileged user of role “member” in a project could request the update of an...
EUVD-2026-29137
OpenClaw versions 2026.4.5 before 2026.4.20 contain an environment variable injection vulnerability allowing workspace dotenv to override MINIMAX_API_HOST. Attackers can redirect credentialed MiniMax API requests to attacker-controlled origins, exposing the MiniMax API key in Authorization headers...
CVE-2026-44992
OpenClaw versions 2026.4.5 before 2026.4.20 contain an environment variable injection vulnerability allowing workspace dotenv to override MINIMAX_API_HOST. Attackers can redirect credentialed MiniMax API requests to attacker-controlled origins, exposing the MiniMax API key in Authorization headers...
CVE-2026-44992 OpenClaw 2026.4.5 through 2026.4.19 - MiniMax API Host Override via Workspace dotenv
OpenClaw versions 2026.4.5 before 2026.4.20 contain an environment variable injection vulnerability allowing workspace dotenv to override MINIMAX_API_HOST. Attackers can redirect credentialed MiniMax API requests to attacker-controlled origins, exposing the MiniMax API key in Authorization headers...
PT-2026-39681
OpenClaw versions 2026.4.5 before 2026.4.20 contain an environment variable injection vulnerability allowing workspace dotenv to override MINIMAX_API_HOST. Attackers can redirect credentialed MiniMax API requests to attacker-controlled origins, exposing the MiniMax API key in Authorization header...
OpenTelemetry.Exporter.Instana bypasses TLS certificate validation when a proxy is configured
Summary: The OpenTelemetry.Exporter.Instana NuGet package does not validate HTTPS/TLS certificates when sending telemetry to a configured Instana back-end when a proxy is configured using the INSTANA_ENDPOINT_PROXY environment variable. If a network attacker can Man-in-the-Middle (MitM) the...
CVE-2026-41487
Langfuse is an open source large language model engineering platform. From version 3.68.0 to before version 3.167.0, there is a role-based-access control flaw in the LLM connection update flow. An authenticated, low-privileged user of role “member” in a project could request the update of an...
PT-2026-39240
Name of the Vulnerable Software and Affected Versions: OpenTelemetry.Exporter.Instana (affected versions not specified). Description: The OpenTelemetry.Exporter.Instana NuGet package fails to validate HTTPS/TLS certificates when sending telemetry to an Instana back-end if a proxy is configured via the...
OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests
Affected Packages / Versions: Package: openclaw (npm); Affected versions: >= 2026.4.5, < 2026.4.20; Patched version: 2026.4.20. Impact: A malicious workspace .env could set MINIMAX_API_HOST and redirect credentialed MiniMax requests to an attacker-controlled origin, exposing the MiniMax API key in the...
CVE-2026-40293
OpenFGA is an authorization/permission engine built for developers. In versions 0.1.4 through 1.13.1, when OpenFGA is configured to use preshared-key authentication with the built-in playground enabled, the local server includes the preshared API key in the HTML response of the /playground...