CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSV•added 2026/05/22 2:5 p.m.•11 views

USN-8277-2 linux-oracle-6.17 vulnerabilities

It was discovered that the Linux kernel algifaead module did not properly handle in-place cryptographic operations. This flaw is known as Copy Fail. A local attacker could use this to escalate privileges, or possibly escape a container. CVE-2026-31431 Several security issues were discovered in th...

9.8CVSS7AI score0.02194EPSS

Exploits226References21

OSV•added 2026/05/22 1:52 p.m.•3 views

MAL-2026-4633 Malicious code in osep-api-hub-service-client-v1 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cd131719d20e013a4627e1ea402ffc26135d66a5d6dd35669b8a3a6fb85e5f76 package.json declares "preinstall": "node index.js", causing index.js to run automatically on npm install. index.js collects host identifiers —...

Snyk•added 2026/05/22 1:44 p.m.•10 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via the API response process. An attacker can access sensitive information about team member roles by invoking various team API endpoints without having elevated permissions. Remediation Upgrade...

5.3CVSS5.8AI score0.00026EPSS

Snyk•added 2026/05/22 1:44 p.m.•8 views

Incorrect Authorization

Overview github.com/mattermost/mattermost/server/v8/channels/api4 is a platform for secure collaboration across the entire software development lifecycle Affected versions of this package are vulnerable to Incorrect Authorization via the API response process. An attacker can access sensitive...

5.3CVSS5.8AI score0.00026EPSS

Snyk•added 2026/05/22 1:44 p.m.•8 views

Incorrect Authorization

5.3CVSS5.8AI score0.00026EPSS

NVD•added 2026/05/22 11:16 a.m.•6 views

CVE-2026-4646

Mattermost versions 11.6.x = 11.6.0, 11.5.x = 11.5.3, 11.4.x = 11.4.4, 10.11.x = 10.11.14 fail to validate user-supplied input in API request handlers which allows an authenticated attacker to crash the plugin process via a crafted HTTP request to the PR details endpoint.. Mattermost Advisory ID:...

4.3CVSS0.00069EPSS

Vulnrichment•added 2026/05/22 10:27 a.m.•6 views

CVE-2026-3473 Improper file ownership validation in the Boards API allows unauthorised file access

Mattermost versions 11.6.x = 11.6.0, 11.5.x = 11.5.3, 11.4.x = 11.4.4, 10.11.x = 10.11.14 fail to validate file ownership and access control, which allows an authenticated user to access and download files belonging to other users or teams via crafted Boards API requests using valid file IDs...

5.9CVSS5.8AI score0.00033EPSS

EUVD•added 2026/05/22 10:27 a.m.•9 views

EUVD-2026-31429

7.1CVSS5.8AI score0.00033EPSS

CVE•added 2026/05/22 10:27 a.m.•13 views

CVE-2026-3473

CVE-2026-3473 affects Mattermost prior to fixed versions: 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, and 10.11.x

7.1CVSS5.8AI score0.00033EPSS

Exploits0References1Affected Software1

Cvelist•added 2026/05/22 10:27 a.m.•37 views

CVE-2026-3473 Improper file ownership validation in the Boards API allows unauthorised file access

5.9CVSS0.00033EPSS

Vulnrichment•added 2026/05/22 10:25 a.m.•3 views

CVE-2026-4646 Insufficient input validation in GitHub plugin API causes denial of service

4.3CVSS5.8AI score0.00069EPSS

Vulnrichment•added 2026/05/22 10:23 a.m.•10 views

CVE-2026-3636 Sanitize team member data returned by API

Mattermost versions 11.6.x = 11.6.0, 11.5.x = 11.5.3, 11.4.x = 11.4.4, 10.11.x = 10.11.14 fail to sanitize team member data when returned via API to users without elevated permissions which allows a user without permissions to get data about team members roles via invoking various team API...

4.3CVSS5.8AI score0.00026EPSS

CVE•added 2026/05/22 10:23 a.m.•13 views

CVE-2026-3636

Mattermost CVE-2026-3636 affects versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, and 10.11.x

4.3CVSS5.8AI score0.00026EPSS

Exploits0References1Affected Software1

OSSF Malicious Packages•added 2026/05/22 9:56 a.m.•7 views

Malicious code in @thebros/create-benjamin (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 53fb816939bb505cdabc374418983428298b09a29e5789033943301642b8b156 The package tarball ships a .env file containing a live-looking OpenAI API key OPENAIAPIKEY=sk-proj-.... The CLI entry point bin/index.js calls impor...

OSSF Malicious Packages•added 2026/05/22 8:31 a.m.•6 views

Malicious code in kurumi-fca (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f90450e6ca1502bf6287d945c37c4c64f59e624a4269ab8e07600a9db5e755d0 kurumi-fca is a Facebook Chat API library whose advertised purpose is to listen to Messenger events for the caller. Two undisclosed behaviors make it...

The Hacker News•added 2026/05/22 5:36 a.m.•11 views

Cisco Patches CVSS 10.0 Secure Workload REST API Flaw Enabling Data Access

Cisco has rolled out updates for a maximum-severity security flaw impacting Secure Workload that could allow an unauthenticated, remote attacker to access sensitive data. Tracked as CVE-2026-20223 CVSS score: 10.0, the vulnerability arises from insufficient validation and authentication when...

10CVSS5.9AI score0.00064EPSS

Exploits1

OSV•added 2026/05/22 4:35 a.m.•3 views

MAL-2026-4363 Malicious code in @asura21232/fca-unofficial-nextgen (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 30540a72a722c901403164aeb090ca99999d3be2cc4d9e9f3ad99ef319fc2db2 This package presents itself as an unofficial Facebook Messenger client library, but its exported authentication helpers loginViaAPI, tokensViaAPI,...