Lucene search
K

211 matches found

OSV
OSV
added 2 days ago3 views

MAL-2026-10447 Malicious code in remarkable-table (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 464cab930bcf948abf49517f78a3ee1abb8b89c8f9c90f199bd3446c902d8e1e The package's preinstall script runs index.d.js, which reconstructs the identifier 'eval' from a character-code array 101,118,97,108 and base64-decod...

6.2AI score
Exploits0References2
CVE
CVE
added 2026/07/08 12:4 a.m.111 views

CVE-2026-59995

OpenSSH sftp (client) vulnerability CVE-2026-59995 affects OpenSSH versions older than 10.4. The issue arises when using SFTP with an attacker-controlled server and the command "sftp server:/path .", where the client does not properly constrain the location where downloaded files can be placed. T...

5.4CVSS6AI score0.00241EPSS
Exploits0References3Affected Software1
EUVD
EUVD
added 2026/07/06 7:41 p.m.5 views

EUVD-2026-41915

The OpenAI Codex desktop app for macOS rendered remote images from Markdown in model responses. An attacker who could place an indirect prompt injection in content processed by Codex, such as a connected-tool result or another untrusted source, could induce the model to construct a remote image U...

6.1AI score0.00221EPSS
Exploits0References1
The Hacker News
The Hacker News
added 2026/06/29 3:40 p.m.16 views

Malicious Perplexity Chrome Extension Intercepted Searches and Address Bar Input

Microsoft has found a malicious Chrome extension that posed as the AI search engine Perplexity and quietly logged what people searched for. It routed every query and every character typed into the address bar through an attacker-controlled server before redirecting users to real results. Microsof...

5.8AI score
Exploits0
OSV
OSV
added 2026/06/26 11:2 p.m.7 views

GHSA-39G2-8X68-PMX8 Nezha Monitoring: Stored future DDNS profile ID allows unauthorized use of another user's DDNS profile context

Summary PATCH /server/id accepts and persists nonexistent ddnsprofiles IDs for a member-owned server. If another user later creates a DDNS profile with one of those IDs, the DDNS worker resolves the stored ID and dispatches an update using the other user's DDNS profile configuration in the contex...

6.4CVSS5.8AI score0.00227EPSS
Exploits0References3
NVD
NVD
added 2026/06/25 9:16 p.m.7 views

CVE-2026-12473

Two data sources DICOMWebProxy and DICOMJSON shipped in the default configuration fetch an arbitrary URL parameter without validation. A global authentication service in OHIF automatically injects the authenticated user's OIDC Bearer token into the resulting requests, sending it to the...

8.3CVSS0.00232EPSS
Exploits0References2
OSV
OSV
added 2026/06/24 2:5 p.m.11 views

MAL-2026-6396 Malicious code in signup-embedder (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c48f398f700b78d1893db4570d5d6f16985d937ee79677aab97e673a1cf86e7e [email protected] ships preinstall.js and postinstall.js lifecycle scripts that auto-execute on npm install. preinstall.js collects...

5.8AI score
Exploits0References4
OSV
OSV
added 2026/06/23 3:24 p.m.4 views

MAL-2026-6302 Malicious code in hashd-edu (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0f8480ae1ab46f8b6f61848c271af2819d88644df8d8f36b04b458103c5d5454 The package ships a full remote-shell backdoor that fires both at install time and at module load time. postinstall.js forks itself as a detached...

6.1AI score
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/23 3:24 p.m.8 views

Malicious code in hashd-edu (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0f8480ae1ab46f8b6f61848c271af2819d88644df8d8f36b04b458103c5d5454 The package ships a full remote-shell backdoor that fires both at install time and at module load time. postinstall.js forks itself as a detached...

6.1AI score
Exploits0References2
NVD
NVD
added 2026/06/22 6:16 p.m.13 views

CVE-2026-53632

launch-editor allows users to open files with line numbers in editor from Node.js. Prior to 2.14.1, the launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the...

5.5CVSS0.00322EPSS
Exploits0References1
OSV
OSV
added 2026/06/17 6:55 p.m.7 views

MAL-2026-6069 Malicious code in @civitatis/bot-ui (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e51e58cf925eb7dd4e084a2e78e22b0a0db0f1f82663101e34110258839f98f7 The package declares "preinstall": "node index.js" in package.json, causing index.js to execute automatically on npm install. index.js requires...

5.6AI score
Exploits0References2
NVD
NVD
added 2026/06/17 1:20 p.m.20 views

CVE-2026-48745

Traccar Client is a GPS tracking mobile app for sending location updates to private servers using the open-source Traccar platform. In versions 9.7.19 and below, a single crafted deep link can silently hijack all GPS tracking parameters and redirect telemetry to an attacker-controlled server. The...

9.3CVSS0.00323EPSS
Exploits0References2
OSV
OSV
added 2026/06/16 10:19 p.m.5 views

CVE-2026-48745 Traccar Client: silent configuration hijack via unverified deep link redirects all GPS telemetry

Traccar Client is a GPS tracking mobile app for sending location updates to private servers using the open-source Traccar platform. In versions 9.7.19 and below, a single crafted deep link can silently hijack all GPS tracking parameters and redirect telemetry to an attacker-controlled server. The...

9.3CVSS5.9AI score0.00323EPSS
Exploits0References4
OSV
OSV
added 2026/06/15 6:0 p.m.12 views

MAL-2026-5798 Malicious code in @resolvx/core (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4639df1cd39850efb8106cbc5ecf3648f386c0cc5cff6c457d90f6a4d569cef0 On npm install, scripts/postinstall.js connects to a hardcoded attacker IP http://213.218.160.189:8080, fallback:80, sends a base64-encoded host...

6.4AI score
Exploits0References4
OSV
OSV
added 2026/06/12 9:4 p.m.3 views

CVE-2026-53521 Nezha Monitoring: Stored future DDNS profile ID allows unauthorized use of another user's DDNS profile context

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 2.0.14 to before version 2.1.0, PATCH /server/id accepts and persists nonexistent ddnsprofiles IDs for a member-owned server. If another user later creates a DDNS profile with one of those...

6.4CVSS5.9AI score0.00227EPSS
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/11 12:42 p.m.14 views

Malicious code in parket-slot (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6dc700128da5b494d5325086ec183ce7c746d44d88dc7f609bfb9f2eab9fa072 On npm install, the package's postinstall script node test.js auto-executes a multi-stage attack against the installer's machine. It recursively scan...

5.5AI score
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/11 7:16 a.m.19 views

Malicious code in 0x2ai-demo2 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 98ee2445b2f0b01d2457cf45c188b310f58c98f3b676032f9c6213469f071239 On npm install, scripts/postinstall.cjs recursively copies the bundled payload/ directory into INITCWD the developer's project root via fs.cpSync. Th...

5.6AI score
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/10 2:59 p.m.13 views

CVE-2026-49948

Mem0 versions through 0.2.8, fixed in commit ae7f406, contain a missing authorization vulnerability in the self-hosted server component where the POST /configure endpoint modifies global LLM provider and embedder configuration but only verifies authentication via JWT or X-API-Key without validati...

8.6CVSS5.5AI score0.0029EPSS
Exploits0References1
OSV
OSV
added 2026/06/09 5:35 p.m.9 views

MAL-2026-5407 Malicious code in @card-pci-data/store (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9a82d7b7e7588c4b773e2948eb1707e62f2fcece2bec37a23eda5d5058eae871 On npm install, the package's preinstall hook scripts.preinstall: node index.js || true runs index.js which collects host identity — os.hostname,...

5.5AI score
Exploits0References2
CNNVD
CNNVD
added 2026/06/09 12:0 a.m.15 views

mem0 安全漏洞

mem0 is an open-source benchmark tool for efficient memory algorithms developed by Mem0. Versions of mem0 prior to 0.2.8 contain security vulnerabilities. These vulnerabilities stem from a lack of authorization verification, which may cause authenticated users with an API key to redirect all LLM...

8.6CVSS5.3AI score0.0029EPSS
Exploits0References1
Rows per page
Query Builder