Lucene search
K

30 matches found

OSSF Malicious Packages
OSSF Malicious Packages
added 6 days ago7 views

Malicious code in crypto-promiser (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 25594e7865a7525aebefd2f1fcc8060f144bf202b1986875e1cfd95564f66e88 [email protected] is a typosquat of the legitimate crypto-promise package that ships a dropper in its lifecycle scripts. The declared postinstall...

6.6AI score
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2026/06/26 12:0 a.m.11 views

SUSE SLED15 / SLES15 Security Update : python-PyJWT (SUSE-SU-2026:2626-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2626-1 advisory. This update for python-PyJWT fixes the following issues - CVE-2026-48522: PyJWKClient passes URI arguments...

7.4CVSS5.8AI score0.00394EPSS
Exploits4References16
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/17 4:20 a.m.11 views

Malicious code in node-path-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 180db640dc8207694eb4629834f74b740d7efc9febf26067d190e10656fe04e9 Package name node-path-utils and its README/description claim it is 'an exact copy of the NodeJS path module', impersonating the Node.js core path...

6.1AI score
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/16 10:17 p.m.12 views

Malicious code in mci-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1ae26c09350fdf9fb630e382c71dd730583ba1822122d232cde49a259597264f On npm install, mci-sdk runs the postinstall hook node./src/exec.js, which imports mci from src/core/index.js and invokes it at module top level. The...

6.6AI score
Exploits0References7
OSV
OSV
added 2026/06/13 8:13 p.m.16 views

MAL-2026-5743 Malicious code in environment-gate (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 80dc74c6c5240e9c146e476300b44582cc114cf1827319ba81d2bcae2d64c2cf index.js contains a commented-out line that, if uncommented, would base64-decode the URL https://www.jsonkeeper.com/b/VKUNI, fetch its contents via...

6.2AI score
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/11 5:11 a.m.29 views

Malicious code in fastify-addon (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3cb91c825be697244f8ff069bb56e79aff3b90de7b9947019095b6d0fa2fd270 fastify-addon is a typosquat of the legitimate fastify-plugin package. Its package.json sets repository, bugs, and homepage to...

5.5AI score
Exploits0References1
OSV
OSV
added 2026/06/11 5:11 a.m.32 views

MAL-2026-5566 Malicious code in fastify-addon (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3cb91c825be697244f8ff069bb56e79aff3b90de7b9947019095b6d0fa2fd270 fastify-addon is a typosquat of the legitimate fastify-plugin package. Its package.json sets repository, bugs, and homepage to...

5.5AI score
Exploits0References1
OSV
OSV
added 2026/05/28 4:16 p.m.8 views

PYSEC-2026-178

PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option "b64": false, RFC 7797, PyJWT performs Base64URL decoding of the compact-serialization payload segment before enforcing the detached-payload rules. For...

5.3CVSS5.8AI score0.00288EPSS
Exploits1References1
OSV
OSV
added 2026/05/25 3:7 p.m.17 views

MAL-2026-4728 Malicious code in web-dotenv (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector edd19476eeb1c31707abe6fac6f52dbd1950a0dc25f4854ea5269d6400f8ea37 web-dotenv impersonates the widely-used dotenv package: its package.json copies dotenv's repository git://github.com/motdotla/dotenv.git and homepage...

5.7AI score
Exploits0References2
OSV
OSV
added 2026/05/25 9:58 a.m.14 views

MAL-2026-4491 Malicious code in authcascade (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8fece3d89e066c6c3452fda608e77747b7d4fa4cbbf6498fd41e5a5a765d57d9 On require'authcascade', the package's main entry pino.js loads lib/writer.js which a builds a data object containing the full process.env, OS...

6.5AI score
Exploits0References3
NVD
NVD
added 2026/03/20 5:16 a.m.8 views

CVE-2026-33024

AVideo is a video-sharing Platform. Versions prior to 8.0 contain a Server-Side Request Forgery vulnerability CWE-918 in the public thumbnail endpoints getImage.php and getImageMP4.php. Both endpoints accept a base64Url GET parameter, base64-decode it, and pass the resulting URL to ffmpeg as an...

9.3CVSS0.00438EPSS
Exploits0References2
OSV
OSV
added 2026/03/20 4:58 a.m.5 views

CVE-2026-33024 AVideo-Encoder has Unauthenticated Blind Server-Side Request Forgery via Public Thumbnail Generator

AVideo is a video-sharing Platform. Versions prior to 8.0 contain a Server-Side Request Forgery vulnerability CWE-918 in the public thumbnail endpoints getImage.php and getImageMP4.php. Both endpoints accept a base64Url GET parameter, base64-decode it, and pass the resulting URL to ffmpeg as an...

9.3CVSS5.7AI score0.00438EPSS
Exploits0References4
Packet Storm
Packet Storm
added 2026/03/19 12:0 a.m.158 views

📄 AVideo getImage.php Unauthenticated Command Injection

This Metasploit module exploits an unauthenticated OS command injection vulnerability in the AVideo encoder getImage.php endpoint. This affects versions prior to 7.0. The base64Url GET parameter is base64-decoded and injected directly into an ffmpeg shell command within double quotes, without any...

9.8CVSS5.8AI score0.02132EPSS
Exploits2
Snyk
Snyk
added 2026/03/10 6:41 p.m.5 views

Out-of-bounds Read

Overview Affected versions of this package are vulnerable to Out-of-bounds Read when decoding malformed Base64Url input. An attacker can cause a disruption of service. Remediation Upgrade Microsoft.NETCore.App.Runtime.linux-arm64 to version 9.0.14, 10.0.4 or higher. References - GitHub Commit -...

8.7CVSS5.8AI score0.02049EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/10 6:41 p.m.7 views

Out-of-bounds Read

Overview Affected versions of this package are vulnerable to Out-of-bounds Read when decoding malformed Base64Url input. An attacker can cause a disruption of service. Remediation Upgrade Microsoft.NETCore.App.Runtime.win-x86 to version 9.0.14, 10.0.4 or higher. References - GitHub Commit - GitHu...

8.7CVSS5.8AI score0.02049EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/10 6:41 p.m.8 views

Out-of-bounds Read

Overview Affected versions of this package are vulnerable to Out-of-bounds Read when decoding malformed Base64Url input. An attacker can cause a disruption of service. Remediation Upgrade Microsoft.NETCore.App.Runtime.linux-musl-x64 to version 9.0.14, 10.0.4 or higher. References - GitHub Commit ...

8.7CVSS5.8AI score0.02049EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/03/07 7:59 a.m.5 views

CVE-2026-29058

AVideo is a video-sharing Platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration e.g., configuration...

9.8CVSS6AI score0.02132EPSS
Exploits2References1
EUVD
EUVD
added 2025/10/07 12:30 a.m.9 views

EUVD-2015-8475

Malware in sbrugna...

7.4CVSS7.5AI score0.0192EPSS
Exploits1References4
EUVD
EUVD
added 2025/10/07 12:30 a.m.10 views

EUVD-2005-0457

Malware in sbrugna...

5CVSS6.1AI score0.03403EPSS
Exploits0References7
Github Security Blog
Github Security Blog
added 2025/09/22 9:9 p.m.9 views

Mesh Connect JS SDK Vulnerable to Cross Site Scripting via createLink.openLink

Summary The lack of sanitization of URLs protocols in the createLink.openLink function enables the execution of arbitrary JavaScript code within the context of the parent page. Details...

8.2CVSS7.3AI score0.00438EPSS
Exploits0References6Affected Software1
Rows per page
Query Builder