CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

354 matches found

WordPress WPC Product Bundles for WooCommerce plugin <= 8.5.3 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Jakub Herman in WordPress Plugin WPC Product Bundles for WooCommerce versions = 8.5.3...

5.8AI score

Exploits0Affected Software1

OSSF Malicious Packages•added 2026/05/21 12:0 a.m.•3 views

Malicious code in polymarket-ai-agent (npm)

A coordinated supply-chain attack comprising 9 npm packages published by maintainer polymarketdev GitHub actor texsellix, repo texsellix/polymarket-trading-bot within a 2-minute window on 2026-05-20T23:30Z–23:32Z. All packages masquerade as legitimate Polymarket CLOB trading tools while...

5.8AI score

Exploits0References1

OSSF Malicious Packages•added 2026/05/20 7:12 p.m.•4 views

Malicious code in @saidddddddddd/somethingelse (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 10c6c962a47a7992e9b415754433ca28aec0b867273e477fdc76acc96688554d Package ships multiple multi-file randomly-named JavaScript bundles at the tarball root dist/0wj8nina9p.js, dist/g2gldlcg6a.js, dist/k72k75nqjc.js,...

5.9AI score

Exploits0References1

OSV•added 2026/05/20 7:12 p.m.•5 views

MAL-2026-4430 Malicious code in @saidddddddddd/somethingelse (npm)

5.9AI score

Exploits0References1

Github Security Blog•added 2026/04/27 9:31 p.m.•2 views

Spring Boot's Elasticsearch auto-configuration doesn't perform hostname verification when connecting to the Elasticsearch server.

When configured to use an SSL bundle, Spring Boot's Elasticsearch auto-configuration does not perform hostname verification when connecting to the Elasticsearch server. Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory...

6.8CVSS5.8AI score0.00029EPSS

Exploits0References4Affected Software1

NVD•added 2026/04/21 10:16 p.m.•1 views

CVE-2026-40944

Oxia is a metadata store and coordination system. Prior to 0.16.2, the trustedCertPool function in the TLS configuration only parses the first PEM block from CA certificate files. When a CA bundle contains multiple certificates e.g., intermediate + root CA, only the first certificate is loaded...

6.9CVSS0.00033EPSS

Exploits0References1

ATTACKERKB•added 2026/04/21 9:14 p.m.•1 views

CVE-2026-40944

6.9CVSS5.8AI score0.00033EPSS

Exploits0References2Affected Software1

EUVD•added 2026/04/21 9:14 p.m.•1 views

EUVD-2026-24509

6.9CVSS5.8AI score0.00033EPSS

Exploits0References1

Vulnrichment•added 2026/04/21 9:14 p.m.•1 views

CVE-2026-40944 Oxia: TLS CA certificate chain validation fails with multi-certificate PEM bundles

6.9CVSS5.8AI score0.00033EPSS

Exploits0References1

CVE•added 2026/04/21 9:14 p.m.•5 views

CVE-2026-40944

Summary: CVE-2026-40944 affects Oxia, a metadata store and coordination system. Before 0.16.2, the TLS trustedCertPool() configuration only loads the first PEM block from CA bundles; when multiple certificates (e.g., intermediate + root) are present, the chain is not fully validated for mTLS. Thi...

6.9CVSS5.8AI score0.00033EPSS

Exploits0References1

SUSE CVE•added 2026/04/10 11:25 p.m.•3 views

SUSE CVE-2026-39395

Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and detached signatures,...

6.5CVSS5.8AI score0.00042EPSS

Exploits0References3

NVD•added 2026/04/10 5:17 p.m.•1 views

CVE-2026-40157

PraisonAI is a multi-agent teams system. Prior to 4.5.128, cmdunpack in the recipe CLI extracts .praison tar archives using raw tar.extract without validating archive member paths. A .praison bundle containing ../../ entries will write files outside the intended output directory. An attacker who...

9.4CVSS0.00084EPSS

Exploits1References1

Vulnrichment•added 2026/04/09 9:22 p.m.•3 views

CVE-2026-40148 PraisonAI Affected by Decompression Bomb DoS via Recipe Bundle Extraction Without Size Limits

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the safeextractall function in PraisonAI's recipe registry validates archive members against path traversal attacks but performs no checks on individual member sizes, cumulative extracted size, or member count before calling tar.extractal...

6.5CVSS5.8AI score0.00054EPSS

Exploits1References1

NVD•added 2026/04/08 5:16 a.m.•2 views

CVE-2026-4785

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'buttoncaption' parameter in the latepointresources shortcode in versions up to and including 5.3.0. This is due to insufficient output escaping when the...

6.4CVSS0.00015EPSS

Exploits0References6

Cvelist•added 2026/04/08 3:36 a.m.•21 views

CVE-2026-4785 LatePoint <= 5.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4CVSS0.00015EPSS

Exploits0References6

Vulnrichment•added 2026/04/08 3:36 a.m.•1 views

CVE-2026-4785 LatePoint <= 5.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4CVSS6.1AI score0.00015EPSS

Exploits0References6

EUVD•added 2026/04/08 12:15 a.m.•2 views

EUVD-2026-19919

Cosign's verify-blob-attestation reports false positive when payload parsing fails...

4.3CVSS5.9AI score0.00042EPSS

Exploits0References2

OSV•added 2026/04/08 12:15 a.m.•1 views

GHSA-W6C6-C85G-MMV6 Cosign's verify-blob-attestation reports false positive when payload parsing fails

Description cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and detached signatures, this was due to a logic flaw in the error handling of the predicate type validation. For...

4.3CVSS5.8AI score0.00042EPSS

Exploits0References3