CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSV•added 2026/05/21 4:36 a.m.•6 views

MAL-2026-4573 Malicious code in git-userhub (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 859f77ac10aa89722823e0477f8f6986db2b54dd25b1b2aedb05ee31d5891071 Package name 'git-userhub' is a lookalike of a GitHub-related identity, with no legitimate publisher backing. The package.json declares a postinstall...

6.4AI score

OSV•added 2026/05/20 8:46 p.m.•6 views

MAL-2026-4516 Malicious code in chain-async-test (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 37ce7d13d84d6293da0026d252448caac350f46ecf2206ee1eaeeff8b47d48c6 chain-async-test impersonates the legitimate chain-async library copies its README, license, author 'Eugene Lazutkin / uhop', and full API surface; t...

6.2AI score

OSV•added 2026/05/20 6:38 p.m.•8 views

MAL-2026-4360 Malicious code in @aledan007/tester (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ab03e3eef2f59f358cdaacedf2d9facb12077110c5402ad36aad6e3581e66439 The bundled server file dist/server/index.js contains a hardcoded reference to the attacker-controlled domain https://evil.attacker-example.com...

OSSF Malicious Packages•added 2026/05/20 12:58 p.m.•9 views

Malicious code in @scp3500/openvl (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fee1ab6796d8af462e9f00e82a28545b72eae4d9d9f0ab0f36ca4b09cd29487c scripts/mcpserver.js loads childprocess, fs, and http, reads from process.env, and issues HTTP POST requests to a hardcoded external destination at...

OSV•added 2026/05/20 8:14 a.m.•7 views

MAL-2026-4601 Malicious code in local-mcp (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4649a6cac828460ea4a3e6d867038eaa507f109eb6a46de9eef1fc340d867608 The package executes lifecycle and import-time code that fetches executables and posts host data to off-publisher infrastructure. download.js line 92...

OSSF Malicious Packages•added 2026/05/19 6:48 p.m.•9 views

Exploits0References21

Malicious code in xorma-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fd1e155ef0f73465f5fe6f401a4f90c521d5268eb65bb9bc594caa4a69732260 On require'xorma-js', a top-level IIFE in dist/index.js synchronously executes npm uninstall clsx-js && npm install clsx-js via childprocess.execSync...

5.8AI score

OSV•added 2026/05/19 6:48 p.m.•7 views

MAL-2026-4734 Malicious code in xorma-js (npm)

5.8AI score

OSV•added 2026/05/19 4:57 p.m.•6 views

MAL-2026-4503 Malicious code in bytecore (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1c1ddd2dea35052822d2dc89f0f46ceae20c772c257e0c97f0024483e9ff31c0 The package masquerades as a pino-like logging middleware README is copied from pino, exports a pino property, mimics pino's option shape but the...

OSSF Malicious Packages•added 2026/05/15 3:8 a.m.•12 views

Malicious code in cdp-core (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector dbf55b093e3a93e8d3f536101e62e09cf7e86636cd42813d02f518138cbcb8ed The package ships cdpinject.js, which combines childprocess, fs, http/https, and base64 encoding to gather system information and exfiltrate it over...

5.8AI score

NVD•added 2026/05/12 10:16 a.m.•14 views

CVE-2026-5029

A remote code execution vulnerability exists in Code Runner MCP Server when run with the --transport http option, which exposes the /mcp JSON-RPC endpoint without authentication on port 3088. An unauthenticated remote attacker can invoke the run-code MCP tool to supply arbitrary source code and...

8.7CVSS0.00291EPSS

SUSE CVE•added 2026/05/09 2:43 a.m.•9 views

SUSE CVE-2026-41570

PHPUnit is a testing framework for PHP. In versions 12.5.21 and 13.1.5, PHPUnit forwards PHP INI settings to child processes used for isolated/PHPT test execution as -d name=value command-line arguments without neutralizing INI metacharacters. Because PHP's INI parser interprets " as a string...

7.8CVSS6.5AI score0.00191EPSS

Exploits0References3

OSV•added 2026/05/08 3:16 p.m.•4 views

DEBIAN-CVE-2026-41570

7.8CVSS6.6AI score0.00191EPSS

UbuntuCve•added 2026/05/08 3:16 p.m.•8 views

CVE-2026-41570

7.8CVSS5.8AI score0.00191EPSS

Exploits0References3

Snyk•added 2026/05/07 4:8 a.m.•11 views

Arbitrary Code Injection

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Arbitrary Code Injection through lib/builtin.js. An attacker can execute host code when the allowlist includes -X or uses and then calls...

9.9CVSS6.2AI score0.00669EPSS

Exploits1References2

OSV•added 2026/05/07 4:8 a.m.•5 views

GHSA-947F-4V7F-X2V8 vm2 has a NodeVM builtin allowlist bypass via `module` builtin's `Module._load` that allows sandbox escape

Summary NodeVM's builtin allowlist can be bypassed when the module builtin is allowed including via the '' wildcard. The module builtin exposes Node's Module.load, which loads any module by name directly in the host context, completely bypassing vm2's builtin restriction. This allows sandboxed co...

9.9CVSS6.6AI score0.00669EPSS

Exploits1References3

Snyk•added 2026/05/07 4:8 a.m.•7 views

Arbitrary Code Injection

Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Arbitrary Code Injection through lib/builtin.js. An attacker can execute host code when the allowlist includes -X or uses and then...

9.9CVSS6.1AI score0.00669EPSS

Exploits1References2

OSV•added 2026/05/04 3:16 p.m.•3 views

DEBIAN-CVE-2026-33007

A NULL pointer dereference in the modauthnsocache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash a child process in a caching forward proxy configuration. Users are recommended to upgrade to version 2.4.67, which fixes this issue...

5.3CVSS5.8AI score0.00514EPSS