Lucene search
K

1151 matches found

Nuclei
Nuclei
added 18 hours ago16 views

WordPress Hummingbird <= 3.18.0 - Sensitive Information Exposure via Log File

Hummingbird Performance WordPress plugin = 3.18.0 contains a sensitive information exposure caused by improper handling in the 'request' function, letting unauthenticated attackers extract sensitive data including Cloudflare API credentials, exploit requires no authentication. id: CVE-2025-14437...

7.5CVSS6.1AI score0.01986EPSS
Exploits0References3
Nuclei
Nuclei
added 18 hours ago61 views

Astro Cloudflare Adapter - Server Side Request Forgery

Astro is a web framework for content-driven websites. Versions 11.0.3 through 12.6.5 are vulnerable to SSRF when using Astro's Cloudflare adapter. When configured with output: 'server' while using the default imageService: 'compile', the generated image optimization endpoint doesn't check the URL...

7.2CVSS6.1AI score0.00773EPSS
Exploits1References3
OSSF Malicious Packages
OSSF Malicious Packages
added 23 hours ago3 views

Malicious code in slds-lsp-client (npm)

The slds-lsp-client package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization a Salesforce SLD...

6.1AI score
Exploits0References2
NVD
NVD
added yesterday6 views

CVE-2026-56281

Capgo before 12.128.2 contains a sql injection vulnerability in the POST /private/adminstats endpoint where the limit parameter is destructured from unvalidated request body and interpolated directly into Cloudflare Analytics Engine SQL queries via template literals. An attacker with platform adm...

5.1CVSS
Exploits0References2
EUVD
EUVD
added yesterday7 views

EUVD-2026-43229

Capgo before 12.128.2 contains a sql injection vulnerability in the POST /private/adminstats endpoint where the limit parameter is destructured from unvalidated request body and interpolated directly into Cloudflare Analytics Engine SQL queries via template literals. An attacker with platform adm...

5.1CVSS6.1AI score
Exploits0References2
CVE
CVE
added 3 days ago9 views

CVE-2026-59155

Nezha Monitoring (self-hosted) had a credential exposure flaw prior to version 2.2.5. The GET endpoints /api/v1/ddns and /api/v1/notification returned full resource objects that included plaintext third-party API credentials (Cloudflare API tokens, TencentCloud SecretKeys, Slack/Discord/Telegram ...

6.9CVSS6.1AI score0.00304EPSS
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 4 days ago7 views

Malicious code in cursed-ecto-d3ab00 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 49348969de68b56d680a46f67f817053621fa41a5220d8cd0bc1da720e77a5a1 The package has no legitimate functionality index.js is an empty module and exists solely to run an install-time attack payload. All four lifecycle...

6AI score
Exploits0References5
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/07/06 12:0 a.m.4 views

Malicious code in @logdna-web/styles (npm)

The @logdna-web/styles package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization the @logdna-w...

6.1AI score
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/07/06 12:0 a.m.3 views

Malicious code in enbd-react-lib (npm)

The enbd-react-lib package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization an 'enbd' interna...

6.1AI score
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/07/06 12:0 a.m.3 views

Malicious code in box-react-uix (npm)

The box-react-uix package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization a 'box' internal...

6.1AI score
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/07/06 12:0 a.m.4 views

Malicious code in tme-error (npm)

The tme-error package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization a 'tme' internal...

6.1AI score
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/07/06 12:0 a.m.2 views

Malicious code in @flex-ng/filter-pipe (npm)

The @flex-ng/filter-pipe package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization the @flex-n...

6.1AI score
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/07/06 12:0 a.m.3 views

Malicious code in @idms-corp/auth-ui (npm)

The @idms-corp/auth-ui package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization the @idms-cor...

6.1AI score
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/07/03 10:45 p.m.13 views

Malicious code in ipa-user-collector (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5719ec23d0195e518782dbc26a8a05b54fd827d1ec18d41619d163f7175eaa28 The package ships an empty runtime module src/ipausercollector/init.py contains only version but overrides setup.py cmdclass for install, develop, an...

6.5AI score
Exploits0References3
OSV
OSV
added 2026/07/03 10:45 p.m.8 views

MAL-2026-6749 Malicious code in ipa-user-collector (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5719ec23d0195e518782dbc26a8a05b54fd827d1ec18d41619d163f7175eaa28 The package ships an empty runtime module src/ipausercollector/init.py contains only version but overrides setup.py cmdclass for install, develop, an...

6.5AI score
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/07/03 10:43 p.m.13 views

Malicious code in haproxy-config-client (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6f86ffde45262c5d45a24458a85116ab5ca80451ce3d3159f9d7cad6599ad145 setup.py registers install, develop, and egginfo command hooks that run a routine which XOR-0x5A-decodes a list of attacker-controlled Cloudflare...

6.2AI score
Exploits0References3
OSV
OSV
added 2026/07/03 10:43 p.m.12 views

MAL-2026-6748 Malicious code in haproxy-config-client (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6f86ffde45262c5d45a24458a85116ab5ca80451ce3d3159f9d7cad6599ad145 setup.py registers install, develop, and egginfo command hooks that run a routine which XOR-0x5A-decodes a list of attacker-controlled Cloudflare...

6.2AI score
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/07/01 10:35 p.m.11 views

CVE-2026-14440 Cloudflare Universal SSL automatically managed CAA RRset supersedes customer-configured CAA records

Description: To issue and renew TLS certificates on behalf of customers, Cloudflare's Universal SSL feature automatically manages the CAA RRset for the customer's zone. This auto-managed RRset is permissive by design e.g. 'issue "letsencrypt.org"' without parameters. On Universal SSL zones,...

7.6CVSS5.7AI score0.00135EPSS
Exploits0References4
OSV
OSV
added 2026/06/26 11:55 p.m.5 views

GHSA-WW5P-J6CJ-6MQQ Nezha Dashboard: DDNS and Notification credential exposure via unredacted list API

Summary The GET /api/v1/ddns and GET /api/v1/notification endpoints return full resource objects including plaintext third-party API credentials — Cloudflare API tokens, TencentCloud SecretKeys, Slack/Discord/Telegram webhook URLs with embedded bot tokens, and Authorization header values — withou...

6.9CVSS5.8AI score0.00304EPSS
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/26 12:22 a.m.9 views

Malicious code in hexo-deployer-wrangler (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ebc95a6a1ae1e522feabf03446f9791372191e27ca9da454717559b6cc6948eb The package ships a binding.gyp file line 6 containing GYP command-expansion syntax !... inside the targets/sources fields. npm implicitly runs...

6.4AI score
Exploits0References2
Rows per page
Query Builder