1151 matches found
WordPress Hummingbird <= 3.18.0 - Sensitive Information Exposure via Log File
Hummingbird Performance WordPress plugin = 3.18.0 contains a sensitive information exposure caused by improper handling in the 'request' function, letting unauthenticated attackers extract sensitive data including Cloudflare API credentials, exploit requires no authentication. id: CVE-2025-14437...
Astro Cloudflare Adapter - Server Side Request Forgery
Astro is a web framework for content-driven websites. Versions 11.0.3 through 12.6.5 are vulnerable to SSRF when using Astro's Cloudflare adapter. When configured with output: 'server' while using the default imageService: 'compile', the generated image optimization endpoint doesn't check the URL...
Malicious code in slds-lsp-client (npm)
The slds-lsp-client package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization a Salesforce SLD...
CVE-2026-56281
Capgo before 12.128.2 contains a sql injection vulnerability in the POST /private/adminstats endpoint where the limit parameter is destructured from unvalidated request body and interpolated directly into Cloudflare Analytics Engine SQL queries via template literals. An attacker with platform adm...
EUVD-2026-43229
Capgo before 12.128.2 contains a sql injection vulnerability in the POST /private/adminstats endpoint where the limit parameter is destructured from unvalidated request body and interpolated directly into Cloudflare Analytics Engine SQL queries via template literals. An attacker with platform adm...
CVE-2026-59155
Nezha Monitoring (self-hosted) had a credential exposure flaw prior to version 2.2.5. The GET endpoints /api/v1/ddns and /api/v1/notification returned full resource objects that included plaintext third-party API credentials (Cloudflare API tokens, TencentCloud SecretKeys, Slack/Discord/Telegram ...
Malicious code in cursed-ecto-d3ab00 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 49348969de68b56d680a46f67f817053621fa41a5220d8cd0bc1da720e77a5a1 The package has no legitimate functionality index.js is an empty module and exists solely to run an install-time attack payload. All four lifecycle...
Malicious code in @logdna-web/styles (npm)
The @logdna-web/styles package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization the @logdna-w...
Malicious code in enbd-react-lib (npm)
The enbd-react-lib package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization an 'enbd' interna...
Malicious code in box-react-uix (npm)
The box-react-uix package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization a 'box' internal...
Malicious code in tme-error (npm)
The tme-error package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization a 'tme' internal...
Malicious code in @flex-ng/filter-pipe (npm)
The @flex-ng/filter-pipe package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization the @flex-n...
Malicious code in @idms-corp/auth-ui (npm)
The @idms-corp/auth-ui package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization the @idms-cor...
Malicious code in ipa-user-collector (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5719ec23d0195e518782dbc26a8a05b54fd827d1ec18d41619d163f7175eaa28 The package ships an empty runtime module src/ipausercollector/init.py contains only version but overrides setup.py cmdclass for install, develop, an...
MAL-2026-6749 Malicious code in ipa-user-collector (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5719ec23d0195e518782dbc26a8a05b54fd827d1ec18d41619d163f7175eaa28 The package ships an empty runtime module src/ipausercollector/init.py contains only version but overrides setup.py cmdclass for install, develop, an...
Malicious code in haproxy-config-client (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6f86ffde45262c5d45a24458a85116ab5ca80451ce3d3159f9d7cad6599ad145 setup.py registers install, develop, and egginfo command hooks that run a routine which XOR-0x5A-decodes a list of attacker-controlled Cloudflare...
MAL-2026-6748 Malicious code in haproxy-config-client (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6f86ffde45262c5d45a24458a85116ab5ca80451ce3d3159f9d7cad6599ad145 setup.py registers install, develop, and egginfo command hooks that run a routine which XOR-0x5A-decodes a list of attacker-controlled Cloudflare...
CVE-2026-14440 Cloudflare Universal SSL automatically managed CAA RRset supersedes customer-configured CAA records
Description: To issue and renew TLS certificates on behalf of customers, Cloudflare's Universal SSL feature automatically manages the CAA RRset for the customer's zone. This auto-managed RRset is permissive by design e.g. 'issue "letsencrypt.org"' without parameters. On Universal SSL zones,...
GHSA-WW5P-J6CJ-6MQQ Nezha Dashboard: DDNS and Notification credential exposure via unredacted list API
Summary The GET /api/v1/ddns and GET /api/v1/notification endpoints return full resource objects including plaintext third-party API credentials — Cloudflare API tokens, TencentCloud SecretKeys, Slack/Discord/Telegram webhook URLs with embedded bot tokens, and Authorization header values — withou...
Malicious code in hexo-deployer-wrangler (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ebc95a6a1ae1e522feabf03446f9791372191e27ca9da454717559b6cc6948eb The package ships a binding.gyp file line 6 containing GYP command-expansion syntax !... inside the targets/sources fields. npm implicitly runs...