Lucene search
+L

1459 matches found

OSV
OSV
added 2026/05/26 1:30 p.m.4 views

GHSA-29PF-2H5F-8G72 HuggingFace transformers vulnerable to remote code execution

A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5.3.0. The vulnerability allows an attacker to craft a malicious config.json file containing the attnimplementationinternal field set to an attacker-controlled HuggingFac...

7.8CVSS7.8AI score0.00479EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/05/26 12:0 a.m.19 views

PT-2026-44374

Name of the Vulnerable Software and Affected Versions Notepad++ versions prior to 8.9.6.1 Description Multiple issues exist in the software, including a buffer over-read in the inter-process communication mechanism that can lead to a denial of service. Additionally, remote code execution is...

5CVSS6.6AI score0.00258EPSS
Exploits2References20
Snyk
Snyk
added 2026/05/24 3:54 p.m.24 views

Deserialization of Untrusted Data

Overview transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to unsafe deserialization of model configuration files, an attacker can craft a malicious config.json file...

8.5CVSS7.2AI score0.00479EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/05/24 1:40 p.m.12 views

CVE-2026-4372

A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5.3.0. The vulnerability allows an attacker to craft a malicious config.json file containing the attnimplementationinternal field set to an attacker-controlled HuggingFac...

7.8CVSS7.8AI score0.00479EPSS
Exploits1References3
CNNVD
CNNVD
added 2026/05/24 12:0 a.m.11 views

Hugging Face Transformers 安全漏洞

Hugging Face Transformers is an open-source framework developed by Hugging Face for defining state-of-the-art machine learning models. It covers text, visual, audio, and multimodal models, and can be used for both inference and training. Prior versions of Hugging Face Transformers, such as 5.3.0,...

7.8CVSS7.5AI score0.00479EPSS
Exploits1References2
OSV
OSV
added 2026/05/21 4:24 p.m.10 views

RLSA-2025:3367 Important: grub2 security update

The grub2 packages provide version 2 of the Grand Unified Boot Loader GRUB, a highly configurable and customizable boot loader with modular architecture. The packages support a variety of kernel formats, file systems, computer architectures, and hardware devices. Security Fixes: grub2: net:...

7.6CVSS6.8AI score0.01373EPSS
Exploits0References2
Wordfence Blog
Wordfence Blog
added 2026/05/20 10:4 p.m.9 views

How a Webmail Log File Became a Root-Level Backdoor

THREAT ANALYSIS May 2026 · Forensic Case Study A forensic breakdown of how an attacker turned CyberPanel's SnappyMail logging into a persistent webshell that survived every WordPress cleanup attempt. A WordPress site owner reported redirect malware on their site. They found that clicking anywhere...

6.2AI score
Exploits0
OSV
OSV
added 2026/05/20 9:43 a.m.14 views

MAL-2026-4574 Malicious code in gm-kilo (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b4a35ea8669a2b02f60117ecc483176741399084b0fbebf11900d0a89505d9fb package.json declares an install lifecycle script that runs bin/gm-kilo.js install. At install time, the script executes bun x gm-plugkit@latest spoo...

6.2AI score
Exploits0References1
Snyk
Snyk
added 2026/05/18 9:47 p.m.13 views

Incorrect Permission Assignment for Critical Resource

Overview @steipete/summarize is a Link → clean text → summary. Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource in the configuration file rewrite process. An attacker can access sensitive credentials by reading files created with overly...

6.8CVSS5.8AI score0.00137EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/05/18 7:3 p.m.9 views

CVE-2026-45246

Summarize prior to 0.15.1 contains an insecure file permission vulnerability in the refresh-free configuration rewrite path that allows local users to read sensitive credentials by exploiting default filesystem permissions. When the refresh-free path rewrites the configuration file, it creates th...

6.8CVSS5.8AI score0.00137EPSS
Exploits1References5
CVE
CVE
added 2026/05/18 7:3 p.m.16 views

CVE-2026-45246

CVE-2026-45246 describes an insecure file permission vulnerability in the refresh-free configuration rewrite path for versions prior to 0.15.1. When the path rewrites the configuration file, the replacement is created with default process umask permissions instead of preserving the original file ...

6.8CVSS5.8AI score0.00137EPSS
Exploits1References4Affected Software1
EUVD
EUVD
added 2026/05/18 12:31 a.m.16 views

EUVD-2026-30710

A flaw has been found in Kilo-Org kilocode up to 7.0.47. This issue affects the function Load of the file packages/opencode/src/config/config.ts of the component Environment Variable Handler. Executing a manipulation of the argument KILOCONFIGCONTENT can lead to information disclosure. It is...

5.3CVSS5.4AI score0.00316EPSS
Exploits1References5
Positive Technologies
Positive Technologies
added 2026/05/17 12:0 a.m.13 views

PT-2026-41552

Google Drive for WordPress 2.2 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by injecting directory traversal sequences in the file name parameter. Attackers can send POST requests to gdrive-ajaxs.php with the ajaxstype parameter set to del ...

8.7CVSS5.9AI score0.00641EPSS
Exploits0References4
OSV
OSV
added 2026/05/15 2:3 p.m.10 views

OESA-2026-2358 systemd security update

systemd is a system and service manager that runs as PID 1 and starts the rest of the system. Security Fixes: In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.CVE-2026-40226...

6.4CVSS5.8AI score0.00072EPSS
Exploits0References2
CVE
CVE
added 2026/05/15 7:46 a.m.19 views

CVE-2026-6403

The Quick Playground plugin for WordPress (up to version 1.3.3) is vulnerable to a Path Traversal flaw. The root cause is insufficient validation in the qckply_zip_theme() function, which directly appends a user-controlled 'stylesheet' parameter to the theme root directory path without sanitizing...

7.5CVSS5.9AI score0.00811EPSS
Exploits0References11
NVD
NVD
added 2026/05/12 7:16 a.m.19 views

CVE-2026-1185

A configuration file on the local file system had improper input validation which could allow code execution and potentially lead to privilege escalation. This vulnerability can only be exploited if an attacker can log in to the Axis device using SSH...

8.8CVSS0.00226EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/12 5:49 a.m.60 views

CVE-2026-1185

A configuration file on the local file system had improper input validation which could allow code execution and potentially lead to privilege escalation. This vulnerability can only be exploited if an attacker can log in to the Axis device using SSH...

5.4CVSS0.00226EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/11 8:27 p.m.11 views

CVE-2026-8193

A weakness has been identified in Akaunting 3.1.21. This issue affects some unknown processing of the file config/dompdf.php of the component Invoice PDF Rendering. Executing a manipulation can lead to server-side request forgery. The attack may be launched remotely. The exploit has been made...

6.5CVSS6.2AI score0.00206EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/11 8:25 p.m.10 views

CVE-2021-47933

WordPress MStore API 2.0.6 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to the REST API endpoint. Attackers can upload PHP files with arbitrary names to the configfile endpoint to achieve remote code...

9.8CVSS6.5AI score0.00587EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/11 12:0 a.m.6 views

CVE-2026-31254

The flash-attention project thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 2025-13-04 contains a code injection vulnerability CWE-94 in its training script. The script registers the Python eval function as a Hydra configuration resolver under the name eval. This allows configuration files t...

6.4AI score0.00247EPSS
Exploits0References2
Rows per page
Query Builder