CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

7486 matches found

Nuclei•added 2026/06/16 7:13 a.m.•185 views

Confluence Server - Remote Code Execution

Confluence Server and Data Center contain an OGNL injection vulnerability that could allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version...

9.8CVSS8.5AI score0.99999EPSS

Exploits45References5

Nuclei•added 2026/06/16 7:13 a.m.•60 views

Apache Log4j2 Remote Code Injection

Apache Log4j2 =2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when...

10CVSS8AI score0.99999EPSS

Exploits346References5

Nuclei•added 2026/06/16 7:13 a.m.•55 views

Atlassian Bitbucket - Remote Command Injection

Atlassian Bitbucket Server and Data Center is susceptible to remote command injection. Multiple API endpoints can allow an attacker with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request, thus making it possible to obtain...

8.8CVSS9AI score0.99174EPSS

Exploits24References5

OSV•added 2026/06/16 4:24 a.m.•8 views

MAL-2026-5863 Malicious code in @ts-internal/shared-lib (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7afc836ea4b9ecc7e09f0add976470f1b4e253f8b5b53b3ce706889efb349171 The package squats the internal-looking scope @ts-internal/shared-lib on the public npm registry and runs a network beacon both during install...

5.5AI score

Exploits0References1

OSSF Malicious Packages•added 2026/06/16 4:24 a.m.•9 views

Malicious code in @ts-internal/shared-lib (npm)

5.4AI score

Exploits0References1

OSV•added 2026/06/16 2:14 a.m.•5 views

MAL-2026-5857 Malicious code in event-metrics-q3x7 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9b805c0ac88b45f49b1698fb9ea33e00767380544221d574a0da0e0f526d07f8 On install, package.json runs a postinstall hook node run.js that triggers beacon scripts beacon20.js, beaconlinux.js shipped in the tarball. The...

5.4AI score

Exploits0References9

OSV•added 2026/06/16 1:34 a.m.•2 views

MAL-2026-5858 Malicious code in metrics-pipeline-d8k2 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 01ad2ee3d3807102a3f02c01af0d3fec46d91e9764eb77a8bcedf9c6be7fc3b0 Package declares "postinstall": "node run.js" in package.json, causing automatic execution of bundled beacon scripts on npm install. beacon29.js load...

5.8AI score

Exploits0References22

Positive Technologies•added 2026/06/16 12:0 a.m.•9 views

PT-2026-49620

The Abandoned Contact Form 7 plugin for WordPress is vulnerable to unauthorized arbitrary post deletion in versions up to, and including, 2.2. This is due to a missing capability check and missing nonce validation in the action remove abandoned function, which is registered to both the wp ajax...

5.3CVSS5.5AI score0.00228EPSS

Exploits0References5

Positive Technologies•added 2026/06/16 12:0 a.m.•12 views

PT-2026-49776

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.5.26 Description An issue exists in hostname validation where trailing-dot notation in model or workspace-derived URLs can be used to bypass blocklist comparisons. This occurs because hostname checks treat hosts...

6.5CVSS5.2AI score0.0021EPSS

Exploits0References5

Positive Technologies•added 2026/06/16 12:0 a.m.•13 views

PT-2026-49737

Name of the Vulnerable Software and Affected Versions Hono versions prior to 4.12.25 Description The CORS Middleware reflects the request Origin and sends Access-Control-Allow-Credentials: true when credentials: true is enabled and no explicit origin is defined defaulting to the wildcard. This...

7.1CVSS5.9AI score0.0003EPSS

Exploits0References4

EUVD•added 2026/06/15 9:30 p.m.•7 views

EUVD-2026-36783

Incorrect access control in the share-based read endpoints of Sismics Docs Teedy v1.11 allow unauthorized attackers to access sensitive endpoints via a crafted request...

5.2AI score0.00287EPSS

Exploits0References2

NVD•added 2026/06/15 8:16 p.m.•7 views

CVE-2026-50885

Incorrect access control in the share-based read endpoints of Sismics Docs Teedy v1.11 allow unauthorized attackers to access sensitive endpoints via a crafted request...

7.5CVSS0.00287EPSS

Exploits0References1

NVD•added 2026/06/15 12:16 p.m.•11 views

CVE-2026-34028

The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, exposes web-accessible file paths that are not protected by an authorization scheme. An unauthenticated attacker can directly access HTTP endpoints to download files from locations such as /Resources/CompanyIdID/Audio/ and...

6.9CVSS0.00397EPSS

Exploits1References2

NVD•added 2026/06/15 12:16 p.m.•8 views

CVE-2026-34024

The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains missing authorization checks on multiple web application endpoints. An authenticated attacker with minimal privileges can access endpoints that are not visible in the frontend but remain directly reachable. This allow...

8.6CVSS0.00304EPSS

Exploits1References2

EUVD•added 2026/06/15 12:0 p.m.•6 views

EUVD-2016-10882

WordPress Booking Calendar Contact Form 1.0.23 contains privilege escalation and stored cross-site scripting vulnerabilities that allow authenticated users to modify plugin options and inject malicious scripts by failing to verify user privileges and sanitize input parameters. Attackers with...

6.4CVSS5.2AI score0.00231EPSS

Exploits0References3