Lucene search
K

88 matches found

OSV
OSV
added 2026/05/21 8:0 a.m.9 views

MAL-2026-4228 Malicious code in @tiledesk/tiledesk-server (npm)

@tiledesk/tiledesk-server version 2.18.12 is a compromised release of the legitimate Tiledesk customer support platform package. This version was injected with a CI pipeline backdoor as part of the megalodon campaign — a mass GitHub repository backdooring operation targeting CI/CD runner...

6.1AI score
Exploits0References3
OSV
OSV
added 2026/05/20 3:9 a.m.8 views

MAL-2026-4562 Malicious code in figma-d2c-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b65db74a06749bbb141552f97e91b15d5bdd91b57a0136dfc8bfb4034b659c8f The package ships dist/report.js, a one-line module that issues an HTTPS POST to https://www.baidu.com carrying values read from process.env. The...

5.8AI score
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/14 7:25 p.m.13 views

Malicious code in exxpress-tool (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 378e423b00c08a371fbae1c77360685d2277e502e9875caa53fb20f58a39f396 The package name exxpress-tool is a one-character edit of the widely-used express package. On npm install, the declared scripts.postinstall runs...

5.9AI score
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/09 3:30 a.m.8 views

CVE-2026-42461 Arcane Vulnerable to Unauthenticated Disclosure of Custom Compose Template Content (incl. `.env` secrets)

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.18.0, four GET endpoints under /api/templates in Arcane's Huma backend are registered without any Security requirement, allowing any unauthenticated network client to list and read the full...

8.7CVSS5.7AI score0.00309EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/08 3:36 a.m.8 views

EUVD-2026-28502

LiteLLM is a proxy server AI Gateway to call LLM APIs in OpenAI or native format. From version 1.80.5 to before version 1.83.7, the POST /prompts/test endpoint accepted user-supplied prompt templates and rendered them without sandboxing. A crafted template could run arbitrary code inside the...

8.6CVSS6AI score0.00373EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/05/08 3:36 a.m.7 views

CVE-2026-42203

LiteLLM is a proxy server AI Gateway to call LLM APIs in OpenAI or native format. From version 1.80.5 to before version 1.83.7, the POST /prompts/test endpoint accepted user-supplied prompt templates and rendered them without sandboxing. A crafted template could run arbitrary code inside the...

8.6CVSS6AI score0.00373EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/04/30 8:55 p.m.5 views

GHSA-CXX3-HR75-4Q96 Arcane Vulnerable to Unauthenticated Disclosure of Custom Compose Template Content (incl. `.env` secrets)

Summary Four GET endpoints under /api/templates in Arcane's Huma backend are registered without any Security requirement, allowing any unauthenticated network client to list and read the full Compose YAML and .env content of every custom template stored in the instance. Because Arcane's UI expose...

8.7CVSS5.8AI score0.00309EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/04/30 8:55 p.m.15 views

Arcane Vulnerable to Unauthenticated Disclosure of Custom Compose Template Content (incl. `.env` secrets)

Summary Four GET endpoints under /api/templates in Arcane's Huma backend are registered without any Security requirement, allowing any unauthenticated network client to list and read the full Compose YAML and .env content of every custom template stored in the instance. Because Arcane's UI expose...

8.7CVSS5.5AI score0.00309EPSS
Exploits0References4Affected Software1
Snyk
Snyk
added 2026/04/29 9:0 p.m.13 views

Embedded Malicious Code

Overview intercom/intercom-php is an Intercom API client. Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload. A malicious actor compromised the package, enabling the attacker to publish tampered versions of the deep learning...

9.8CVSS6AI score0.00392EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/23 2:17 p.m.4 views

Execution with Unnecessary Privileges

Overview openc3 is a Python support for OpenC3 COSMOS Affected versions of this package are vulnerable to Execution with Unnecessary Privileges through the runscript.py and runscript.rb script execution paths in the script runner components. An attacker can read sensitive credentials by running a...

9.6CVSS5.9AI score0.00341EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/23 2:17 p.m.6 views

Execution with Unnecessary Privileges

Overview Affected versions of this package are vulnerable to Execution with Unnecessary Privileges through the runscript.py and runscript.rb script execution paths in the script runner components. An attacker can read sensitive credentials by running a script that prints the process environment,...

9.6CVSS5.9AI score0.00341EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/16 10:46 p.m.10 views

Arbitrary Command Injection

Overview Affected versions of this package are vulnerable to Arbitrary Command Injection via the spawn function. An attacker can execute arbitrary shell commands on the server and access sensitive environment variables, including API keys, authentication secrets, and database credentials, by...

8.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/04/16 9:21 p.m.3 views

Use of a Broken or Risky Cryptographic Algorithm

Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm in the process that handles JWT secret assignment. An attacker can gain unauthorized access and impersonate any user, including administrators...

5.6CVSS5.8AI score
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/04/14 8:39 p.m.3 views

CVE-2026-25125

October is a Content Management System CMS and web platform. Versions prior to 3.7.14 and 4.1.10 contain a server-side information disclosure vulnerability in the INI settings parser. Because PHP's parseinistring function supports $ syntax for environment variable interpolation, attackers with...

4.9CVSS5.8AI score0.00326EPSS
Exploits0References2Affected Software1
Snyk
Snyk
added 2026/04/04 6:4 a.m.4 views

Command Injection

Overview @budibase/server is a Budibase Web Server Affected versions of this package are vulnerable to Command Injection via the public webhook endpoint. An attacker can execute arbitrary commands as the root user within the application container and exfiltrate sensitive environment secrets by...

9.5CVSS6.1AI score0.11982EPSS
Exploits1References2
OSV
OSV
added 2026/04/03 7:4 p.m.4 views

MAL-2026-2475 Malicious code in strapi-plugin-nordica-lite (npm)

strapi-plugin-nordica-lite is a malicious npm package disguised as a Strapi CMS plugin. On install, it runs a postinstall script that executes an 11-phase attack: stealing .env files, environment variables, Strapi configuration, private keys, Redis data, Docker/Kubernetes secrets, and network...

6AI score
Exploits0References2
Talos Blog
Talos Blog
added 2026/04/02 10:0 a.m.8 views

UAT-10608: Inside a large-scale automated credential harvesting operation targeting web applications

Cisco Talos is disclosing a large-scale automated credential harvesting campaign carried out by a threat cluster we are tracking as "UAT-10608." Post-compromise, UAT-10608 leverages automated scripts for extracting and exfiltrating credentials from a variety of applications, that are then posted ...

10CVSS7.6AI score0.99562EPSS
Exploits374
The Hacker News
The Hacker News
added 2026/03/27 8:7 a.m.8 views

LangChain, LangGraph Flaws Expose Files, Secrets, Databases in Widely Used AI Frameworks

Cybersecurity researchers have disclosed three security vulnerabilities impacting LangChain and LangGraph that, if successfully exploited, could expose filesystem data, environment secrets, and conversation history. Both LangChain and LangGraph are open-source frameworks that are used to build...

9.8CVSS6.2AI score0.9999EPSS
Exploits61
RedhatCVE
RedhatCVE
added 2026/03/12 11:23 p.m.8 views

CVE-2026-32237

A data exposure flaw has been discovered in the @backstage/plugin-scaffolder-backend npm library. Authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log outp...

6.5CVSS5.7AI score0.00242EPSS
Exploits0References5
NVD
NVD
added 2026/03/12 7:16 p.m.3 views

CVE-2026-32237

Backstage is an open framework for building developer portals. Prior to 3.1.5, authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all...

6.5CVSS0.00242EPSS
Exploits0References2
Rows per page
Query Builder