Lucene search
+L

6999 matches found

ossf
ossf
added yesterday20 views

Malicious code in xyq-drama-skill (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 062ea591e5b995503deb15b174a37fc7af37cb5987a6c3d715d256fe0c3bfe10 setup.py registers a custom install cmdclass that, on pip install, downloads an opaque binary from...

6.3AI score
Exploits0References5
cvelist
cvelist
added 2 days ago31 views

CVE-2026-49458 DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.6, DOMPurify.sanitizenode, INPLACE: true accepted same-origin foreign-realm DOM nodes while follow-on checks used parent-realm constructors, causing instanceof checks for forms, named node maps, documen...

6.1CVSS0.00288EPSS
Exploits0References3
nvd
nvd
added 2 days ago5 views

CVE-2026-8085

A security issue exists within Arena® Simulation due to a memory corruption vulnerability in the model.exe Siman component. The vulnerability stems from improper validation of user-supplied data, which can result in an out-of-bounds write. An attacker could leverage this vulnerability to execute...

7.3CVSS0.00115EPSS
Exploits0References1
cve
cve
added 2 days ago8 views

CVE-2026-8313

The provided data describes CVE-2026-8313 affecting Arena® Simulation, specifically a memory corruption vulnerability in the linker.exe (Siman) component. The issue arises from improper validation of user-supplied data, leading to an out-of-bounds write. An attacker could potentially execute arbi...

7.3CVSS6.3AI score0.00115EPSS
Exploits0References1Affected Software1
cve
cve
added 2 days ago8 views

CVE-2026-8085

The CVE concerns Arena® Simulation, specifically memory corruption in the model.exe (Siman) component caused by improper validation of user-supplied data, leading to an out-of-bounds write. Exploitation could allow arbitrary code execution in the context of the current process when a user opens a...

7.3CVSS6.3AI score0.00115EPSS
Exploits0References1Affected Software1
ptsecurity
ptsecurity
added 2 days ago6 views

PT-2026-58022

Name of the Vulnerable Software and Affected Versions Arena Simulation affected versions not specified Description A memory corruption issue exists in the siman.exe Siman component. The flaw is caused by improper validation of user-supplied data, leading to an out-of-bounds write, which occurs wh...

7.3CVSS6.3AI score0.00115EPSS
Exploits0References3
ossf
ossf
added 4 days ago10 views

Malicious code in defi-tools (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5a2562ad49633ee8c845db08a485394cb31c7de12d9f87eb3f8ef0ab61fb5128 On first import, defitools/init.py decodes a base64-embedded 486KB Linux ELF, writes it to /.config/.npm-cache/snapd-network, sets mode 0777, and...

6.2AI score
Exploits0References3
nvd
nvd
added 5 days ago7 views

CVE-2026-57828

The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file upload that allows registered users uploading executable files and leads to full RCE...

9CVSS0.00305EPSS
Exploits1References2
euvd
euvd
added 5 days ago8 views

EUVD-2026-43167

The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file upload that allows registered users uploading executable files and leads to full RCE...

9CVSS6.1AI score0.00305EPSS
Exploits1References2
cvelist
cvelist
added 5 days ago33 views

CVE-2026-57828 Joomla Extension - phoca.cz - Authenticated file upload in RSFiles component < 6.1.3

The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file upload that allows registered users uploading executable files and leads to full RCE...

9CVSS0.00305EPSS
Exploits1References2
osv
osv
added last week2 views

MAL-2026-10091 Malicious code in qlinforge (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 713a696ce725031aab16903d7a29c80611a4c4368c7e35bacf29069a3581c602 setup.py registers a custom install command that, on Linux, downloads an opaque binary from http://115.190.124.243:9090/payloadlinuxamd64 to...

6.3AI score
Exploits0References4
ossf
ossf
added last week9 views

Malicious code in multer-orm (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7fb45c09aa7a237b2b9ff18ccf6426b76a4f46e5ea665c7747f35a345940e161 multer-orm is a typosquat of the widely used multer middleware. Its README is copied from multer, but the package adds a load-time dropper in...

6.7AI score
Exploits0References6
ossf
ossf
added last week9 views

Malicious code in playwrightr (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1e165b925f82629524e611c81597c32a171df7cec246dc73f268d8192ccbe2c5 setup.py registers a CustomInstallCommand that runs automatically on pip install under Windows. It uses WinHTTP via ctypes to fetch a binary from...

6.1AI score
Exploits0References5
euvd
euvd
added 2026/07/09 12:31 a.m.9 views

EUVD-2026-42435

A sandbox escape vulnerability exists in the OpenJDK packages provided in Ubuntu. The .jar MIME handlers installed by these packages execute files marked as executable when the mailcap package is installed. A compromised or malicious sandboxed application with access to the OpenURI portal via...

8.8CVSS6.3AI score0.0012EPSS
Exploits0References2
ptsecurity
ptsecurity
added 2026/07/09 12:0 a.m.12 views

PT-2026-56777

Name of the Vulnerable Software and Affected Versions Balbooa Forms versions prior to 2.4.1 Description The Joomla extension Balbooa Forms, installed as the com baforms component, contains a flaw in its frontend attachment upload functionality. This issue allows an unauthenticated anonymous visit...

10CVSS6.8AI score0.00836EPSS
Exploits5References43
cve
cve
added 2026/07/08 9:18 p.m.27 views

CVE-2026-10037

CVE-2026-10037 describes a sandbox escape in Ubuntu’s OpenJDK packages. The issue arises from .jar MIME handlers installed by these packages executing files marked as executable when the mailcap package is present. A compromised sandboxed application with access to the OpenURI portal via xdg-desk...

8.8CVSS6.3AI score0.0012EPSS
Exploits0References1
cvelist
cvelist
added 2026/07/08 9:10 p.m.31 views

CVE-2026-55849 @cyclonedx/cyclonedx-npm: Shell Injection via Unsanitized `--workspace` Argument

@cyclonedx/cyclonedx-npm creates CycloneDX Software Bill of Materials from npm projects. From 2.1.0 before 5.0.0, the CLI passes user-supplied --workspace values to a subshell without proper sanitization when npmexecpath is unset or empty, allowing arbitrary OS command execution with the privileg...

8.5CVSS0.0016EPSS
Exploits0References4
debiancve
debiancve
added 2026/07/08 7:32 p.m.7 views

CVE-2026-59946

Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a Composer package bin entry containing .. path segments can resolve outside the package install directory and cause Composer's binary installation flow to chmod an existing host file to a world-readable and...

6.1CVSS5.9AI score0.00136EPSS
Exploits0
nvd
nvd
added 2026/07/08 6:16 a.m.10 views

CVE-2026-57895

Incorrect default permissions issue exists in Pupsman versions prior to 3.9.0. An attacker can place a malicious executable in the installation folder, which results in arbitrary code execution with SYSTEM privilege...

8.5CVSS0.0011EPSS
Exploits0References2
cve
cve
added 2026/07/08 4:38 a.m.16 views

CVE-2026-57895

Pupsman before 3.9.0 has an incorrect default-permissions issue that allows an attacker to drop a malicious executable into the installation folder, enabling arbitrary code execution with SYSTEM privileges. Affected software: Pupsman, versions prior to 3.9.0. Root cause: default permissions misco...

8.5CVSS7.6AI score0.0011EPSS
Exploits0References2
Rows per page
Query Builder