CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSSF Malicious Packages•added 4 days ago•11 views

Malicious code in node-slot (npm)

5.9AI score

NVD•added 6 days ago•8 views

CVE-2025-26240

In JazzCore python-pdfkit 1.0.0, the fromstring method enables the execution of JavaScript code within the context of the server application and the exfiltration of local files...

8.4CVSS0.00392EPSS

CVE•added 6 days ago•14 views

CVE-2025-26240

The CVE-2025-26240 entry affects JazzCore’s python-pdfkit 1.0.0, where the from_string method allows JavaScript to execute within the server context and enables exfiltration of local files. This indicates a server-side execution vector with high impact on confidentiality, integrity, and availabil...

8.4CVSS5.6AI score0.00392EPSS

OSV•added 2026/06/11 9:57 p.m.•7 views

MAL-2026-5678 Malicious code in internallib_v557 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 275af9596caf2b68994ca8282da7e127f8a4478e07888dbae73826328b4e41f2 index.js implements a multi-step attack against an internal npm registry. On invocation of the exported command, it: 1 creates a Verdaccio user...

OSV•added 2026/06/10 6:41 p.m.•8 views

Exploits0References23

MAL-2026-5530 Malicious code in websocket-slot (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c15c40b8371646f167ffa7d5a2ba2c8d0fd454ef7054eeb41807a1a3eda8e7a6 On npm install, this package runs node test.js via scripts.postinstall, which executes the logic in index.js. The postinstall behavior performs three...

Tenable Nessus•added 2026/06/08 12:0 a.m.•7 views

Amazon Linux 2 : yelp, --advisory ALAS2-2026-3337 (ALAS-2026-3337)

The version of yelp installed on the remote host is prior to 3.28.1-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3337 advisory. A sandbox escape vulnerability was found in yelp, the GNOME help viewer. Bypassing the fix for CVE-2025-3155, a malicious help docume...

7.4CVSS5.5AI score0.10259EPSS

Exploits1References2

OSV•added 2026/06/06 6:13 a.m.•8 views

MAL-2026-5296 Malicious code in magique (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 f5d3bf9e3bbd5c258d251ade5a15f3383a47a53ddd399d7cd3db2aee5cec45c4 Versions 0.6.8, 0.6.9 were compromised. Compromised packages start an obfuscated infostealer. The infostealer is a heavily obfuscated JavaScript code executed...

OSV•added 2026/06/06 6:13 a.m.•6 views

Exploits0References5

MAL-2026-5313 Malicious code in dreamgen (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 d13836e2a6e18233bd22274b546345ad8ae8959fa00ad1c3d473568feed3f6d3 Versions 1.8.1 were compromised. Compromised packages start an obfuscated infostealer. The infostealer is a heavily obfuscated JavaScript code executed using B...

RedhatCVE•added 2026/06/05 7:18 p.m.•6 views

Exploits0References4

CVE-2026-45088

Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is run in REST API server mode, the custom-payload-file field in model.Options is JSON-tagged and deserialized directly from the attacker's request body, then propagated unchanged through...

7.5CVSS5.6AI score0.00251EPSS

CVE•added 2026/06/05 7:1 p.m.•22 views

CVE-2026-11414

CVE-2026-11414 affects Altium Enterprise Server Vault service. The issue comprises two vulnerabilities: (1) a hard-coded cryptographic key used to sign file download URLs, identical across installations, enabling an unauthenticated network attacker to forge valid signatures and retrieve files fro...

10CVSS5.6AI score0.00437EPSS

Exploits0References1Affected Software1

Cvelist•added 2026/06/05 7:1 p.m.•29 views

CVE-2026-11414 Unauthenticated File Exfiltration in Altium Enterprise Server Vault Service via Hard-coded Cryptographic Key and Path Traversal

A hard-coded cryptographic key is used by Altium Enterprise Server to sign file download URLs in the Vault service. Because the key is identical across all installations, an unauthenticated network attacker who can reach the server can forge valid download signatures and retrieve files from the...

10CVSS0.00437EPSS

Positive Technologies•added 2026/06/05 12:0 a.m.•6 views

PT-2026-49599

Impact skillctl 0.1.0 and 0.1.1 contained four path-safety vulnerabilities that, in combination, allowed an attacker to: 1. Exfiltrate arbitrary files on the operator's machine by publishing a malicious skills library containing a symlink inside a skill folder e.g. niania →...

5.6AI score

Exploits0References5

OSSF Malicious Packages•added 2026/05/31 1:30 a.m.•12 views

Malicious code in h4xupdate (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 0de4da975d7b071824607be751a9ea0fb13e409eaef58d1cc0628263d5dea700 Package contains a remote control tool taking orders from a hardcoded Telegram bot. The authorship impersonate legitimate company. --- Category: MALICIOUS - Th...

6AI score

OSV•added 2026/05/31 1:30 a.m.•10 views

MAL-2026-5093 Malicious code in h4xupdate (PyPI)

6AI score

EUVD•added 2026/05/27 5:35 p.m.•11 views

EUVD-2026-32616

7.5CVSS5.9AI score0.00251EPSS

EUVD•added 2026/05/22 1:4 a.m.•11 views

EUVD-2026-31386

A cross-site scripting XSS vulnerability in SketchUp 2026's Dynamic Components feature allows remote code execution and local file exfiltration through maliciously crafted SKP files. The vulnerability stems from improper input sanitization in the component options window, enabling attackers to...

9.3CVSS6.4AI score0.00231EPSS