6583 matches found
Mosparo < 1.0.2 - Open Redirect
Open Redirect in GitHub repository mosparo/mosparo prior to 1.0.2. id: CVE-2023-5375 info: name: Mosparo 1.0.2 - Open Redirect author: shankaracharya severity: medium description: | Open Redirect in GitHub repository mosparo/mosparo prior to 1.0.2. impact: | Unauthenticated attackers can exploit...
Imgproxy < 3.14.0 - Cross-site Scripting (XSS)
Cross-site Scripting XSS - Reflected in GitHub repository imgproxy/imgproxy prior to 3.14.0. id: CVE-2023-1496 info: name: Imgproxy 3.14.0 - Cross-site Scripting XSS author: pdteam severity: medium description: Cross-site Scripting XSS - Reflected in GitHub repository imgproxy/imgproxy prior to...
Froxlor < 0.10.38.2. - HTML Injection
HTML Injection in GitHub repository froxlor/froxlor prior to 0.10.38.2. id: CVE-2022-3869 info: name: Froxlor TEST" matchers-condition: and matchers: - type: word part: body words: - 'The message to ""TEST" failed' - type: word part: header words: - "text/html" - type: status status: - 200 d...
Malicious code in @luminarycloudinternal/frodo (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 58ed68e675b2b6cde30e6b7c8e34077eda805a4bde64ca7cd2c68c6f4370ee5f Package published under a scope shadowing internal Luminary Cloud packages @luminarycloudinternal at version 9999.0.1 — the canonical...
github.com/jackc/pgx/v5: github.com/jackc/pgx: Memory-safety vulnerability
A flaw was found in github.com/jackc/pgx. This memory-safety vulnerability could potentially lead to unexpected behavior or system instability...
PYSEC-2026-541 Tooxie Shiva 0.10.0 allows absolute path traversal because Flask send_file function used unsafely
The tooxie/shiva-server repository through 0.10.0 on GitHub allows absolute path traversal because the Flask sendfile function is used unsafely...
GO-2026-5755 Canonical MicroCeph: path traversal issue in the remote-import AP in github.com/canonical/microceph/microceph
Canonical MicroCeph: path traversal issue in the remote-import AP in github.com/canonical/microceph/microceph...
GO-2026-5674 OpenBao's Namespace Deletion May Not Delete Data Properly in github.com/openbao/openbao
OpenBao's Namespace Deletion May Not Delete Data Properly in github.com/openbao/openbao...
GO-2026-5517 OpenBao's System Backend allows Unauthorized Management of the containing Namespace in github.com/openbao/openbao
OpenBao's System Backend allows Unauthorized Management of the containing Namespace in github.com/openbao/openbao...
GO-2026-5557 Note Mark: OIDC-registered users authenticated by submitting password "null" in github.com/enchant97/note-mark/backend
Note Mark: OIDC-registered users authenticated by submitting password "null" in github.com/enchant97/note-mark/backend...
GO-2026-5222 nhost has Session Persistence After Password Change in github.com/nhost/nhost
nhost has Session Persistence After Password Change in github.com/nhost/nhost...
GO-2026-5060 Gotenberg: SSRF via LibreOffice document processing in github.com/gotenberg/gotenberg
Gotenberg: SSRF via LibreOffice document processing in github.com/gotenberg/gotenberg...
CVE-2026-54069
creationtimestamp| type| source ---|---|--- 2026-06-17 04:18:47+00:00| confirmed| https://github.com/projectdiscovery/nuclei-templates/tree/main/http/cves/2026/CVE-2026-54069.yaml 2026-07-10 19:52:05+00:00| seen| https://bsky.app/profile/stackflag.bsky.social/post/3mqcwdmy6ok2t 2026-07-10...
MAL-2026-5697 Malicious code in web-model-bridge (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3d2c385c177531c421e5a49f41d931890a48c16c921b23cc20f2bf4cd8fae893 On npm install, postinstall.js sends an HTTPS POST to https://ddactic-lab.online/sc/beacon carrying the package name/version, Node version, OS,...
Malicious code in multica (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d7d3e4277fb571072315c7f64c269029cd53c78b3ff27ec5536d748c659fd6a2 Package is published at version 9999.99.99 with a description referencing an npm 404 in multica-ai/multica and a main module that recursively require...
MAL-2026-5397 Malicious code in create-docs-mcp (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fd4381fd77419441a2eefe6b22adef6c9f5adfe1b92be5d071abd5908fdf8647 Package is published at version 9999.99.99 — the canonical high-version override used in dependency-confusion attacks against private/internal packag...
MAL-2026-5403 Malicious code in t-invest-mcp-server (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 46c186ac158f68845fc995a94d15d44c2b65a521d2619d2850232e58f4a61419 Package is a dependency-confusion squat: package.json sets version 9999.99.99 the canonical max-version trick used to win resolution against any...
MAL-2026-4523 Malicious code in claude-channel-imessage (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9751c370c062cb40bccb874f46679ad3ca8ba9d3b49d0d8ba1f924d9582e53a3 On npm install, postinstall.js executes whoami and id, reads os.hostname, os.platform, process.cwd, and the CI, GITHUBREPOSITORY, and NODEENV...
MAL-2026-4644 Malicious code in power-platform-playwright-toolkit (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 57967d58233d74f2fc4f9b0dee7c050370eb388050df8d63f29e719f83468d73 On npm install, the package's postinstall script postinstall.js collects host identifiers and CI context — whoami, os.hostname, os.platform, cwd, CI,...
Malicious code in pewter-constants (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3c9f898fe8ed95b1d549bfff91d7c0dda0f75ada1c32a58af144940cf28b23c5 On npm install, a preinstall hook in callback.js collects os.hostname, os.userInfo.username, process.cwd, the configured npm registry...