CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Positive Technologies•added 2026/05/29 12:0 a.m.•17 views

PT-2026-44800

Name of the Vulnerable Software and Affected Versions Acer Wave 7 router affected versions not specified Description The upload.cgi binary, which processes device backups, contains a hardcoded AES encryption key. This allows an attacker to decrypt, modify, and re-encrypt system backups, which can...

10CVSS5.8AI score0.0018EPSS

Exploits0References9

OSSF Malicious Packages•added 2026/05/26 7:33 a.m.•13 views

Malicious code in @catclaw/message-logger-plugin (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cf070f85ba454a799d80e6998ee717f0fc9084513041893a164752162e0b0864 On plugin registration, the log-collector is enabled by default and uploads session JSONL files from /.openclaw/agents//sessions to...

OSSF Malicious Packages•added 2026/05/25 4:36 p.m.•10 views

Malicious code in aes-decode-runner-pro (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a84e76208311859e852fea114c26e1eff1202eeff9a463707c5ae0deec68725c aes-decode-runner-pro ships an opaque 326-byte AES-GCM ciphertext DEFAULTFINALENCODEDTEXT in src/config/defaults.js along with a hardcoded passphrase...

5.8AI score

Exploits0References10

OSSF Malicious Packages•added 2026/05/25 1:2 p.m.•9 views

Malicious code in emojifancy-print (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 87a0b34b08697e7c8c67b8111ab442ec2d1168f0981b4680fc327a40ba370d79 The package advertises itself as a colorized logger but ships a backdoor in dist/logger.js that fires automatically when the module is loaded. At...

OSSF Malicious Packages•added 2026/05/25 9:50 a.m.•8 views

Malicious code in @pmate/utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d918da5fdc17486ed55296e53c1de2f1d976895f77e33dc7f73991e36f393502 The exported detectTextimageBase64 function in src/detectText.ts sends caller-supplied image content to...

5.8AI score

OSV•added 2026/05/25 9:50 a.m.•5 views

MAL-2026-4419 Malicious code in @pmate/utils (npm)

5.8AI score

OSSF Malicious Packages•added 2026/05/24 5:19 p.m.•10 views

Malicious code in class-weaver (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b4e45cdd0a93db2db56ae7fd2c348305a5ce7aeab9c6fb4b2331c2a547b2c5e7 class-weaver advertises itself as a className/theme utility keywords clsx, utils, styling; exports named classNames and twMerge mimicking...

OSV•added 2026/05/24 5:19 p.m.•8 views

MAL-2026-4521 Malicious code in class-weaver (npm)

OSSF Malicious Packages•added 2026/05/24 5:15 p.m.•9 views

Malicious code in vite-plugin-css-blend (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7a47fa75fbd028d1aca89ca790036f760c76d8e486175505ef4a8f59f33e7c76 The package is published as a Vite CSS plugin but exposes no Vite plugin API. Its documented applyGlobalStylespalette, accents export, when called on...

6AI score

OSV•added 2026/05/24 5:15 p.m.•11 views

MAL-2026-4706 Malicious code in vite-plugin-css-blend (npm)

6AI score

OSV•added 2026/05/22 7:56 a.m.•10 views

MAL-2026-4768 Malicious code in sklern (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1495d93dccc77a422f70d192ef4d8dcd53b0c990fff43e68bc2a0eca301e5d10 Package name 'sklern' is a one-character deletion from the top-tier ML package 'sklearn', and its public API linearregression, logisticregression,...

CVE•added 2026/05/21 5:11 p.m.•12 views

Exploits0References6

CVE-2026-48245

Open ISES Tickets before 3.44.2 contain a hardcoded Google Maps API key in tables.php that was committed to a public repository. The key can be read by anyone with repository access and used to incur Google Maps Platform charges on the owner’s Google Cloud project. Public remediation is available...

Vulnrichment•added 2026/05/21 5:11 p.m.•9 views

CVE-2026-48245 Open ISES Tickets < 3.44.2 Hardcoded Google Maps API Key in tables.php

Open ISES Tickets before 3.44.2 embeds a hardcoded Google Maps API key in tables.php that is committed to the public source repository. The key can be extracted by anyone with read access to the source and used to make Google Maps Platform requests billed against the original owner's Google Cloud...

ATTACKERKB•added 2026/05/21 5:11 p.m.•4 views

CVE-2026-48245

CVE•added 2026/05/21 5:11 p.m.•12 views

Exploits0References4

CVE-2026-48244

Open ISES Tickets before 3.44.2 contains a hardcoded Google Maps API key in settings.inc.php committed to public source. The API key can be extracted by anyone with read access and used to make Google Maps Platform requests, resulting in billed usage against the original owner’s Google Cloud proj...

ATTACKERKB•added 2026/05/21 5:11 p.m.•5 views

CVE-2026-48244

Open ISES Tickets before 3.44.2 embeds a hardcoded Google Maps API key in settings.inc.php that is committed to the public source repository. The key can be extracted by anyone with read access to the source and used to make Google Maps Platform requests billed against the original owner's Google...

Vulnrichment•added 2026/05/21 5:11 p.m.•7 views

Exploits0References4

CVE-2026-48244 Open ISES Tickets < 3.44.2 Hardcoded Google Maps API Key in settings.inc.php

CVE•added 2026/05/21 5:11 p.m.•14 views

CVE-2026-48243

Open ISES Tickets before 3.44.2 embeds a hardcoded WhitePages reverse-phone API key in wp1.php that is committed to the public source repository. Any actor with read access to the source tree can extract the key and use it to make third‑party API calls billed to or rate‑limited against the origin...

EUVD•added 2026/05/21 5:11 p.m.•9 views

EUVD-2026-31325

Open ISES Tickets before 3.44.2 embeds a hardcoded WhitePages reverse-phone API key in wp1.php that is committed to the public source repository. Any actor with read access to the source tree can extract the key and use it to make third-party API calls billed to or rate-limited against the origin...