CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

39 matches found

CVE-2026-47141 vm2: NodeVM observability builtins leak host process and HTTP request data

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM exposes some process-wide observability builtins when they are allowed through require.builtin. The diagnosticschannel, asynchooks, and perfhooks builtins are not blocked by the dangerous builtin denylist. These modules...

6.9CVSS0.0004EPSS

Exploits0References3

OSV•added 5 days ago•4 views

MAL-2026-5472 Malicious code in getd-web-corporativa (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6751d3ca04c2ae596f7e809e339770edaed576060d361c061311960b0a3a7033 On npm install, postinstall.js performs an HTTPS GET to a hardcoded webhook.site receiver, leaking the installer's hostname, OS username, platform,...

5.5AI score

Exploits0References1

Github Security Blog•added 2026/05/29 6:20 p.m.•11 views

NodeVM observability builtins leak host process and HTTP request data

Summary NodeVM exposes some process-wide observability builtins when they are allowed through require.builtin. The following builtins are not blocked by the dangerous builtin denylist: text diagnosticschannel asynchooks perfhooks These modules are process-wide, not sandbox-local. Sandboxed code c...

6.9CVSS5.8AI score0.0004EPSS

Exploits0References5Affected Software1

OSV•added 2026/05/29 6:20 p.m.•6 views

GHSA-9G8X-92Q2-P28F NodeVM observability builtins leak host process and HTTP request data

8.2CVSS5.8AI score0.0004EPSS

Exploits0References5

Positive Technologies•added 2026/05/29 12:0 a.m.•8 views

PT-2026-45023

Name of the Vulnerable Software and Affected Versions vm2 versions prior to 3.11.4 Description NodeVM exposes process-wide observability builtins when they are permitted via require.builtin. Specifically, the diagnostics channel, async hooks, and perf hooks modules are not included in the dangero...

6.9CVSS5.3AI score0.0004EPSS

Exploits0References6

Github Security Blog•added 2026/05/23 12:18 a.m.•14 views

Nezha Monitoring: Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated members

Summary Any authenticated non-admin member can connect to the server-status WebSocket and receive telemetry for all servers, including servers owned by other users. The normal server list API filters objects by HasPermission, but the WebSocket stream treats the presence of any authenticated user ...

6.5CVSS5.8AI score0.00031EPSS

Exploits0References2Affected Software1

AstraLinux•added 2026/05/20 5:53 a.m.•4 views

Astra Linux - уязвимость в linux

A flaw was discovered in the KVM’s AMD code, responsible for supporting SVM nested virtualization. The flaw occurs during the processing of the VMCB virtual machine control block provided by the L1 guest, which is used to spawn or handle a nested guest L2. Due to improper validation of the “intct...

8.8CVSS6.8AI score0.00015EPSS

Exploits1References2

OSSF Malicious Packages•added 2026/05/12 7:43 a.m.•9 views

Malicious code in crazehub (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 53d37c0e75f63e9da7adcc1f71f8b67a665d080342df6857a15dadc297e4f075 crazehub/init.py performs multiple user-hostile actions at import time. Lines 2-3 unconditionally run os.system"pip install phonenumbers" and...

6AI score

Exploits0References1

OSV•added 2026/04/28 6:30 p.m.•4 views

GHSA-QPV2-RWC8-C993 Netmaker does not verify JWT signatures for host tokens

Netmaker by Gravitl is an open-source WireGuard-based networking platform for creating and managing virtual overlay networks. The VerifyHostToken function in logic/jwts.go does not validate the JWT signature when verifying host tokens. After calling jwt.ParseWithClaims, the function only checks...

9.2CVSS5.8AI score0.001EPSS

Exploits1References4

RedhatCVE•added 2026/04/13 4:47 p.m.•6 views

CVE-2026-39977

A flaw was found in flatpak-builder. A specially crafted manifest or source can bypass path restrictions by using symbolic links within the license-files field, allowing the builder to follow paths outside the intended source directory, reading arbitrary files from the host system and including...

7.1CVSS5.8AI score0.00035EPSS

Exploits1References4

Tenable Nessus•added 2026/01/16 12:0 a.m.•2 views

Unity Linux 20.1070e Security Update: kernel (UTSA-2026-001335)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-001335 advisory. A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB virtual machine control block provided by t...

8.8CVSS6.5AI score0.00015EPSS

Exploits1References4

Ubuntu•added 2026/01/09 7:30 p.m.•6 views

USN-7940-2: Linux kernel (Azure, N-Series) vulnerabilities

Jean-Claude Graf, Sandro Rüegge, Ali Hajiabadi, and Kaveh Razavi discovered that the Linux kernel contained insufficient branch predictor isolation between a guest and a userspace hypervisor for certain processors. This flaw is known as VMSCAPE. An attacker in a guest VM could possibly use this t...

8.8CVSS7.4AI score0.00135EPSS

Exploits10

Ubuntu•added 2025/12/17 8:58 p.m.•7 views

USN-7940-1: Linux kernel (Azure FIPS) vulnerabilities

8.8CVSS7.4AI score0.00135EPSS

Exploits10

OSV•added 2025/12/16 10:25 p.m.•4 views

USN-7939-2 linux-azure-fips vulnerabilities

7.8CVSS6.9AI score0.00135EPSS

Exploits8References24

Ubuntu•added 2025/12/16 2:52 p.m.•4 views

USN-7938-1: Linux kernel (Azure) vulnerabilities