Lucene search
+L

1167 matches found

OSV
OSV
added 2026/05/19 12:0 a.m.8 views

MAL-2026-4025 Malicious code in @antv/graphin-icons (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

5.8AI score
Exploits0References5
Snyk
Snyk
added 2026/05/18 9:0 p.m.8 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

9.8CVSS5.9AI score
Exploits0References2
vulnersOsv
vulnersOsv
added 2026/05/18 9:0 p.m.7 views

@antv/gi-assets-advance (>=1.0.0 <=2.5.22), @antv/gi-assets-basic (>=1.0.0 <=2.4.40) +15 more potentially affected by unknown CVE via @antv/graphin-icons (=1.0.0)

@antv/graphin-icons NPM version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/graphin-icons and may be impacted: - @antv/gi-assets-advance =1.0.0, =1.0.0, =1.0.0, =1.0.0, =0.1.0, =0.0.4, =0.0.1, =0.1.0, =1.0.4, =1.0.11, =0.2.6-beta.4,...

5.5AI score
Exploits0
vulnersOsv
vulnersOsv
added 2026/05/18 9:0 p.m.8 views

@antv/gi-assets-advance (>=1.0.0 <=2.5.22), @antv/gi-assets-basic (>=1.0.0 <=2.4.40) +15 more potentially affected by unknown CVE via @antv/graphin-icons (=1.0.0)

@antv/graphin-icons NPM version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/graphin-icons and may be impacted: - @antv/gi-assets-advance =1.0.0, =1.0.0, =1.0.0, =1.0.0, =0.1.0, =0.0.4, =0.0.1, =0.1.0, =1.0.4, =1.0.11, =0.2.6-beta.4,...

5.5AI score
Exploits0
NVD
NVD
added 2026/05/12 9:16 a.m.15 views

CVE-2026-7659

The Advanced Social Media Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the social shortcode in all versions up to, and including, 1.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS0.00242EPSS
Exploits0References4
CVE
CVE
added 2026/05/12 7:48 a.m.18 views

CVE-2026-7659

The CVE-2026-7659 entry concerns the WordPress plugin Advanced Social Media Icons (versions

6.4CVSS6AI score0.00242EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/05/12 7:48 a.m.9 views

CVE-2026-7659 Advanced Social Media Icons <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'social' Shortcode

The Advanced Social Media Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the social shortcode in all versions up to, and including, 1.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS6AI score0.00242EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/05/12 12:0 a.m.9 views

WordPress plugin Advanced Social Media Icons 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. Versions...

6.4CVSS5.8AI score0.00242EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/12 12:0 a.m.21 views

PT-2026-39975

The Advanced Social Media Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the social shortcode in all versions up to, and including, 1.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS6AI score0.00242EPSS
Exploits0References5
NVD
NVD
added 2026/05/11 10:22 p.m.46 views

CVE-2026-42564

jotty·page is a self-hosted app for your checklists and notes. Prior to 1.22.0, an unauthenticated path traversal vulnerability exists in /api/app-icons/filename. The filename route parameter is joined into a filesystem path without traversal/boundary validation, allowing file reads outside...

8.2CVSS0.00318EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/11 9:17 p.m.69 views

CVE-2026-42564 jotty·page: Unauthenticated Path Traversal leads to sensitive file disclosure and session-token reuse impact

jotty·page is a self-hosted app for your checklists and notes. Prior to 1.22.0, an unauthenticated path traversal vulnerability exists in /api/app-icons/filename. The filename route parameter is joined into a filesystem path without traversal/boundary validation, allowing file reads outside...

8.2CVSS0.00318EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/11 9:17 p.m.19 views

EUVD-2026-29329

jotty·page is a self-hosted app for your checklists and notes. Prior to 1.22.0, an unauthenticated path traversal vulnerability exists in /api/app-icons/filename. The filename route parameter is joined into a filesystem path without traversal/boundary validation, allowing file reads outside...

8.2CVSS5.8AI score0.00318EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/11 9:17 p.m.6 views

CVE-2026-42564

jotty·page is a self-hosted app for your checklists and notes. Prior to 1.22.0, an unauthenticated path traversal vulnerability exists in /api/app-icons/filename. The filename route parameter is joined into a filesystem path without traversal/boundary validation, allowing file reads outside...

8.2CVSS5.8AI score0.00318EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/11 9:17 p.m.10 views

CVE-2026-42564 jotty·page: Unauthenticated Path Traversal leads to sensitive file disclosure and session-token reuse impact

jotty·page is a self-hosted app for your checklists and notes. Prior to 1.22.0, an unauthenticated path traversal vulnerability exists in /api/app-icons/filename. The filename route parameter is joined into a filesystem path without traversal/boundary validation, allowing file reads outside...

8.2CVSS5.8AI score0.00318EPSS
Exploits0References1
CVE
CVE
added 2026/05/11 9:17 p.m.24 views

CVE-2026-42564

CVE-2026-42564 affects jotty.page (self-hosted notes/checklists app). Before version 1.22.0, there is an unauthenticated path traversal in the /api/app-icons/[filename] endpoint: the filename parameter is directly joined into a filesystem path without traversal/boundary validation, allowing reads...

8.2CVSS5.8AI score0.00318EPSS
Exploits0References1
OSV
OSV
added 2026/05/11 9:17 p.m.3 views

CVE-2026-42564 jotty·page: Unauthenticated Path Traversal leads to sensitive file disclosure and session-token reuse impact

jotty·page is a self-hosted app for your checklists and notes. Prior to 1.22.0, an unauthenticated path traversal vulnerability exists in /api/app-icons/filename. The filename route parameter is joined into a filesystem path without traversal/boundary validation, allowing file reads outside...

8.2CVSS6AI score0.00318EPSS
Exploits0References3
Patchstack
Patchstack
added 2026/05/11 7:3 p.m.9 views

WordPress Advanced Social Media Icons plugin <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by zakaria in WordPress Plugin Advanced Social Media Icons versions = 1.2...

6.4CVSS5.8AI score0.00242EPSS
Exploits0References1Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/11 12:0 a.m.30 views

PT-2026-39853

Name of the Vulnerable Software and Affected Versions jotty·page versions prior to 1.22.0 Description An unauthenticated path traversal issue exists in the '/api/app-icons/filename' endpoint. The filename route parameter is joined into a filesystem path without proper traversal or boundary...

8.2CVSS5.8AI score0.00318EPSS
Exploits0References3
EUVD
EUVD
added 2026/05/10 3:31 p.m.10 views

EUVD-2021-34783

AccessPress Social Icons 1.8.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by entering JavaScript payloads into the 'icon title' field. Attackers can store XSS payloads like image tags with onerror event handlers that execut...

6.4CVSS5.7AI score0.00239EPSS
Exploits0References5
NVD
NVD
added 2026/05/10 1:16 p.m.16 views

CVE-2021-47910

AccessPress Social Icons 1.8.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by entering JavaScript payloads into the 'icon title' field. Attackers can store XSS payloads like image tags with onerror event handlers that execut...

6.4CVSS0.00239EPSS
Exploits0References4
Rows per page
Query Builder