Lucene search
K

105 matches found

OSV
OSV
added 2025/09/15 7:21 p.m.13 views

CVE-2025-59331 [email protected] contains malware after npm account takeover

is-arrayish checks if an object can be used like an Array. On 8 September 2025, an npm publishing account for is-arrayish was taken over after a phishing attack. Version 0.3.3 was published, functionally identical to the previous patch version, but with a malware payload added attempting to...

8.8CVSS6.7AI score0.00378EPSS
Exploits0References7
RedhatCVE
RedhatCVE
added 2025/09/12 12:21 p.m.4 views

CVE-2025-40725

Reflected Cross-Site Scripting XSS vulnerability in Azon Dominator. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL using the “q” parameter in /search via GET. This vulnerability can be exploited to steal sensitive user data...

5.1CVSS6.1AI score0.00306EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/08/14 3:49 p.m.12 views

CVE-2025-54800

Hydra is a continuous integration service for Nix based projects. Prior to commit dea1e16, a malicious package can introduce arbitrary JavaScript code into the Hydra database that is automatically evaluated in a client's browser when anyone visits the build page. This could be done by a third-par...

7.1CVSS7.3AI score0.00188EPSS
Exploits0References1
Cvelist
Cvelist
added 2025/08/13 12:0 a.m.13 views

CVE-2025-45315

A cross-site scripting XSS vulnerability in the /controller/admin.php endpoint of hortusfox-web v4.4 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload injected into the email parameter...

0.00238EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2025/08/08 12:0 a.m.17 views

PT-2025-32422 · Workos · Authkit

Name of the Vulnerable Software and Affected Versions: @workos-inc/authkit-remix versions 0.14.1 and below Description: The AuthKit library for Remix exposed sensitive authentication artifacts – specifically sealedSession and accessToken – by returning them from the authkitLoader, causing them to...

7.1CVSS6.3AI score0.00364EPSS
Exploits0References10
Packet Storm News
Packet Storm News
added 2025/06/04 12:0 a.m.11 views

Client-Side Zero-Shot LLM Inference for Comprehensive In-Browser URL Analysis

Malicious websites and phishing URLs pose an ever-increasing cybersecurity risk, with phishing attacks growing by 40% in a single year. Traditional detection approaches rely on machine learning classifiers or rule-based scanners operating in the cloud, but these face significant challenges in...

7.4AI score
Exploits0
RedhatCVE
RedhatCVE
added 2025/05/23 5:52 a.m.4 views

CVE-2023-22654

Client-side enforcement of server-side security issue exists in T Corporation and ESPEC MIC CORP. data logger products, which may lead to an arbitrary script execution on a logged-in user's web browser. Affected products and versions are as follows: T Corporation data logger products TR-71W/72W a...

5.4CVSS6.9AI score0.00508EPSS
Exploits0References1
Packet Storm News
Packet Storm News
added 2025/05/05 12:0 a.m.9 views

Dynamic Graph-Based Fingerprinting of In-Browser Cryptomining

The decentralized and unregulated nature of cryptocurrencies, combined with their monetary value, has made them a vehicle for various illicit activities. One such activity is cryptojacking, an attack that uses stolen computing resources to mine cryptocurrencies without consent for profit...

7.2AI score
Exploits0
RedhatCVE
RedhatCVE
added 2025/02/04 10:55 p.m.6 views

CVE-2024-26313

Archer Platform 6.x before 6.14 P2 HF2 6.14.0.2.2 contains a stored cross-site scripting XSS vulnerability. A remote authenticated malicious Archer user could potentially exploit this to store malicious HTML or JavaScript code in a trusted application data store. When victim users access the data...

7.3CVSS5.2AI score0.00505EPSS
Exploits0References1
CISA KEV Catalog
CISA KEV Catalog
added 2025/01/23 12:0 a.m.19 views

JQuery Cross-Site Scripting (XSS) Vulnerability

JQuery contains a persistent cross-site scripting XSS vulnerability. When passing maliciously formed, untrusted input enclosed in HTML tags, JQuery's DOM manipulators can execute untrusted code in the context of the user's browser...

6.9CVSS6.1AI score0.8383EPSS
In wildExploits6
OSV
OSV
added 2024/02/15 3:22 p.m.3 views

GHSA-CC65-XXVF-F7R9 Scrapy vulnerable to ReDoS via XMLFeedSpider

Impact The following parts of the Scrapy API were found to be vulnerable to a ReDoS attack: - The XMLFeedSpider class or any subclass that uses the default node iterator: iternodes, as well as direct uses of the scrapy.utils.iterators.xmliter function. - Scrapy 2.6.0 to 2.11.0: The openinbrowser...

7.5CVSS6.8AI score0.00553EPSS
Exploits1References8
CNNVD
CNNVD
added 2023/12/26 12:0 a.m.10 views

Alfasado PowerCMS Security Vulnerability

Alfasado PowerCMS is a content management system CMS from Alfasado Japan. A security vulnerability exists in Alfasado PowerCMS, which originates from a stored cross-site scripting XSS vulnerability. The vulnerability can be exploited by an attacker to execute arbitrary script in a logged-in user'...

5.4CVSS6.1AI score0.00298EPSS
Exploits0References3
OSV
OSV
added 2023/11/29 5:15 p.m.6 views

CVE-2023-6217

In Progress MOVEit Transfer versions released before 2022.0.9 14.0.9, 2022.1.10 14.1.10, 2023.0.7 15.0.7, a reflected cross-site scripting XSS vulnerability has been identified when MOVEit Gateway is used in conjunction with MOVEit Transfer. An attacker could craft a malicious payload targeting...

6.1CVSS5.6AI score0.00511EPSS
Exploits0References2
CNNVD
CNNVD
added 2023/09/05 12:0 a.m.6 views

A.K.I Software PMailServer Security Vulnerability

A.K.I Software PMailServer is an email server from A.K.I Software, Japan. A security vulnerability exists in A.K.I Software PMailServer and PMailServer2, which stems from a stored cross-site scripting vulnerability that can be exploited by an attacker to execute arbitrary script on a logged-in...

5.4CVSS6.4AI score0.00297EPSS
Exploits0References4
The Hacker News
The Hacker News
added 2023/05/29 7:14 a.m.4 views

Don't Click That ZIP File! Phishers Weaponizing .ZIP Domains to Trick Victims

A new phishing technique called "file archiver in the browser" can be leveraged to "emulate" a file archiver software in a web browser when a victim visits a .ZIP domain. "With this phishing attack, you simulate a file archiver software e.g., WinRAR in the browser and use a .zip domain to make it...

6.2AI score
Exploits0
ATTACKERKB
ATTACKERKB
added 2023/05/23 2:15 a.m.5 views

CVE-2023-22654

Client-side enforcement of server-side security issue exists in T&D Corporation and ESPEC MIC CORP. data logger products, which may lead to an arbitrary script execution on a logged-in user's web browser. Affected products and versions are as follows: T&D Corporation data logger products TR-71W/7...

5.4CVSS7.1AI score0.00508EPSS
Exploits0References4
The Hacker News
The Hacker News
added 2023/05/05 11:49 a.m.3 views

Hackers Targeting Italian Corporate Banking Clients with New Web-Inject Toolkit DrIBAN

Italian corporate banking clients are the target of an ongoing financial fraud campaign that has been leveraging a new web-inject toolkit called drIBAN since at least 2019. "The main goal of drIBAN fraud operations is to infect Windows workstations inside corporate environments trying to alter...

6.1AI score
Exploits0
Rapid7 Blog
Rapid7 Blog
added 2022/08/25 4:36 p.m.14 views

[The Lost Bots] S02E03: Browser-in-Browser Attacks — Don't Get (Cat)-Phished

!\The Lost Bots\ S02E03: Browser-in-Browser Attacks — Don't Get \Cat-Phishedhttps://blog.rapid7.com/content/images/2022/08/The-Lost-Bots-logo-large.png Welcome back to The Lost Bots! In our latest episode, we're talking about phishing attacks — but not your standard run-of-the-mill version...

0.1AI score
Exploits0
Positive Technologies
Positive Technologies
added 2022/08/11 12:0 a.m.4 views

PT-2022-14566 · Google · Android

Name of the Vulnerable Software and Affected Versions: Android versions Android-13 Description: The issue concerns a missing permission check in the SELinux policy, which could allow local information disclosure about the websites being opened in the browser. This can be exploited without...

3.3CVSS3.7AI score0.00094EPSS
Exploits0References2
NVD
NVD
added 2022/06/02 2:15 p.m.32 views

CVE-2021-34083

Google-it is a Node.js package which allows its users to send search queries to Google and receive the results in a JSON format. When using the 'Open in browser' option in versions up to 1.6.2, google-it will unsafely concat the result's link retrieved from google to a shell command, potentially...

9.3CVSS0.01924EPSS
Exploits1References3
Rows per page
Query Builder