CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSSF Malicious Packages•added 2026/05/19 12:0 a.m.•10 views

Malicious code in @antv/g-plugin-image-loader (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

OSSF Malicious Packages•added 2026/05/19 12:0 a.m.•11 views

Malicious code in jest-less-loader (npm)

OSV•added 2026/05/19 12:0 a.m.•3 views

MAL-2026-4142 Malicious code in jest-url-loader (npm)

OSSF Malicious Packages•added 2026/05/19 12:0 a.m.•7 views

Malicious code in jest-url-loader (npm)

vulnersOsv•added 2026/05/18 9:0 p.m.•1 views

@jason_mao/mao-ui (=0.0.1), aim-testing (>=0.0.5 <=0.0.8) potentially affected by unknown CVE via jest-less-loader (=0.2.0)

jest-less-loader NPM version =0.2.0 is affected by a known vulnerability. The following packages have a transitive dependency on jest-less-loader and may be impacted: - @jasonmao/mao-ui =0.0.1 - aim-testing =0.0.5, =0.0.8 Source cves: unknown CVE Source advisory: SNYK:JS-JESTLESSLOADER-16754444...

5.5AI score

vulnersOsv•added 2026/05/18 9:0 p.m.•2 views

@antv/g-canvas (>=2.0.0 <=2.0.52), @antv/g-canvaskit (>=1.0.0 <=1.0.51) +15 more potentially affected by unknown CVE via @antv/g-plugin-image-loader (>=2.0.0 <=2.3.1)

@antv/g-plugin-image-loader NPM version =2.0.0, =2.0.0, =1.0.0, =1.0.0, =1.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.56 - @antv/g6 =5.0.46 and more Source cves: unknown CVE Source advisory: SNYK:JS-ANTVGPLUGINIMAGELOADER-16754987...

5.5AI score

vulnersOsv•added 2026/05/18 9:0 p.m.•2 views

@antv/g-canvas (>=2.0.0 <=2.0.52), @antv/g-canvaskit (>=1.0.0 <=1.0.51) +15 more potentially affected by unknown CVE via @antv/g-plugin-image-loader (>=2.0.0 <=2.3.1)

5.5AI score

OSV•added 2026/05/18 3:38 p.m.•2 views

GHSA-C55G-RP4X-FX84 Microsoft DirectX: .spritefont multiply overflow only in 32-bit builds

Impact The spritefont reader can be induced to perform a 32-bit overflow multiply that could in theory result in a RCE. This impacts the use of the DirectX Tool Kit SpriteFont class file loading ctor if given untrusted data files. Note this only applies to x86/ARM builds of the library. ARM64 and...

6.9CVSS5.8AI score

Exploits0References4

OSSF Malicious Packages•added 2026/05/18 9:10 a.m.•8 views

Malicious code in secure-env-loader (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9fb7787215b2967bfcddab47d96770b6d2ec2e1328ea2ef789e003aa53de4960 The package secure-env-loader was found to contain malicious code. Source: ghsa-malware...

OSV•added 2026/05/18 9:10 a.m.•4 views

Exploits0References1

MAL-2026-3826 Malicious code in secure-env-loader (npm)

Snyk•added 2026/05/18 9:10 a.m.•3 views

Exploits0References1

Malicious Package

Overview secure-env-loader is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score

Exploits0References2

OSV•added 2026/05/16 10:16 p.m.•4 views

UBUNTU-CVE-2026-46728

Das U-Boot before 2026.04 allows FIT Flat Image Tree signature verification bypass because hashed-nodes is omitted from a hash...

UbuntuCve•added 2026/05/16 10:16 p.m.•5 views

Exploits0References4

CVE-2026-46728

Das U-Boot before 2026.04 allows FIT Flat Image Tree signature verification bypass because hashed-nodes is omitted from a hash...

CVE•added 2026/05/16 9:26 p.m.•12 views

Exploits0References3

CVE-2026-46728

The CVE-2026-46728 entry concerns U-Boot (before 2026.04) where FIT (Flat Image Tree) signature verification can bypass trust because hashed-nodes are omitted from a hash. Affected software: U-Boot (pre-2026.04). Vulnerable component: FIT signature verification process. Root cause: omission of ha...

Cvelist•added 2026/05/16 9:26 p.m.•34 views

Exploits0References2

CVE-2026-46728

Das U-Boot before 2026.04 allows FIT Flat Image Tree signature verification bypass because hashed-nodes is omitted from a hash...

8.2CVSS0.00004EPSS

Exploits0References2

Positive Technologies•added 2026/05/16 12:0 a.m.•8 views

PT-2026-41468

Name of the Vulnerable Software and Affected Versions Das U-Boot versions prior to 2026.04 Description Das U-Boot allows a Flat Image Tree FIT signature verification bypass. This occurs because hashed-nodes are omitted from a hash, which can lead to the acceptance of unsigned or modified images...

OSSF Malicious Packages•added 2026/05/14 7:25 p.m.•9 views

Malicious code in chai-as-regulated (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 67f7f8d21f5d33db136b1e10fc7fbb6d2a1540240911b0630e7fc9f8724c7b26 Package is published as chai-as-regulated, a name mimicking the widely-used chai-as-promised Chai plugin, and the README instructs users to register ...

The Hacker News•added 2026/05/14 2:0 p.m.•9 views

Exploits0References1

Ghostwriter Targets Ukrainian Government With Geofenced PDF Phishing, Cobalt Strike

The Belarus-aligned threat group known as Ghostwriter has been attributed to a fresh set of attacks targeting governmental organizations in Ukraine. Active since at least 2016, Ghostwriter has been linked to both cyber espionage and influence operations targeting neighboring countries, particular...

6AI score