CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

319 matches found

OSSF Malicious Packages•added 2026/05/21 9:6 a.m.•9 views

Malicious code in http-uploader-dev (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 936024fb65d6ab06a1f01fcd765b534812efb873f076e81303d87c0b141bba2b package.json declares "preinstall": "bun run index.js", which on npm install invokes Bun to run index.js. index.js detects the host OS and shells out...

6.2AI score

Exploits0References7

NVD•added 2026/04/29 7:16 p.m.•5 views

CVE-2026-7439

AgentFlow's local web API accepts non-JSON content types on POST /api/runs and POST /api/runs/validate endpoints without enforcing application/json validation, allowing attackers to bypass trust-boundary enforcement on sensitive operations. Attackers can exploit this content-type validation...

4.8CVSS0.00089EPSS

Exploits0References3

CVE•added 2026/03/24 3:7 p.m.•8 views

CVE-2026-33335

CVE-2026-33335 affects Vikunja Desktop (Electron wrapper). From version 0.21.0 up to before 2.2.0, the wrapper forwards URLs from window.open() directly to shell.openExternal() without validation or protocol allowlisting. This enables an attacker who can inject a link that triggers window.open (e...

8CVSS5.9AI score0.00248EPSS

Exploits1References2Affected Software1

OSV•added 2026/02/17 4:31 a.m.•7 views

MAL-2026-928 Malicious code in polyutil (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 31a0fc68eee0841a78740fd3e3748171612b871b58bf9f3e52b4fa35bed64774 The package is prepared to download a hardcoded executable and save it in %LOCALAPPDATA% under a very generic name, clearly aiming to hide its existence. Code ...

6.4AI score

Exploits0References6

OSV•added 2026/02/16 11:40 p.m.•9 views

MAL-2026-927 Malicious code in polyclawd (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 1f994af0e1b17c0d30e950a5aef9a45d8e34f6f59ab45fadddb05b340ed5cdad The package is prepared to download a hardcoded executable and save it in %LOCALAPPDATA% under a very generic name, clearly aiming to hide its existence. Code ...

6.4AI score

Exploits0References6