
2270 matches found

NVD
added 6 days ago, 8 views

CVE-2026-5952

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.11 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with developer-role permissions to bypass package protection rules and overwrite...

CVSS 4.3, EPSS 0.00195
Exploits: 0, References: 3

Cvelist
added 6 days ago, 30 views

CVE-2026-5796 Incorrect Authorization in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.6 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with Reporter-level group permissions to view package metadata from projects with the...

CVSS 4.3, EPSS 0.00193
Exploits: 0, References: 3

CVE
added 6 days ago, 89 views

CVE-2026-5796

GitLab CE/EE contains a fixed vulnerability (CVE-2026-5796) that could allow an authenticated user with Reporter-level group permissions to view package metadata from projects when the Package Registry is disabled. Affected versions include all 13.6.x prior to 18.11.6, 19.0.x prior to 19.0.3, and...

CVSS 4.3, AI score 5.9, EPSS 0.00193
Exploits: 0, References: 3, Affected Software: 1

Tenable Nessus
added 6 days ago, 4 views

GitLab 13.6 < 18.11.6 / 19.0 < 19.0.3 / 19.1 < 19.1.1 (CVE-2026-5796)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.6 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an...

CVSS 4.3, AI score 5.9, EPSS 0.00193
Exploits: 0, References: 5

NVD
added 2026/06/21 2:16 p.m., 11 views

CVE-2026-56395

SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package...

CVSS 9.6, EPSS 0.00391
Exploits: 0, References: 2

ATTACKERKB
added 2026/06/21 1:27 p.m., 7 views

CVE-2026-56397

SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package...

CVSS 9.6, AI score 6.7, EPSS 0.00391
Exploits: 0, References: 3

CVE
added 2026/06/21 1:27 p.m., 22 views

CVE-2026-56397

CVE-2026-56397 affects SiYuan prior to v3.6.1 where Bazaar marketplace metadata and README aren’t sanitized, allowing malicious authors to inject HTML/JavaScript. This can enable remote code execution on users browsing Bazaar by embedding XSS payloads in displayName, description, or README, takin...

CVSS 9.6, AI score 6.7, EPSS 0.00391
Exploits: 0, References: 2

Cvelist
added 2026/06/21 1:27 p.m., 32 views

CVE-2026-56395 SiYuan - Remote Code Execution via Malicious Bazaar Package Metadata and README

SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package...

CVSS 9.6, EPSS 0.00391
Exploits: 0, References: 2

CVE
added 2026/06/21 1:27 p.m., 21 views

CVE-2026-56395

SiYuan exposes a vulnerability (CVE-2026-56395) where SiYuan versions prior to 3.6.1 fail to sanitize Bazaar marketplace metadata and README content, enabling arbitrary HTML/JavaScript injection. The underlying issue is improper sanitization of package displayName, description, or README fields,...

CVSS 9.6, AI score 6.7, EPSS 0.00391
Exploits: 0, References: 2

ATTACKERKB
added 2026/06/21 1:27 p.m., 6 views

CVE-2026-56395

SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package...

CVSS 9.6, AI score 6.7, EPSS 0.00391
Exploits: 0, References: 3

Positive Technologies
added 2026/06/21 12:0 a.m., 17 views

PT-2026-51236

Name of the Vulnerable Software and Affected Versions: SiYuan versions prior to 3.6.1. Description: SiYuan fails to sanitize package metadata and README content within the Bazaar marketplace. This allows malicious authors to inject arbitrary HTML and JavaScript into the displayName, description, or...

CVSS 9.6, AI score 6.7, EPSS 0.00391
Exploits: 0, References: 7

OSV
added 2026/06/19 3:11 p.m., 8 views

GHSA-VMHF-C436-HXJ4 JupyterLab: Stored XSS in extension manager through package metadata unsanitized URI protocol

A malicious PyPI package can place a javascript: URL in its project.urls metadata. JupyterLab's Extension Manager renders this as the extension's home-page link without validating the protocol, so a user who clicks the extension name executes attacker-controlled JavaScript in the JupyterLab origi...

CVSS 5.1, AI score 5.9
Exploits: 0, References: 5

OSSF Malicious Packages
added 2026/06/09 4:6 p.m., 11 views

Malicious code in @sflyinc-knapsack/shutterfly-react (npm)

Source: amazon-inspector d1b554d911cfb6d444727262a62e2db10f22a75d53d23741d6c2684f62fb6e5d. On require/load, index.js collects host identifiers os.hostname, os.userInfo, os.homedir, DNS server configuration, package.json metadata, and dirnam...

AI score 5.5
Exploits: 0, References: 1

OSV
added 2026/06/09 4:6 p.m., 8 views

MAL-2026-5393 Malicious code in @sflyinc-knapsack/shutterfly-react (npm)

Source: amazon-inspector d1b554d911cfb6d444727262a62e2db10f22a75d53d23741d6c2684f62fb6e5d. On require/load, index.js collects host identifiers os.hostname, os.userInfo, os.homedir, DNS server configuration, package.json metadata, and dirnam...

AI score 5.5
Exploits: 0, References: 1

OSSF Malicious Packages
added 2026/05/22 6:9 a.m., 11 views

Malicious code in @druids/ui (npm)

Source: amazon-inspector 071ce35c0d6a17c606e5448f4c485228df973342935b0a11519304050877edf5. The package's package.json declares a dependency ltidisafe resolved not from the npm registry but as a direct tarball URL:...

AI score 5.9
Exploits: 0, References: 1

OSSF Malicious Packages
added 2026/05/21 8:42 p.m., 11 views

Malicious code in configcat-trello-powerup (npm)

Source: amazon-inspector 5365489bc7a763096bf4be47f80bd47e4513917d8b37ba2754e33ae11983872b. package.json declares "preinstall": "node index.js", which fires automatically on npm install. index.js collects host identifiers os.hostname,...

AI score 5.8
Exploits: 0, References: 1

Snyk
added 2026/05/20 7:7 p.m., 5 views

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the rendering of unescaped name and version metadata fields. An attacker can execute arbitrary scripts or code within the application context by submitting specially crafted package metadata. Details...

CVSS 9, AI score 5.8, EPSS 0.00361
Exploits: 0, References: 3

Veracode
added 2026/05/16 5:25 a.m., 10 views

OS Command Injection

Fleet is vulnerable to Command Injection. The vulnerability is due to improper sanitization of software package metadata used in auto-generated uninstall scripts, allowing specially crafted package metadata to inject and execute arbitrary commands with elevated privileges root on macOS/Linux or...

CVSS 9.8, AI score 6, EPSS 0.00773
Exploits: 0, References: 2, Affected Software: 1

RedhatCVE
added 2026/05/15 7:57 p.m., 10 views

CVE-2026-26191

Fleet is open source device management software. Prior to version 4.81.0, a vulnerability in Fleet's software installer pipeline could allow a crafted software package to execute arbitrary commands as root (macOS/Linux) or SYSTEM (Windows) on managed endpoints when an uninstall is triggered. When a...

CVSS 9.8, AI score 6.2, EPSS 0.00773
Exploits: 0, References: 1

NVD
added 2026/05/14 8:17 p.m., 7 views

CVE-2026-26191

Fleet is open source device management software. Prior to version 4.81.0, a vulnerability in Fleet's software installer pipeline could allow a crafted software package to execute arbitrary commands as root (macOS/Linux) or SYSTEM (Windows) on managed endpoints when an uninstall is triggered. When a...

CVSS 9.8, EPSS 0.00773
Exploits: 0, References: 2