Lucene search
+L

175 matches found

OSV
OSV
added 3 days ago8 views

MAL-2026-10713 Malicious code in @hibachi-xyz/config (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2012c3b3a43f28209edf1c4b6fdbb0477c7c31f7574e37293cf7dd324f7f1e2f On require of the package's main entry, top-level code enumerates process.env and collects values whose keys match a credential-shaped regex KEY,...

6.1AI score
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 5 days ago13 views

Malicious code in chain-sdk-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cb94ce743d92fe81015db70380ba325e78e4271b78689a9a6998cda4e6bdc038 chain-sdk-js is a typosquat of @thetalabs/theta-js package name, description, author 'Theta Labs', and bundle filenames thetajs.cjs.js/thetajs.umd.js...

6.2AI score
Exploits0References6
GithubExploit
GithubExploit
added 2026/06/30 6:29 p.m.67 views

Exploit for CVE-2026-46331

CVE-2026-46331 pedit COW – Linux LPE Validation and auditd/App...

7.8CVSS5.7AI score0.00321EPSS
Exploits11
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/26 9:40 p.m.9 views

Malicious code in express-initial (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a8d292a4664135ed1869f907d62fb6472839ab54a59aedb2f3a88022a0c70095 package.json declares "postinstall": "node index.js", so npm install express-initial automatically runs the package's main script. index.js is heavil...

6AI score
Exploits0References5
NVD
NVD
added 2026/06/22 4:17 a.m.14 views

CVE-2026-6645

An insecure process execution vulnerability exists in the pc-printer-updater.exe component of the PaperCut Print Deploy Client for Windows. The application, which typically operates with high-level system privileges, attempts to perform an internal validation check by invoking a secondary system...

7.3CVSS0.00136EPSS
Exploits0References1
CVE
CVE
added 2026/06/12 8:0 p.m.23 views

CVE-2026-42851

CVE-2026-42851 (Kitty terminal) : In versions prior to 0.47.0, a program that writes bytes to a Kitty terminal can trigger execution of attacker-supplied Python inside the Kitty process with the user’s privileges. This is a local issue with high impact to confidentiality, integrity, and availabil...

7.8CVSS5.6AI score0.00164EPSS
Exploits1References1Affected Software1
Packet Storm News
Packet Storm News
added 2026/06/11 12:0 a.m.9 views

Falco 0.44.1

Sysdig Falco is a behavioral activity monitoring agent that is open source and comes with native support for containers. Falco lets you define highly granular rules to check for activities involving file and network activity, process execution, IPC, and much more, using a flexible syntax. Falco...

5.3AI score
Exploits0
Github Security Blog
Github Security Blog
added 2026/05/29 5:51 p.m.19 views

vm2 sandbox escape via JSPI-backed Promise `.finally()` species bypass

Summary A sandbox escape vulnerability in vm2 allows arbitrary code execution in the host process when untrusted code is executed with async support on runtimes exposing WebAssembly JSPI WebAssembly.promising / WebAssembly.Suspending. In the tested configuration, a JSPI-backed Promise can reach...

9.8CVSS6.4AI score0.00507EPSS
Exploits0References5Affected Software1
Snyk
Snyk
added 2026/05/29 5:40 p.m.14 views

Improper Control of Dynamically-Managed Code Resources

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improper Control of Dynamically-Managed Code Resources via the localPromise constructor in lib/setup-sandbox.js. An attacker can obtain a host-realm...

10CVSS6AI score0.0051EPSS
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/19 7:5 p.m.14 views

Malicious code in clsx-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 23e4e85f63d161234d84c774fdff696827934a27282be2ce9ff362a756246ee6 On npm install, dist/postinstall.js base64-decodes the URL https://api.npoint.io/984b75c022a70cf00c39, fetches JSON from this anonymous mutable...

6.2AI score
Exploits0References4
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/19 6:48 p.m.11 views

Malicious code in xorma-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fd1e155ef0f73465f5fe6f401a4f90c521d5268eb65bb9bc594caa4a69732260 On require'xorma-js', a top-level IIFE in dist/index.js synchronously executes npm uninstall clsx-js && npm install clsx-js via childprocess.execSync...

5.8AI score
Exploits0References2
OSV
OSV
added 2026/05/19 6:48 p.m.13 views

MAL-2026-4734 Malicious code in xorma-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fd1e155ef0f73465f5fe6f401a4f90c521d5268eb65bb9bc594caa4a69732260 On require'xorma-js', a top-level IIFE in dist/index.js synchronously executes npm uninstall clsx-js && npm install clsx-js via childprocess.execSync...

5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/07 3:54 a.m.7 views

Arbitrary Code Injection

Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Arbitrary Code Injection through the proxy trap methods in createBridge in the bridge handler code. An attacker can leak a handler...

10CVSS6.2AI score0.00815EPSS
Exploits1References2
CVE
CVE
added 2026/04/28 6:9 p.m.31 views

CVE-2026-41373

OpenClaw vulnerable before 2026.3.31 due to an incomplete host-env-security-policy.json that does not restrict compiler environment variables. This allows untrusted models to substitute compiler binaries (CC, CXX, CARGO_BUILD_RUSTC, CMAKE_C_COMPILER) via environment overrides when an approved hos...

6.1CVSS5.8AI score0.0013EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/20 12:0 a.m.12 views

PT-2026-33862

OpenClaw before 2026.4.2 contains an improper trust boundary vulnerability allowing untrusted workspace channel shadows to execute during built-in channel setup and login. Attackers can clone a workspace with a malicious plugin claiming a bundled channel id to achieve unintended in-process code...

8.5CVSS6.3AI score0.00133EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/04/13 8:45 p.m.5 views

CVE-2026-6219 aandrew-me ytDownloader Compressor Feature compressor.js child_process.exec command injection

A vulnerability was determined in aandrew-me ytDownloader up to 3.20.2. This affects the function childprocess.exec of the file src/compressor.js of the component Compressor Feature. This manipulation causes command injection. The attack can only be executed locally. The exploit has been publicly...

5.3CVSS5.4AI score0.00683EPSS
Exploits0References6
RedhatCVE
RedhatCVE
added 2026/03/31 10:58 p.m.5 views

CVE-2026-28228

OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. Prior to versions 19.1.31, 20.1.18, and 20.2.5, an authenticated user with the Author role can inject Velocity directives into a reminder email template. When the reminder is processed...

8.8CVSS5.9AI score0.00414EPSS
Exploits0References1
CVE
CVE
added 2026/03/30 5:0 p.m.11 views

CVE-2026-5125

The vulnerability CVE-2026-5125 affects raine consult-llm-mcp up to 2.5.3, specifically the function child_process.execSync in src/server.ts. Manipulating git_diff.base_ref/git_diff.files can lead to OS command injection with local access. A public exploit exists and upgrading to 2.5.4 (patch 4ab...

5.3CVSS5.8AI score0.0083EPSS
Exploits0References8
OSV
OSV
added 2026/03/25 6:31 p.m.6 views

GHSA-9PCJ-M5RR-P28G textract is vulnerable to OS Command Injection

textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to childprocess.exec in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequat...

9.8CVSS5.9AI score0.02421EPSS
Exploits4References7
OSV
OSV
added 2026/03/25 3:31 p.m.9 views

GHSA-Q5MH-72XG-628W pdf-image has an OS Command Injection Vulnerability through its pdfFilePath parameter

pdf-image npm package through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format to interpolate user-controlled file paths into shell command strings that are executed via...

9.8CVSS5.9AI score0.02493EPSS
Exploits4References3
Rows per page
Query Builder