CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSV•added 2026/05/25 8:18 p.m.•4 views

MAL-2026-4396 Malicious code in @izumiswap/sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 63bd0a7aaa4ac18d8ae0c57c07bec05cb4f69e8650e77c117d11c048e5cec004 On npm install, scripts/postinstall.js runs as the preinstall/postinstall lifecycle hook and performs an unambiguous install-time RCE. It first...

Cvelist•added 2026/05/25 7:30 p.m.•16 views

CVE-2026-48849

In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, an unsanitized subject field in the draft restored value could lead to stored XSS/HTML/CSS injection on shared mailboxes...

4.4CVSS0.00033EPSS

Debian CVE•added 2026/05/25 7:30 p.m.•7 views

CVE-2026-48849

In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, an unsanitized subject field in the draft restored value could lead to stored XSS/HTML/CSS injection on shared mailboxes...

4.4CVSS5.8AI score0.00033EPSS

Exploits0

CVE•added 2026/05/25 7:0 p.m.•14 views

CVE-2026-9484

Affected software : SourceCodester Student Grades Management System 1.0. Vulnerability : In classroom.php, the functions getClassroomStudents and removeStudentFromClassroom can be manipulated by altering the classroom_id argument, leading to improper authorization. The issue is exploitable remote...

6.5CVSS6.4AI score0.00048EPSS

Exploits0References7

OSV•added 2026/05/25 6:12 p.m.•5 views

MAL-2026-4378 Malicious code in @databus-service-ui/scroll-up-content (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 02414b019347c91f59a506d88dffc19306c7c287936df0d42327ad6b32eb0bf2 scripts/postinstall.js performs two independent attacker-benefit actions when npm install runs. First, it scrapes installer-side secrets — environmen...

OSSF Malicious Packages•added 2026/05/25 6:11 p.m.•7 views

Malicious code in @service-suppliers/suppliers (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a79ca8ef6257be2fbac9c361b969d9e63ce6a833e42dafa4b558e1f805276502 On npm install, scripts/postinstall.js performs two attacker-benefit actions against the installer. First, it scrapes installer-side credentials: it...

OSSF Malicious Packages•added 2026/05/25 6:7 p.m.•7 views

Malicious code in @service-suppliers/select-supplier-watcher-saga (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3829c1a8be4ed51ad5c9d714d223cb037f7d76df868b73e63c69c6c60ff8dbf3 On npm install, scripts/postinstall.js fetches a platform-specific script from https://oob.moika.tech/payload/linux|mac|win, writes it to the OS temp...

OSV•added 2026/05/25 6:7 p.m.•3 views

MAL-2026-4436 Malicious code in @service-suppliers/select-supplier-watcher-saga (npm)

CVE•added 2026/05/25 4:45 p.m.•15 views

CVE-2026-9475

Totolink A8000RU Web Management interface vulnerable in /cgi-bin/cstecgi.cgi (function setIpQosRules). CVE-2026-9475 affects Totolink A8000RU 7.1cu.643_b20200521; manipulating the Comment argument enables OS command injection. Remote exploitation is possible; exploit publicly disclosed. According...

10CVSS7AI score0.01254EPSS

NVD•added 2026/05/25 4:16 p.m.•11 views

CVE-2026-9469

A weakness has been identified in yashpokharna2555 StudentManagementSystem cb2f558ddf8d19396de0f92abf2d224d46a0a203. The impacted element is an unknown function of the file /success.php. This manipulation of the argument User causes sql injection. It is possible to initiate the attack remotely. T...

7.5CVSS0.00039EPSS

OSV•added 2026/05/25 3:35 p.m.•4 views

MAL-2026-4404 Malicious code in @loans/vehicles-api (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 23e2b702fc2de01ebe69a6d2baa4766782db91842f096c04b4b5d019105cd91b @loans/vehicles-api is a dependency-confusion package targeting an internal @loans npm scope claimed homepage docs.loans.io, README directs users to ...

6.1AI score

OSSF Malicious Packages•added 2026/05/25 2:16 p.m.•6 views

Malicious code in wml-core (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 46afe229d6efe1ef10d025302ed21e5c2c44bdd772c8fbb28d037cb1215c84ba [email protected] is a dependency-confusion package targeting an internal wml- namespace, published with an inflated version 99.0.1 to win npm resoluti...

5.9AI score

Exploits0References1

OSV•added 2026/05/25 2:16 p.m.•5 views

MAL-2026-4731 Malicious code in wml-core (npm)

5.9AI score

Exploits0References1

EUVD•added 2026/05/25 2:15 p.m.•8 views

EUVD-2018-21897

Softneta MedDream PACS Server Premium 6.7.1.1 contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the path parameter. Attackers can send requests to nocache.php with encoded backslash sequences to traverse directories and acce...

8.7CVSS5.9AI score0.00683EPSS

OSV•added 2026/05/25 1:57 p.m.•7 views

MAL-2026-4587 Malicious code in intl-ads (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c7e29be11c53c137c2a24258ae423cf422fefcaad06183d67aa5c895a8fe4801 On npm install, the package's scripts.preinstall runs poc.js which collects hostname, username, full network configuration ipconfig/ip a/resolv.conf,...

5.9AI score

OSV•added 2026/05/25 1:57 p.m.•5 views

MAL-2026-4688 Malicious code in tempo-shared-modules (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bc05637e4f67c7a00ac3b790680f46174243df9c2740a161a029d4b266a79839 On npm install, the preinstall script poc.js collects host identity hostname, username, OS/platform, network configuration ipconfig / ip a /...

OSSF Malicious Packages•added 2026/05/25 1:57 p.m.•7 views

Malicious code in tempo-shared-modules (npm)