CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Github Security Blog•added 5 days ago•13 views

Appsmith Super User Creation Race Condition Allows Multiple Instance Administrators

Summary The /api/v1/users/super endpoint enforces a restriction that only one super user Instance Administrator can be created during initial setup. However, due to a Time-of-Check-Time-of-Use TOCTOU race condition in the signupAndLoginSuper method, concurrent requests can bypass this restriction...

5.3AI score

Exploits0References3Affected Software1

OSV•added 5 days ago•4 views

GHSA-9WCP-79G5-5C3C Appsmith Super User Creation Race Condition Allows Multiple Instance Administrators

8.1CVSS5.4AI score

Exploits0References3

Vulnrichment•added 5 days ago•7 views

CVE-2026-41568 Moby: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap

Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to create empty files or directories at arbitra...

6.1CVSS5.3AI score0.001EPSS

OSSF Malicious Packages•added 5 days ago•5 views

Malicious code in flexitest (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 17f4bae10d193f8128f50dd3010d283dc89016fa468fc8d9b428b5183c505b27 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

OSV•added 5 days ago•6 views

MAL-2026-5702 Malicious code in flexitest (PyPI)

OSSF Malicious Packages•added 5 days ago•5 views

Malicious code in nagios-xi (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c11c80cc2d314460d61a649c84fd75881388470382be8183b77b362e562a5c7f On import nagiosxi, the package's init.py lines 5-8 invokes socket.gethostbyname"atlass-check.autaeqjhfowvnnmkwhxjtq8x39d8nder1.oast.fun" inside a...

6.1AI score

OSV•added 5 days ago•3 views

MAL-2026-5698 Malicious code in nagios-xi (PyPI)

6.1AI score

OSSF Malicious Packages•added 5 days ago•5 views

Malicious code in jec (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 cfd390b5ea0fe558bd7f5fd56dec8386148e58d7f8d4b6bba14f8a2aa8b6d323 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

OSV•added 5 days ago•4 views

MAL-2026-5684 Malicious code in jec (PyPI)

GithubExploit•added 6 days ago•38 views

RISC-V-In-Proactive-computer-Security-PCS-

Exploring RISC-V in Proactive Computer Security PCS PUK pro...

5.4AI score

Exploits0

GithubExploit•added 6 days ago•40 views

RISC-V-In-Proactive-computer-Security-PCS

Exploring RISC-V in Proactive Computer Security PCS PUK pro...

5.4AI score

Exploits0

NVD•added 6 days ago•11 views

CVE-2026-49973

Hermes WebUI before version 0.51.358 contains an improper access control vulnerability that allows unauthenticated remote attackers to hijack initial setup by submitting the setpassword parameter to the settings API endpoint without any network origin restriction. Attackers on any reachable netwo...

9.4CVSS0.00543EPSS

Cvelist•added 6 days ago•23 views

CVE-2026-53819 OpenClaw < 2026.5.27 - Arbitrary Homebrew Executable Execution via Workspace .env Override

OpenClaw before 2026.5.27 contains an arbitrary code execution vulnerability in skill install flows where workspace .env files can override the Homebrew executable selection. Attackers with access to trusted operator workspaces can execute unintended Homebrew-compatible executables during skill...

8.8CVSS0.00298EPSS

CVE•added 6 days ago•11 views

CVE-2026-53819

OpenClaw prior to 2026.5.27 is affected by an arbitrary code execution vulnerability in skill install flows where workspace .env files can override the Homebrew executable selection. Attackers with access to trusted operator workspaces can cause OpenClaw to execute unintended Homebrew-compatible ...

8.8CVSS6.2AI score0.00298EPSS

Exploits0References2Affected Software1

Cvelist•added 6 days ago•23 views

CVE-2026-49973 Hermes WebUI < 0.51.358 Unauthenticated Password Takeover via /api/settings

9.4CVSS0.00543EPSS

CVE•added 6 days ago•10 views

CVE-2026-49973

CVE-2026-49973 affects Hermes WebUI prior to version 0.51.358. The issue is an improper access control in the settings API that allows unauthenticated remote attackers to hijack the initial setup by posting to the /api/settings endpoint using the _set_password parameter without origin restriction...

9.4CVSS5.7AI score0.00543EPSS

EUVD•added 6 days ago•7 views

EUVD-2026-36306

9.4CVSS5.7AI score0.00543EPSS

Github Security Blog•added 6 days ago•7 views

Kolibri has Unauthenticated Server-Side Request Forgery (SSRF) in RemoteFacilityUserViewset

Summary Several Kolibri API endpoints accept an unvalidated baseurl parameter and fetch attacker-controlled URLs from the Kolibri server, reflecting the response body back to the caller. The original report identified two endpoints on the RemoteFacilityUser viewsets; remediation review found two...

5.8AI score0.00047EPSS

Exploits0References3Affected Software1

OSSF Malicious Packages•added 6 days ago•6 views

Malicious code in bibip-bip (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c2b153c90d83d4653660dd79a5a0935af85bd804fd98163c42995403bca240a6 pyproject.toml declares a PEP 517 build requirement that points to an arbitrary tarball hosted on webhook.site, an anonymous request-inspection /...

6.3AI score