CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

EUVD•added 6 hours ago•3 views

EUVD-2026-39489

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm install in non-frozen mode can accept new remote package content after detecting that the downloaded tarball does not match the integrity recorded in pnpm-lock.yaml. When a package is already locked with an integrity value, and the...

6.8CVSS5.9AI score0.00017EPSS

Cvelist•added 6 hours ago•5 views

CVE-2026-55487 pnpm: manifest identity spoof satisfies allowBuilds and runs attacker lifecycle

pnpm is a package manager. Prior to 10.34.2 and 11.5.3, the generic peer-suffix normalizer also stripped parenthesized text from git, URL, tarball, file, and other opaque locators. Approval for one source string could therefore authorize a different attacker-controlled source whose locator...

7.5CVSS

ATTACKERKB•added 6 hours ago•2 views

CVE-2026-54448

Trivy is a security scanner. Prior to 0.71.0, when Trivy scans a Helm chart archive .tgz, its custom tar unpacker reads each entry with io.ReadAlltr and no size limit. An attacker who can place a malicious .tgz file in the scanned path can craft a small compressed archive that decompresses to...

6.9CVSS5.8AI score

Exploits0References3Affected Software1

OSSF Malicious Packages•added 3 days ago•7 views

Malicious code in node-fetch-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 78aef0d64a7d761d2987d27aea462083425e5692475cd81332b7a3152c754308 On Windows, scripts/postinstall.js XOR-decodes a hardcoded C2 host node22.lunes.host:3258, authenticates with a 5-minute rolling HMAC-SHA256 token,...

5.8AI score

Exploits0References8

OSV•added 2026/06/12 8:8 p.m.•168 views

GHSA-GV7W-RQVM-QJHR Withdrawn Advisory: esbuild: Missing binary integrity verification in Deno module enables remote code execution via NPM_CONFIG_REGISTRY

Withdrawn Advisory This advisory has been withdrawn because the affected package was incorrectly identified and the actual affected package is not in a supported ecosystem. This link is maintained to preserve external references. Original Description Summary The esbuild Deno module lib/deno/mod.t...

8.1CVSS6.1AI score

OSSF Malicious Packages•added 2026/06/10 5:38 p.m.•8 views

Malicious code in firefly-utilities-helper (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cadcdda902675162dd9cfabd9d8133986723d4c956437633f36a5a07b776ef59 [email protected] ships an empty stub index.js: module.exports = ; with no description, author, or repository, but declares a single...

OSV•added 2026/06/10 5:38 p.m.•9 views

MAL-2026-5517 Malicious code in firefly-utilities-helper (npm)

NVD•added 2026/06/10 3:16 p.m.•11 views

CVE-2026-53476

A flaw was found in assisted-migration-agent. An unauthenticated attacker, located on the same local area network LAN, can exploit a path traversal vulnerability. By crafting a specially designed gzipped tarball, the attacker can bypass security checks and write arbitrary files to the system. Thi...

9.6CVSS0.00291EPSS

CVE•added 2026/06/10 1:55 p.m.•15 views

CVE-2026-53476

The CVE-2026-53476 vulnerability affects the assisted-migration-agent and is triggered by an unauthenticated attacker on the same LAN who crafts a gzipped tarball to exploit a path traversal flaw, bypassing security checks and writing arbitrary files to the system. This leads to potential unautho...

Exploits0References3Affected Software1

Cvelist•added 2026/06/10 1:55 p.m.•33 views

CVE-2026-53476 Assisted-migration-agent: vddk tarball chained-symlink arbitrary file write

9.6CVSS0.00291EPSS

EUVD•added 2026/06/10 1:55 p.m.•10 views

EUVD-2026-36033

RedhatCVE•added 2026/06/10 1:55 p.m.•11 views

CVE-2026-53476

Positive Technologies•added 2026/06/10 12:0 a.m.•9 views

Exploits0References4

PT-2026-48449

OSV•added 2026/06/09 5:29 p.m.•8 views

Exploits0References4

MAL-2026-5456 Malicious code in via-city-tools-m-particle (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bc5c4f690e0399edc4408e7729291803db7916ed764bcfe16988f4cdccd5cfc1 The package exports an empty object module.exports = and has no functionality of its own. Its only substantive effect is to declare a dependency on...

OSSF Malicious Packages•added 2026/06/09 5:29 p.m.•9 views

Malicious code in via-city-tools-m-particle (npm)

OSSF Malicious Packages•added 2026/06/09 5:29 p.m.•11 views

Malicious code in ui-ng-components (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 198750c8e5d6f4d8a3f3f788a2fd9286f43b5a447bb0e3495b50663c44ddd2a7 Package [email protected] is an empty shell index.js exports , no author, no description, no functionality with a single dependency declared as...

OSV•added 2026/06/09 5:29 p.m.•10 views

MAL-2026-5454 Malicious code in ui-ng-components (npm)

OSSF Malicious Packages•added 2026/06/09 5:27 p.m.•6 views

Malicious code in uipath-sugar-sell (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 70cd5d70323e92395a2ea8f61a4089f1cca94e4bb81a7cad1375ae47d3461e6f Package [email protected] exhibits the canonical dependency-confusion shape: an internal-sounding name targeting a UiPath/SugarSell namespace,...

5.5AI score

OSV•added 2026/06/09 5:27 p.m.•6 views

MAL-2026-5455 Malicious code in uipath-sugar-sell (npm)

5.5AI score