CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSV•added 2026/05/21 10:33 p.m.•3 views

MAL-2026-4540 Malicious code in crypt0co-walet-poc (npm)

6AI score

Github Security Blog•added 2026/05/21 8:33 p.m.•9 views

MCP Server Kubernetes: Tool Access Control Bypass via Presentation-Layer Filtering Without Execution-Layer Enforcement

Summary mcp-server-kubernetes exposes three environment variables ALLOWONLYREADONLYTOOLS, ALLOWONLYNONDESTRUCTIVETOOLS, ALLOWEDTOOLS documented as access controls for restricting which Kubernetes operations are available. These controls are enforced at the tool discovery layer tools/list but not ...

6AI score

Exploits0References2Affected Software1

OSV•added 2026/05/21 8:33 p.m.•3 views

GHSA-CR22-WJX7-2W6M MCP Server Kubernetes: Tool Access Control Bypass via Presentation-Layer Filtering Without Execution-Layer Enforcement

8.8CVSS6AI score

RedhatCVE•added 2026/05/21 7:57 p.m.•8 views

CVE-2026-7860

A possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status. Because the build environment may contain credentials...

5.8CVSS5.8AI score0.00016EPSS

OSV•added 2026/05/21 6:41 p.m.•4 views

MAL-2026-4402 Malicious code in @kyungseopk1m/holidays-kr (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f8538f74ec98ab5287a941ebac99e8624ba40d809edbc5b033da1150254d8215 On import/use, dist/cjs/index.js and dist/mjs/index.js call fetch against the hardcoded endpoint https://kdata.kxxseop.workers.dev with data sourced...

OSV•added 2026/05/21 4:30 p.m.•4 views

RLSA-2026:6463 Important: openssh security update

OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. Security Fixes: openssh: OpenSSH GSSAPI: Information disclosure or denial of service due to uninitialized...

8.2CVSS7.1AI score0.00127EPSS

Rockylinux•added 2026/05/21 4:30 p.m.•8 views

openssh security update

An update is available for openssh. This update affects Rocky Linux 10. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list OpenSSH is an SSH protocol implementation supported by a number of Linux,...

7.5CVSS6.8AI score0.00127EPSS

Exploits0

OSV•added 2026/05/21 4:27 p.m.•3 views

RLSA-2026:6462 Important: openssh security update

8.2CVSS7.1AI score0.00127EPSS

OSV•added 2026/05/21 6:46 a.m.•5 views

MAL-2026-4775 Malicious code in wdt-erpmcp (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ec852c69947e2a2575ae37ce4a442a67dc01f7328c0c603b94c87aa84803623f wdt-erpmcp advertises itself as a generic MCP wrapper over the caller's Wangdian Tongda WDT ERP, and three of its four tools correctly read WDTAPPKEY...

OSSF Malicious Packages•added 2026/05/21 6:46 a.m.•7 views

Exploits0References3

Malicious code in wdt-erpmcp (PyPI)

OSSF Malicious Packages•added 2026/05/21 5:52 a.m.•5 views

Exploits0References3

Malicious code in auth0-templates-scripts-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ed9a505fcbf6daef28b6625dcbde65ea1dd00b01c1a684debfdedfc7e5bc3643 Package name impersonates the Auth0 ecosystem. Its postinstall hook node index.js runs unconditionally on npm install and performs a multi-stage data...

Fedora•added 2026/05/21 1:28 a.m.•8 views

[SECURITY] Fedora 43 Update: python-dotenv-1.2.2-1.fc43

Reads the key/value pairs from a .env file and can add them to environment variables...

6.6CVSS7.3AI score0.00004EPSS

Exploits1

Fedora•added 2026/05/21 12:57 a.m.•8 views

[SECURITY] Fedora 44 Update: python-dotenv-1.2.2-1.fc44

Reads the key/value pairs from a .env file and can add them to environment variables...

6.6CVSS7.3AI score0.00004EPSS

Exploits1

OSSF Malicious Packages•added 2026/05/21 12:52 a.m.•9 views

Malicious code in @djessicatony/folk-mcp-canary (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a504172fe0e456bd96cf7b4f9a6b6dda65dee7bd573833bbf5963b0be7a05ae8 index.js contains a beacon-style exfiltration primitive: a fetch POST at line 60-61 sends process.env data read at lines 30 and 34 to a hardcoded...

OSV•added 2026/05/21 12:51 a.m.•5 views

MAL-2026-4391 Malicious code in @gad360/apothem (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4f5e509ba6aa2f781391f03ff37ea8005440c1d1106391bdfa91abae06336ad3 The package's package.json declares a postinstall hook "postinstall": "node install.js" that runs install.js automatically on npm install. install.js...

OSV•added 2026/05/21 12:47 a.m.•5 views

MAL-2026-4617 Malicious code in n8n-nodes-pentest-rce (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2a813bc4a209e75b50151451de1c2a3c4a7e916b181b314416eafc43492b4eb5 On npm install, the package's postinstall script runs a shell pipeline that reads the Kubernetes service-account token from...

OSSF Malicious Packages•added 2026/05/21 12:47 a.m.•6 views

Exploits0References26

Malicious code in n8n-nodes-pentest-rce (npm)

OSV•added 2026/05/21 12:0 a.m.•2 views

Exploits0References26

MAL-2026-4203 Malicious code in crypto-credential-scanner (npm)

A coordinated supply-chain attack comprising 10 npm packages published by maintainer ddjidd5640 [email protected] within a 48-hour window 2026-05-19T03:55Z – 2026-05-21T04:31Z. All packages masquerade as legitimate Web3/DeFi developer security tools MCP servers while silently exfiltrating...

OSV•added 2026/05/21 12:0 a.m.•2 views

Exploits0References16

MAL-2026-4205 Malicious code in defi-threat-scanner (npm)