CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSSF Malicious Packages•added last week•6 views

Malicious code in nemo-reporter (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 42a43ec0a345170ad191fa1c25bdd4000595aa8ce733c6b9c69de6b65a1defb2 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

5.8AI score

OSV•added last week•2 views

MAL-2026-4836 Malicious code in nemo-reporter (npm)

5.8AI score

RedhatCVE•added 2026/05/27 8:13 p.m.•4 views

CVE-2026-44667

FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, Faction is vulnerable to stored cross-site scripting XSS via attachment filenames in remediation verification file preview flows. User-supplied filename values are persisted and then rendered into HTML and...

NVD•added 2026/05/26 6:16 p.m.•8 views

CVE-2026-44667

8.7CVSS0.00033EPSS

EUVD•added 2026/05/26 5:43 p.m.•5 views

EUVD-2026-31944

FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, AccessControlInterceptor, the authentication gate for all Struts2 actions, unconditionally calls invocation.invoke without checking for a valid session. Four action methods in BoilerPlateConfig perform no local...

CVE•added 2026/05/26 5:43 p.m.•8 views

CVE-2026-44668

CVE-2026-44668 affects FACTION, a PenTesting Report Generation and Collaboration Framework. Prior to version 1.8.3, the authentication gate for all Struts2 actions is implemented by AccessControlInterceptor and unconditionally calls invocation.invoke() without validating a session. Four methods i...

Vulnrichment•added 2026/05/26 5:43 p.m.•3 views

CVE-2026-44668 Faction: Unauthenticated Read, Modify, and Delete of Boilerplate Templates

ATTACKERKB•added 2026/05/26 5:43 p.m.•4 views

CVE-2026-44669

FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, Faction is vulnerable to stored cross-site scripting XSS via attachment filenames in assessment file preview flows. User-supplied filename values are persisted and later rendered into HTML/attribute contexts...

Exploits0References3Affected Software1

EUVD•added 2026/05/26 5:43 p.m.•6 views

EUVD-2026-31943

CVE•added 2026/05/26 5:43 p.m.•12 views

CVE-2026-44669

CVE-2026-44669 affects FACTION, a PenTesting Report Generation and Collaboration Framework. Before version 1.8.3, it is vulnerable to stored XSS in attachment filenames used in the assessment file preview flow. User-supplied filename values are persisted server-side and later rendered into HTML/a...

EUVD•added 2026/05/26 5:42 p.m.•5 views

EUVD-2026-31942

CVE•added 2026/05/26 5:42 p.m.•7 views

CVE-2026-44667

FACTION is a PenTesting Report Generation and Collaboration Framework. A stored XSS flaw exists prior to version 1.8.3 where user-supplied attachment filename values are persisted and rendered into HTML and attribute contexts without output encoding in remediation verification/file preview flows....

Vulnrichment•added 2026/05/26 5:42 p.m.•4 views

CVE-2026-44667 Faction: Stored XSS in Remediation Verification Attachment Filename Preview Rendering

Positive Technologies•added 2026/05/26 12:0 a.m.•4 views

PT-2026-43347

Positive Technologies•added 2026/05/26 12:0 a.m.•6 views

PT-2026-43346

CNNVD•added 2026/05/26 12:0 a.m.•4 views

Exploits0References4

Faction 跨站脚本漏洞

Faction is an open-source collaborative framework for generating and evaluating penetration reports developed by Faction Security. Versions of Faction prior to 1.8.3 contained a cross-site scripting vulnerability. This vulnerability stemmed from the lack of output encoding for attachment file nam...

8.7CVSS5.7AI score0.00033EPSS

OSV•added 2026/05/21 5:9 p.m.•1 views

GHSA-JF2Q-463C-6F52 androidqf: Zip entry Name Injection in APK bundle (Zip Slip for zip consumers)

Summary generateZipPath constructs zip entry names for collected APKs using device controlled content from extractFileName. Since extractFileName does not reject traversal sequences, the resulting zip entry name can contain ../. AndroidQF itself does not extract the zip it creates, but any forens...

4.8CVSS5.8AI score

ATTACKERKB•added 2026/05/07 10:28 a.m.•4 views

CVE-2026-33588

Lack of user input validation in the file upload functionality of Open Notebook v1.8.3 allows the application user to create or modify files on the docker container via path traversal...

7CVSS5.8AI score0.0007EPSS

Cvelist•added 2026/05/07 10:28 a.m.•25 views

CVE-2026-33588 Arbitrary File Write Through Path Traversal

Lack of user input validation in the file upload functionality of Open Notebook v1.8.3 allows the application user to create or modify files on the docker container via path traversal...

7CVSS0.0007EPSS