CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Positive Technologies•added 2026/05/20 12:0 a.m.•8 views

PT-2026-42379

free5GC's SMF UPI management interface lacks auth middleware; unauthenticated topology read/write requests reach handlers in github.com/free5gc/smf...

OSSF Malicious Packages•added 2026/05/19 8:37 p.m.•7 views

Exploits0References5

Malicious code in nebulix-ai (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 93ea83117b0ae362a2b55ad581d69b3600c81b78d2e90c19bb1ea9eea2266a4c The package's documented NebulixEngine.chat API hardcodes two Firebase Realtime Database URLs owned by the author...

OSV•added 2026/05/19 8:28 p.m.•7 views

GHSA-6XWP-CP5H-Q856 Malicious code in @beproduct/nestjs-auth (0.1.2 through 0.1.19) — Mini Shai-Hulud worm

Summary Between 2026-05-11 20:19 UTC and 22:56 UTC, an attacker used a compromised npm publish token to publish 18 malicious versions of @beproduct/nestjs-auth 0.1.2 through 0.1.19. The packages contained payloads from the Mini Shai-Hulud npm supply-chain worm campaign described by Aikido Securit...

10CVSS5.8AI score

Github Security Blog•added 2026/05/19 8:28 p.m.•8 views

Malicious code in @beproduct/nestjs-auth (0.1.2 through 0.1.19) — Mini Shai-Hulud worm

Exploits0References4Affected Software1

OSV•added 2026/05/19 8:4 p.m.•4 views

GHSA-6X44-W3XG-HQQF Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft

Summary azureidentity.Validate verifies that the PKCS7 signer certificate chains to a trusted Azure CA but never verifies the PKCS7 signature itself. An attacker can embed a legitimate Azure certificate alongside arbitrary content e.g. "vmId":"" and the forged vmId will be accepted returning the...

9.1CVSS5.9AI score

Exploits0References9

OSSF Malicious Packages•added 2026/05/19 7:7 p.m.•5 views

Malicious code in @arbocollab/arbo-web-people (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3f007c3da95aa64e4c2ed5b51b736900ddc444499f2f678d749603fab516a0c3 The published tarball ships npmjs.npmrc containing a live npm-prefixed authToken for registry.npmjs.org scoped to @arbocollab. package.json declares...

5.9AI score

Exploits0References6

Github Security Blog•added 2026/05/19 4:17 p.m.•13 views

Github Actions issued GITHUB_TOKEN disclosure in GitHub Actions logs

Summary Composer leaks the full contents of tokens configured as GitHub OAuth tokens if they do not match Composer's expected format for such tokens to stderr. GitHub has introduced a new format for GitHub Actions GITHUBTOKEN values. These tokens are validated in the same way by Composer on GitHu...

5.7AI score

Exploits0References3Affected Software1

OSV•added 2026/05/19 3:47 p.m.•4 views

GHSA-HV85-774V-26FG auth-fetch-mcp: SSRF and disk exfiltration via unvalidated auth_fetch and download_media URLs

SSRF + disk-exfil in downloadmedia and authfetch tools — ymw0407/auth-fetch-mcp Severity The downloadmedia and authfetch MCP tools accept arbitrary URLs and reach them as the MCP server process, with downloadmedia additionally persisting the fetched response body to a user-controlled output...

8.2CVSS6AI score

Exploits0References3

Patchstack•added 2026/05/19 3:47 p.m.•5 views

NPM: auth-fetch-mcp: SSRF and disk exfiltration via unvalidated auth_fetch and download_media URLs

NPM: auth-fetch-mcp: SSRF and disk exfiltration via unvalidated authfetch and downloadmedia URLs vulnerability discovered by ? in WordPress Npm auth-fetch-mcp versions = 3.0.0...

Exploits0References3Affected Software1

Github Security Blog•added 2026/05/19 3:47 p.m.•5 views

auth-fetch-mcp: SSRF and disk exfiltration via unvalidated auth_fetch and download_media URLs

6AI score

Exploits0References3Affected Software1

OSV•added 2026/05/19 2:36 p.m.•3 views

GHSA-XWCR-WM99-G9JC Algernon: handler.lua discovery walks parent directories above the server root

Summary When Algernon is asked for any URL path that resolves to a directory without an index file, DirPage walks upward through parent directories — past the configured server root — looking for a file named handler.lua to execute as the request handler. The loop terminates only after 100 ancest...

9CVSS6.5AI score0.00223EPSS

Snyk•added 2026/05/19 10:51 a.m.•6 views

User Impersonation

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to User Impersonation through the SessionCodeChecks logic in SessionCodeChecks.java. An attacker can reuse an...

7.7CVSS5.8AI score0.00017EPSS

OSSF Malicious Packages•added 2026/05/19 12:0 a.m.•7 views

Malicious code in @antv/gi-assets-tugraph (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

Positive Technologies•added 2026/05/19 12:0 a.m.•9 views

PT-2026-41968

Summary The Mailpit SMTP server has a Server.MaxSize int field that controls the maximum allowed DATA payload size, but the field is never assigned anywhere outside test code, leaving it at Go's zero value 0 ⇒ "no limit". The same applies to the HTTP /api/v1/send endpoint, whose request body is...

7.5CVSS5.8AI score

OSV•added 2026/05/19 12:0 a.m.•6 views

MAL-2026-4123 Malicious code in @lint-md/cli (npm)

OSV•added 2026/05/19 12:0 a.m.•5 views

Exploits0References5

MAL-2026-4059 Malicious code in @antv/li-aiearth-assets (npm)