CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSV•added 4 days ago•4 views

MAL-2026-5534 Malicious code in @thomlecter1122/lab-helper-test (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 75adb75a0025882efbcde3ddd88882aaaedfd692425222eda99c148096f1f58a The package ships a postinstall lifecycle script seccheck.js that fires automatically on npm install. The script first checks whether the host has a...

5.4AI score

Exploits0References6

Metasploit•added 2026/06/03 7:1 p.m.•89 views

Gogs Git Rebase Argument Injection RCE

This module exploits an argument injection vulnerability in the pull request merge flow of Gogs is parsed by Git as the --exec flag rather than a positional argument, causing sh -c to run after each replayed commit during the rebase. Two exploitation methods are supported: - ownrepo: The attacker...

The Hacker News•added 2026/05/22 11:55 a.m.•18 views

Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows

Cybersecurity researchers have disclosed details of a new automated campaign called Megalodon that has pushed 5,718 malicious commits to 5,561 GitHub repositories within a six-hour window. "Using throwaway accounts and forged author identities build-bot, auto-ci, ci-bot, pipeline-bot, the attacke...

OSSF Malicious Packages•added 2026/05/21 8:0 a.m.•8 views

Malicious code in @tiledesk/tiledesk-server (npm)

@tiledesk/tiledesk-server version 2.18.12 is a compromised release of the legitimate Tiledesk customer support platform package. This version was injected with a CI pipeline backdoor as part of the megalodon campaign — a mass GitHub repository backdooring operation targeting CI/CD runner...

6.1AI score

Exploits0References3

OSSF Malicious Packages•added 2026/05/21 1:6 a.m.•8 views

Malicious code in cerebrum-core (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e0ac38481a69f23f9170b098fcd48cd72b82edb969bdd44eb3aa5cc377a13a0d On npm install, the package's postinstall hook runs setup.js, which decodes an embedded base64 string into a tar.gz file at ../../../tempbundle.tar.g...

OSV•added 2026/05/21 1:6 a.m.•10 views

MAL-2026-4510 Malicious code in cerebrum-core (npm)

Wordfence Blog•added 2026/05/20 10:4 p.m.•6 views

How a Webmail Log File Became a Root-Level Backdoor

THREAT ANALYSIS May 2026 · Forensic Case Study A forensic breakdown of how an attacker turned CyberPanel's SnappyMail logging into a persistent webshell that survived every WordPress cleanup attempt. A WordPress site owner reported redirect malware on their site. They found that clicking anywhere...

6.2AI score

CNNVD•added 2026/05/16 12:0 a.m.•6 views

WordPress plugin theme Wibar 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

6.4CVSS5.8AI score0.00034EPSS

OSV•added 2026/05/05 8:3 p.m.•2 views

GHSA-XCFG-FCR5-GW9R Geyser Vulnerable to Server-Side Request Forgery (SSRF) via Player Head Texture URL in Geyser

Summary A server-side request forgery SSRF vulnerability exists in Geyser’s handling of Bedrock player head texture data. By supplying a crafted Base64-encoded skin texture URL via the /give command, an attacker can cause the Minecraft server to issue arbitrary HTTP GET requests to...

2.4CVSS5.9AI score0.00027EPSS

Exploits0References3

Github Security Blog•added 2026/05/05 8:3 p.m.•3 views

Geyser Vulnerable to Server-Side Request Forgery (SSRF) via Player Head Texture URL in Geyser

2.4CVSS5.9AI score0.00027EPSS

Exploits0References3Affected Software1

GithubExploit•added 2026/04/28 4:27 p.m.•80 views

Exploit for CVE-2026-1306

CVE-2026-1306 — midi-Synth WordPress WordPress midi-Synth...

9.8CVSS5.2AI score0.31452EPSS

Exploits1

GithubExploit•added 2026/04/11 7:37 p.m.•95 views

Exploit for CVE-2026-23500

CVE-2026-23500: OS Command Injection RCE via MAINODTASPDF...

6.2AI score0.00166EPSS

Exploits3

OSV•added 2026/03/18 8:5 p.m.•1 views

GHSA-GJGX-RVQR-6W6V Mesop Affected by Unauthenticated Remote Code Execution via Test Suite Route /exec-py

Summary An explicit web endpoint inside the ai/ testing module infrastructure directly ingests untrusted Python code strings unconditionally without authentication measures, yielding standard Unrestricted Remote Code Execution. Any individual capable of routing HTTP logic to this server block wil...

9.8CVSS6.1AI score0.12897EPSS

Exploits0References4

Positive Technologies•added 2026/03/18 12:0 a.m.•4 views

PT-2026-26183

Name of the Vulnerable Software and Affected Versions Mesop versions 1.2.2 and below Description Mesop, a Python-based UI framework, contains a flaw where an explicit web endpoint within the ai/ testing module infrastructure directly accepts untrusted Python code strings without authentication...

9.8CVSS5.8AI score0.12897EPSS

Exploits0References12

The Hacker News•added 2026/01/28 9:30 a.m.•7 views

Fake Python Spellchecker Packages on PyPI Delivered Hidden Remote Access Trojan

Cybersecurity researchers have discovered two malicious packages in the Python Package Index PyPI repository that masquerade as spellcheckers but contain functionality to deliver a remote access trojan RAT. The packages, named spellcheckerpy and spellcheckpy , are no longer available on PyPI, but...

6.2AI score