Lucene search
K

74103 matches found

OSSF Malicious Packages
OSSF Malicious Packages
added yesterday5 views

Malicious code in dbzy-tools (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a0432a46ed92acb897826fc16d26cba900bd3d18f0de5baa7f2909a44d9ec625 The package advertises itself as a network debugging tool but its CLI and modules compose a remote-access toolkit. The dbzy-tools console entry calls...

6.2AI score
Exploits0References1
GithubExploit
GithubExploit
added yesterday12 views

Cybersecurity-Challenges-Exploits

Cybersecurity Challenges & Exploits A curated collection of c...

5.9AI score
Exploits0
Github Security Blog
Github Security Blog
added yesterday3 views

Joro: Unauthenticated Cross-Origin Plugin Upload Leads to RCE

Unauthenticated Cross-Origin Plugin Upload Leads to RCE Joro ≤ v1.1.0 Severity: Critical CVSS v3.1: 9.6 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H Affected versions: Joro ≤ v1.1.0, proxy mode default, Linux/macOS Reporter: cstover Date: 2026-05-27 --- Summary Joro's default proxy mode in versions = 1.1....

6.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday3 views

Nuclio: Unsanitized cron trigger event headers/body injected into CronJob shell command leads to persistent RCE

Summary Nuclio controller builds a curl invocation string for each cron trigger and stores it as the args of a Kubernetes CronJob container /bin/sh, -c, . Two fields in the trigger specification flow into this string without adequate sanitization: - event.headers keys — interpolated verbatim insi...

6.4AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

async-tar PAX extension-header desync enables tar entry/content smuggling

Summary async-tar v0.6.0 mis-applies a buffered PAX size extension to an intermediary extension header a GNU longname L, a GNU longlink K, or a PAX x/g header instead of to the next file entry. POSIX requires a PAX extended-header record set to describe the next file entry, never an intervening...

6AI score
Exploits0References2Affected Software1
NVD
NVD
added yesterday5 views

CVE-2026-59946

Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a Composer package bin entry containing .. path segments can resolve outside the package install directory and cause Composer's binary installation flow to chmod an existing host file to a world-readable and...

6.1CVSS
Exploits0References5
CVE
CVE
added yesterday5 views

CVE-2026-59946

CVE-2026-59946 affects Composer (PHP dependency manager). A bin entry containing trailing .. path segments could resolve outside the package install directory, enabling the binary installation flow to chmod an existing host file to world-readable/world-executable during composer install, update, ...

6.1CVSS5.9AI score
Exploits0References5
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-59946

Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a Composer package bin entry containing .. path segments can resolve outside the package install directory and cause Composer's binary installation flow to chmod an existing host file to a world-readable and...

6.1CVSS5.9AI score
Exploits0References6Affected Software1
EUVD
EUVD
added yesterday3 views

EUVD-2026-42360

Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a Composer package bin entry containing .. path segments can resolve outside the package install directory and cause Composer's binary installation flow to chmod an existing host file to a world-readable and...

6.1CVSS5.9AI score
Exploits0References5
Cvelist
Cvelist
added yesterday9 views

CVE-2026-59946 Composer: Path traversal in package bin field lets dependencies chmod arbitrary host files

Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a Composer package bin entry containing .. path segments can resolve outside the package install directory and cause Composer's binary installation flow to chmod an existing host file to a world-readable and...

6.1CVSS
Exploits0References5
OSSF Malicious Packages
OSSF Malicious Packages
added yesterday3 views

Malicious code in events-alias (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 164642716a755117674746c1c2534b0ac47d56bed2348e7a800c3d37a98074e9 The package's preinstall hook "node index.js" runs automatically on npm install and executes an exfiltration payload. index.js requires childprocess,...

6AI score
Exploits0References1
GithubExploit
GithubExploit
added yesterday21 views

Exploit for Insecure Default Initialization of Resource in Apache Solr

CVE-2026-44825 Apache Solr Scanner This repository contains a...

9.8CVSS7.2AI score0.00529EPSS
Exploits2
OSSF Malicious Packages
OSSF Malicious Packages
added yesterday3 views

Malicious code in turbom (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 64978153f8a987180b6c8e88b5787598ed949a604527f0098271f97d8c66a235 Starting version 1.0.1, the package contains obfuscated code and embedded binary that is executed during the import, sharing many similarities with package...

6AI score
Exploits0References2
NVD
NVD
added yesterday7 views

CVE-2026-59725

Socket.IO enables bidirectional and low-latency communication for every platform. From 4.1.0 before 6.6.7, Engine.IO protocol v4 polling transport does not properly close the HTTP response for invalid binary POST requests with Content-Type: application/octet-stream, allowing an unauthenticated...

7.5CVSS
Exploits0References3
GithubExploit
GithubExploit
added yesterday22 views

Exploit for Deserialization of Untrusted Data in Apache Camel

camel-pqc FileBasedKeyLifecycleManager Unsafe Deserialization...

7.8CVSS6.2AI score0.00342EPSS
Exploits1
CVE
CVE
added yesterday6 views

CVE-2026-59725

CVE-2026-59725 affects Socket.IO’s Engine.IO polling transport (versions 4.1.0–6.6.6). The root cause is that invalid binary POST requests with Content-Type: application/octet-stream are not properly closing the HTTP response, enabling unauthenticated attackers to exhaust server-side connections ...

7.5CVSS6AI score
Exploits0References3
EUVD
EUVD
added yesterday4 views

EUVD-2026-42313

Socket.IO enables bidirectional and low-latency communication for every platform. From 4.1.0 before 6.6.7, Engine.IO protocol v4 polling transport does not properly close the HTTP response for invalid binary POST requests with Content-Type: application/octet-stream, allowing an unauthenticated...

7.5CVSS6AI score
Exploits0References3
Vulnrichment
Vulnrichment
added yesterday4 views

CVE-2026-59725 Socket.IO: Engine.IO Polling Transport Connection Exhaustion

Socket.IO enables bidirectional and low-latency communication for every platform. From 4.1.0 before 6.6.7, Engine.IO protocol v4 polling transport does not properly close the HTTP response for invalid binary POST requests with Content-Type: application/octet-stream, allowing an unauthenticated...

7.5CVSS6AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-59725

Socket.IO enables bidirectional and low-latency communication for every platform. From 4.1.0 before 6.6.7, Engine.IO protocol v4 polling transport does not properly close the HTTP response for invalid binary POST requests with Content-Type: application/octet-stream, allowing an unauthenticated...

7.5CVSS6AI score
Exploits0References4Affected Software1
Cvelist
Cvelist
added yesterday10 views

CVE-2026-59725 Socket.IO: Engine.IO Polling Transport Connection Exhaustion

Socket.IO enables bidirectional and low-latency communication for every platform. From 4.1.0 before 6.6.7, Engine.IO protocol v4 polling transport does not properly close the HTTP response for invalid binary POST requests with Content-Type: application/octet-stream, allowing an unauthenticated...

7.5CVSS
Exploits0References3
Rows per page
Query Builder