Lucene search
+L

87 matches found

The Hacker News
The Hacker News
added 2025/12/01 12:47 p.m.18 views

⚡ Weekly Recap: Hot CVEs, npm Worm Returns, Firefox RCE, M365 Email Raid & More

Hackers aren't kicking down the door anymore. They just use the same tools we use every day — code packages, cloud accounts, email, chat, phones, and "trusted" partners — and turn them against us. One bad download can leak your keys. One weak vendor can expose many customers at once. One guest...

9.8CVSS10AI score0.99962EPSS
Exploits26
The Hacker News
The Hacker News
added 2025/11/24 1:3 p.m.4 views

Second Sha1-Hulud Wave Affects 25,000+ Repositories via npm Preinstall Credential Theft

Multiple security vendors are sounding the alarm about a second wave of attacks targeting the npm registry in a manner that's reminiscent of the Shai-Hulud attack. The new supply chain campaign, dubbed Sha1-Hulud , has compromised hundreds of npm packages, according to reports from Aikido,...

7.5AI score
Exploits0
CVE
CVE
added 2025/08/09 1:29 a.m.49 views

CVE-2025-55152

CVE-2025-55152 affects the oak middleware (Deno/native HTTP stack) with vulnerable versions 17.1.5 and earlier. Public records describe a Regular Expression Denial of Service / DoS: using specially crafted values in the headers x-forwarded-proto or x-forwarded-for can cause substantial slowdown o...

5.3CVSS7.1AI score0.00388EPSS
Exploits0References2
GithubExploit
GithubExploit
added 2025/08/07 10:34 p.m.102 views

Exploit for Code Injection in Xwiki

CVE-2025-24893 Install bun: bash curl -fsSL https://bun.c...

9.8CVSS7.2AI score0.99898EPSS
Exploits51
OSV
OSV
added 2025/04/11 2:6 p.m.7 views

GHSA-356W-63V5-8WF4 Vite has an `server.fs.deny` bypass with an invalid `request-target`

Summary The contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. Impact Only apps with the following conditions are affected. - explicitly exposing the Vite dev server to the network using --host or server.host config option - running the Vite de...

6CVSS6.7AI score0.01725EPSS
Exploits2References4
OSV
OSV
added 2025/04/10 1:25 p.m.16 views

CVE-2025-32395 Vite has an `server.fs.deny` bypass with an invalid `request-target`

Vite is a frontend tooling framework for javascript. Prior to 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13, the contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. HTTP 1.1 spec RFC 9112 does not allow in request-target. Although an attacker can sen...

6CVSS6AI score0.01725EPSS
Exploits2References4
OSV
OSV
added 2024/12/18 6:30 a.m.3 views

GHSA-V9MX-4PQQ-H232 Bun has an Application-level Prototype Pollution vulnerability in the runtime native API for Glo

Versions of the package bun before 1.1.30 are vulnerable to Prototype Pollution due to improper input sanitization. An attacker can exploit this vulnerability through Bun's APIs that accept objects...

7.7CVSS5.9AI score0.00647EPSS
Exploits0References5
Rows per page
Query Builder