CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSSF Malicious Packages•added 3 days ago•5 views

Malicious code in @redhat-cloud-services/insights-client (npm)

Part of the "Mini Shai-Hulud" supply chain worm campaign that compromised the GitHub Actions OIDC trusted publisher shared by Red Hat Cloud Services npm packages. The attacker injected a preinstall hook into this and 31 other packages in the @redhat-cloud-services scope. The hook delivers a...

OSV•added 3 days ago•3 views

MAL-2026-5142 Malicious code in @redhat-cloud-services/insights-client (npm)

OSV•added 3 days ago•4 views

MAL-2026-5143 Malicious code in @redhat-cloud-services/javascript-clients-shared (npm)

Microsoft Secure•added 6 days ago•2 views

Typosquatted npm packages used to steal cloud and CI/CD secrets

In this article 1. Attack chain overview 1. The lure: typosquats and spoofed metadata 2. Execution: npm lifecycle hook abuse 3. Gen-1 stager: HTTP C2 beacon and payload drop 4. Gen-2 stager: abusing the legitimate Bun runtime as a loader 5. Credential theft 6. Impact and blast radius 2. Mitigatio...

6.3AI score

Exploits0

Snyk•added last week•3 views

Directory Traversal

Overview shamefile is an A cli tool to enforce documentation for code suppressions Affected versions of this package are vulnerable to Directory Traversal via the shame next process when processing a user-controlled shamefile.yaml. An attacker can disclose the contents of files outside the intend...

6.8CVSS6.3AI score

CISA•added last week•8 views

Supply Chain Compromises Impact Nx Console and GitHub Repositories

CISA is prioritizing the response to multiple emerging software supply chain intrusion campaigns targeting developer ecosystems Continuous Integration/Continuous Development CI/CD pipelines. These recent incidents, including the GitHub compromise via a malicious Nx Console Visual Studio Code VS...

9.8CVSS5.8AI score0.32065EPSS

Exploits1References8

NCSC•added last week•11 views

Vulnerabilities are handled in GitLab Community Edition and Enterprise Edition

GitLab has identified several vulnerabilities in the GitLab Community Edition and Enterprise Edition, specifically in versions 12.7 through 18.10.7, 18.11 through 18.11.4, and 19.0 through 19.0.1. These vulnerabilities relate to various aspects of authentication, authorization, and validation...

8.2CVSS5.7AI score0.00064EPSS

Positive Technologies•added 2026/05/28 12:0 a.m.•2 views

PT-2026-44730

Relevant Products/Components: trestle/core/commands/author/jinja.py trestle author jinja --- Detailed Description: The -o/--output argument in trestle author jinja allows writing files outside the intended workspace. The application does not properly validate: ../ .. absolute paths This allows...

8.4CVSS6.2AI score

Exploits0References5

NVD•added 2026/05/27 7:16 p.m.•5 views

CVE-2026-8716

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.7 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an authenticated user to access CI data from a different ref type than intended...

4.3CVSS0.00027EPSS

OSV•added 2026/05/27 7:16 p.m.•2 views

UBUNTU-CVE-2026-8716

4.3CVSS5.8AI score0.00027EPSS

Exploits0References4

CVE•added 2026/05/27 5:54 p.m.•64 views

CVE-2026-8716

CVE-2026-8716 affects GitLab CE/EE with versions 12.7–before 18.10.7, 18.11–before 18.11.4, and 19.0–before 19.0.1. An authenticated user could have accessed CI data from a different ref type than intended under certain conditions. The issue has been remediated via patch releases: GitLab 18.10.7,...

4.3CVSS5.8AI score0.00027EPSS

Exploits0References2Affected Software1

ATTACKERKB•added 2026/05/27 5:54 p.m.•3 views

CVE-2026-8716

4.3CVSS5.8AI score0.00027EPSS

Exploits0References3Affected Software1

CVE•added 2026/05/26 3:49 p.m.•6 views

CVE-2026-44723

CVE-2026-44723 affects Vowpal Wabbit. The issue arises in the GitHub workflow .github/workflows/python_checks.yml where the PR title ({{ github.event.pull_request.title }}) is directly embedded inside double-quoted bash strings in four steps across four jobs, passing it as a CLI argument to run_t...

9.9CVSS6.1AI score0.00045EPSS

Exploits1References2Affected Software1

OSSF Malicious Packages•added 2026/05/25 6:53 p.m.•5 views

Malicious code in skills-detector (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 844190b21455d308d6e2b5305ebe92634d80b55817290a84644a1048df0e54b3 On npm install, postinstall.js executes whoami and id via childprocess.execSync, collects os.hostname, os.platform, current working directory, and th...

5.8AI score

OSV•added 2026/05/25 6:53 p.m.•3 views

MAL-2026-4670 Malicious code in skills-detector (npm)

5.8AI score

OSV•added 2026/05/25 2:16 p.m.•4 views

MAL-2026-4730 Malicious code in wml-components (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d65cdf836cae85d721f6a982c5941bd18037d4a3554ec4b69cd5828591ee0e20 [email protected] declares preinstall: node poc.js in package.json, so npm install automatically runs poc.js with no consent step. poc.js iterate...

OSSF Malicious Packages•added 2026/05/25 2:16 p.m.•4 views

Malicious code in wml-core (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 46afe229d6efe1ef10d025302ed21e5c2c44bdd772c8fbb28d037cb1215c84ba [email protected] is a dependency-confusion package targeting an internal wml- namespace, published with an inflated version 99.0.1 to win npm resoluti...

OSV•added 2026/05/25 2:16 p.m.•4 views

MAL-2026-4731 Malicious code in wml-core (npm)

OSSF Malicious Packages•added 2026/05/25 2:15 p.m.•4 views

Malicious code in walmart-shared-modules (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e6bfb508fa412e49b249eaf5529f175ebb14f0e7d9fe19a119e8cc9acf25505a Package declares preinstall: node poc.js, which on npm install collects host identity os.hostname, whoami/id, ipconfig/ip a output, scrapes environme...

5.8AI score