CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSSF Malicious Packages•added 2 days ago•5 views

Malicious code in respects-switch (npm)

respects-switch is a dependency confusion proof-of-concept package published to the public npm registry by the account r0binak and self-labeled "Security research PoC - Dependency Confusion Hunter". It was published at the artificially high version 999.0.0, the canonical floating-version bait use...

5.8AI score

Exploits0References3

ATTACKERKB•added 6 days ago•7 views

CVE-2026-50141

Woodpecker is a CI/CD engine. Starting in version 3.0.0 and prior to version 3.14.1, a vulnerability in Woodpecker CI's gRPC layer allowed any authenticated agent to impersonate any other agent on the same server by injecting a forged agentid value into outgoing gRPC metadata. The server correctl...

7.1CVSS5.4AI score0.00246EPSS

Exploits0References6Affected Software1

Cvelist•added 6 days ago•16 views

CVE-2026-50141 Woodpecker gRPC agent_id metadata can be spoofed- cross-tenant agent impersonation

7.1CVSS0.00246EPSS

Exploits0References5

EUVD•added 6 days ago•8 views

EUVD-2026-37897

7.1CVSS5.4AI score0.00246EPSS

Exploits0References5

OSV•added 2026/06/16 2:14 a.m.•5 views

MAL-2026-5859 Malicious code in setka-editor (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a9dd5cda5d5a0925c139a36f0ea4c69b96052ff203d7dc365ac119408ba76069 package.json registers both preinstall and postinstall lifecycle hooks that run node callback.js, which executes automatically on npm install...

5.8AI score

Exploits0References4

OSSF Malicious Packages•added 2026/06/15 8:11 p.m.•7 views

Malicious code in yunxin-overmind-comment (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 57551a10d99024d1d12c7f2e349e6557613ed3a5e036bf45d71129d501fbbabc On npm install, the package's scripts.postinstall runs src/postinstall.js, which spawns a detached Node child that collects the installer's hostname,...

5.3AI score

OSSF Malicious Packages•added 2026/06/15 3:9 p.m.•11 views

Malicious code in token-prices-cron (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 10adc862166a2dbaf26f3dc56b4c1dfa0fd45e625f713380564d0b18fb07088d On npm install, the preinstall lifecycle script in postinstall.js enumerates process.env, filters keys matching a broad credential regex...

OSSF Malicious Packages•added 2026/06/13 8:10 p.m.•12 views

Malicious code in xy-shared (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d631443367624273d8b7d3347b2e173a72f3f7447424f25424dab8e68c4b1a25 package.json wires both preinstall and postinstall to node callback.js, which auto-executes on npm install. callback.js collects username, uid/gid,...

OSV•added 2026/06/13 8:10 p.m.•9 views

MAL-2026-5746 Malicious code in xy-shared (npm)

OSV•added 2026/06/13 8:57 a.m.•10 views

BIT-GITLAB-2026-10733 Improper Restriction of Rendered UI Layers or Frames in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.0 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that could have allowed an authenticated user to cause denial of service on the CI/CD Catalog page due to improper sanitization...

4.3CVSS5.5AI score0.0022EPSS

Exploits0References3

OSV•added 2026/06/12 3:24 p.m.•8 views

MAL-2026-5696 Malicious code in voyager-web (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a7f4f15201378ec6cee4268469e85e17e50f3f5299d94a250031d6c2693177b8 package.json declares both preinstall and postinstall lifecycle hooks that execute callback.js on npm install. callback.js collects installer-side...

Snyk•added 2026/06/11 3:20 p.m.•10 views

Directory Traversal

Overview keras is a Keras is a high-level neural networks API for Python.. Affected versions of this package are vulnerable to Directory Traversal via the filtersafetarinfos and filtersafezipinfos functions in the archive extraction utilities. An attacker can write arbitrary files outside the...

8.6CVSS6.2AI score0.0045EPSS

NVD•added 2026/06/11 12:16 p.m.•11 views

CVE-2026-10733

4.3CVSS0.0022EPSS

Cvelist•added 2026/06/11 10:19 a.m.•27 views

CVE-2026-10733 Improper Restriction of Rendered UI Layers or Frames in GitLab

4.3CVSS0.0022EPSS

Vulnrichment•added 2026/06/11 10:19 a.m.•9 views

CVE-2026-10733 Improper Restriction of Rendered UI Layers or Frames in GitLab

4.3CVSS5.5AI score0.0022EPSS

OSSF Malicious Packages•added 2026/06/11 6:33 a.m.•9 views

Malicious code in gpt-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8b9bdc5e04979d5b4f73407bcedaecc9df24dbb03e0bfbc0edefe333023dc50c On npm install, postinstall.js runs unconditionally and collects a wide range of installer-side reconnaissance data: hostname and FQDN, contents of...

OSV•added 2026/06/11 6:33 a.m.•9 views

MAL-2026-5612 Malicious code in gpt-sdk (npm)

OSSF Malicious Packages•added 2026/06/11 6:13 a.m.•9 views

Malicious code in twilio-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 737fede3d5b2007849cab0503cec191ce127c33c0b28f3b3285f347a064966e1 Package name twilio-sdk impersonates the official Twilio Node SDK twilio but ships an empty API module.exports = . The only real behavior runs in...

OSV•added 2026/06/11 5:10 a.m.•11 views

MAL-2026-5572 Malicious code in sendgrid-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 08f1d48bc557c6afa69c74455fe35f34ed0992082dc30fc09d032523d2329f63 Package impersonates the official SendGrid npm packages @sendgrid/ but ships no SDK functionality — index.js exports an empty object. Its sole purpos...