Lucene search
K

1135 matches found

OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/07 12:0 a.m.18 views

Malicious code in camelotlabs-utils (npm)

Five packages camelotlabs-sdk, camelotlabs-core, camelotlabs-config, camelotlabs-worker, and camelotlabs-utils were published to the public npm registry at version 99.0.0 by the actor madman0619 as a dependency confusion attack targeting the internal npm packages of Camelot Labs. The inflated...

5.9AI score
Exploits0
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/07 12:0 a.m.13 views

Malicious code in camelotlabs-worker (npm)

Five packages camelotlabs-sdk, camelotlabs-core, camelotlabs-config, camelotlabs-worker, and camelotlabs-utils were published to the public npm registry at version 99.0.0 by the actor madman0619 as a dependency confusion attack targeting the internal npm packages of Camelot Labs. The inflated...

5.9AI score
Exploits0
OSV
OSV
added 2026/05/07 12:0 a.m.6 views

MAL-2026-3642 Malicious code in camelotlabs-sdk (npm)

Five packages camelotlabs-sdk, camelotlabs-core, camelotlabs-config, camelotlabs-worker, and camelotlabs-utils were published to the public npm registry at version 99.0.0 by the actor madman0619 as a dependency confusion attack targeting the internal npm packages of Camelot Labs. The inflated...

5.9AI score
Exploits0
OSV
OSV
added 2026/05/07 12:0 a.m.9 views

MAL-2026-3644 Malicious code in camelotlabs-worker (npm)

Five packages camelotlabs-sdk, camelotlabs-core, camelotlabs-config, camelotlabs-worker, and camelotlabs-utils were published to the public npm registry at version 99.0.0 by the actor madman0619 as a dependency confusion attack targeting the internal npm packages of Camelot Labs. The inflated...

5.9AI score
Exploits0
VulnCheck KEV
VulnCheck KEV
added 2026/04/30 12:0 a.m.6 views

VulnCheck KEV: CVE-2025-58179

Astro is a web framework for content-driven websites. Versions 11.0.3 through 12.6.5 are vulnerable to SSRF when using Astro's Cloudflare adapter. When configured with output: 'server' while using the default imageService: 'compile', the generated image optimization endpoint doesn't check the URL...

7.2CVSS5.2AI score0.00773EPSS
In wildExploits1References2
NVD
NVD
added 2026/04/24 6:16 p.m.4 views

CVE-2026-41321

@astrojs/cloudflare is an SSR adapter for use with Cloudflare Workers targets. Prior to 13.1.10, the fetch call for remote images in packages/integrations/cloudflare/src/utils/image-binding-transform.ts uses the default redirect: 'follow' behavior. This allows the Cloudflare Worker to follow HTTP...

2.2CVSS0.00199EPSS
Exploits0References1
EUVD
EUVD
added 2026/04/24 5:4 p.m.4 views

EUVD-2026-25579

@astrojs/cloudflare is an SSR adapter for use with Cloudflare Workers targets. Prior to 13.1.10, the fetch call for remote images in packages/integrations/cloudflare/src/utils/image-binding-transform.ts uses the default redirect: 'follow' behavior. This allows the Cloudflare Worker to follow HTTP...

7.2CVSS5.5AI score0.00773EPSS
Exploits1References1
CVE
CVE
added 2026/04/24 5:4 p.m.18 views

CVE-2026-41321

Summary: CVE-2026-41321 affects the @astrojs/cloudflare SSR adapter used with Cloudflare Workers. Before version 13.1.10, the fetch() call for remote images in packages/integrations/cloudflare/src/utils/image-binding-transform.ts uses the default redirect: 'follow' behavior, allowing redirects to...

2.2CVSS5.5AI score0.00199EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/04/24 5:4 p.m.25 views

CVE-2026-41321 @astrojs/cloudflare: SSRF via redirect following in Cloudflare image-binding-transform endpoint

@astrojs/cloudflare is an SSR adapter for use with Cloudflare Workers targets. Prior to 13.1.10, the fetch call for remote images in packages/integrations/cloudflare/src/utils/image-binding-transform.ts uses the default redirect: 'follow' behavior. This allows the Cloudflare Worker to follow HTTP...

2.2CVSS0.00199EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/04/24 5:4 p.m.5 views

CVE-2026-41321 @astrojs/cloudflare: SSRF via redirect following in Cloudflare image-binding-transform endpoint

@astrojs/cloudflare is an SSR adapter for use with Cloudflare Workers targets. Prior to 13.1.10, the fetch call for remote images in packages/integrations/cloudflare/src/utils/image-binding-transform.ts uses the default redirect: 'follow' behavior. This allows the Cloudflare Worker to follow HTTP...

2.2CVSS5.5AI score0.00199EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/04/24 5:4 p.m.3 views

CVE-2026-41321

@astrojs/cloudflare is an SSR adapter for use with Cloudflare Workers targets. Prior to 13.1.10, the fetch call for remote images in packages/integrations/cloudflare/src/utils/image-binding-transform.ts uses the default redirect: 'follow' behavior. This allows the Cloudflare Worker to follow HTTP...

7.2CVSS5.6AI score0.00773EPSS
Exploits1References2Affected Software1
CNNVD
CNNVD
added 2026/04/24 12:0 a.m.10 views

Astro 代码问题漏洞

Astro is a content-driven website framework developed by Astro OpenSource. Versions of Astro prior to 13.1.10 had code vulnerabilities. These vulnerabilities stemmed from the use of default redirection behavior in fetch calls, which could allow Cloudflare Workers to bypass domain whitelist checks...

2.2CVSS5.9AI score0.00199EPSS
Exploits0References1
Snyk
Snyk
added 2026/04/23 9:52 p.m.12 views

Server-side Request Forgery (SSRF)

Overview @astrojs/cloudflare is a Deploy your site to Cloudflare Workers/Pages Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the fetch function in image-binding-transform endpoint. An attacker can cause the server to make unauthorized requests to arbitra...

7.2CVSS5.6AI score0.00773EPSS
Exploits1References2
OSV
OSV
added 2026/04/23 9:52 p.m.6 views

GHSA-88GM-J2WX-58H6 Cloudflare has SSRF via redirect following through its image-binding-transform endpoint (incomplete fix for GHSA-qpr4)

Summary The fetch call for remote images in packages/integrations/cloudflare/src/utils/image-binding-transform.ts line 28 uses the default redirect: 'follow' behavior. This allows the Cloudflare Worker to follow HTTP redirects to arbitrary URLs, bypassing the isRemoteAllowed domain allowlist chec...

2.2CVSS5.9AI score0.00199EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/04/23 12:0 a.m.6 views

PT-2026-34823

Summary The fetch call for remote images in packages/integrations/cloudflare/src/utils/image-binding-transform.ts line 28 uses the default redirect: 'follow' behavior. This allows the Cloudflare Worker to follow HTTP redirects to arbitrary URLs, bypassing the isRemoteAllowed domain allowlist chec...

2.2CVSS5.9AI score0.00199EPSS
Exploits0References7
Wiz blog
Wiz blog
added 2026/04/14 1:0 p.m.10 views

Securing the AI Edge: Wiz and Cloudflare Integrate for End-to-End AI Protection

Gain a unified view of AI application endpoints and DNS exposure across your environment, including which are protected by Cloudflare and which need to be secured...

5.8AI score
Exploits0
OSV
OSV
added 2026/04/09 2:5 p.m.5 views

MAL-2026-2527 Malicious code in sjs-biginteger (npm)

sjs-biginteger typosquats big.js on npm. Published April 7, 2026 by throwaway account vanes.s.p.orit.a, the package ships legitimate big.js source and hides its payload in a dependency: sjs-lint-build1. On install, the dependency’s postinstall hook fetches the attacker’s SSH public key from a C2...

5.9AI score
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/04/09 2:4 p.m.12 views

Malicious code in sjs-lint-build1 (npm)

sjs-biginteger typosquats big.js on npm. Published April 7, 2026 by throwaway account vanes.s.p.orit.a, the package ships legitimate big.js source and hides its payload in a dependency: sjs-lint-build1. On install, the dependency’s postinstall hook fetches the attacker’s SSH public key from a C2...

5.9AI score
Exploits0References2
HackRead
HackRead
added 2026/04/06 2:26 p.m.6 views

Cloudflare Targets WordPress With New AI-Powered EmDash CMS

Cloudflare launches EmDash CMS, an AI-powered platform built to fix WordPress security flaws with sandboxed plugins, serverless scaling, and passkey auth...

5.9AI score
Exploits0
RedhatCVE
RedhatCVE
added 2026/04/04 10:54 p.m.3 views

CVE-2026-28798

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Prior to version 1.5.3, a proxy endpoint /v1/sys/proxy exposed by ZimaOS's web interface can be abused via an externally reachable domain using a Cloudflare Tunnel to make requests to internal localhost...

10CVSS5.8AI score0.00387EPSS
Exploits1References1
Rows per page
Query Builder