Lucene search
K

1434 matches found

OSSF Malicious Packages
OSSF Malicious Packages
added 4 days ago2 views

Malicious code in @marketfront/header (npm)

The @marketfront/header package is part of a 25-package malicious campaign batch-published to the @marketfront npm scope by npm user 'marketfront' [email protected] within a roughly 3-minute window on 2026-07-01. All packages in the campaign were published at version 7.0.0 and use...

6.3AI score
Exploits0References2
NVD
NVD
added 2026/06/29 6:16 a.m.8 views

CVE-2026-13533

A security vulnerability has been detected in agentejo Cockpit CMS up to 0.12.2. Affected by this issue is the function Spyc::YAMLLoad of the file /config/config.yaml of the component htaccess Handler. Such manipulation leads to files or directories accessible. It is possible to launch the attack...

6.9CVSS0.00286EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/06/29 4:0 a.m.7 views

CVE-2026-13533

A security vulnerability has been detected in agentejo Cockpit CMS up to 0.12.2. Affected by this issue is the function Spyc::YAMLLoad of the file /config/config.yaml of the component htaccess Handler. Such manipulation leads to files or directories accessible. It is possible to launch the attack...

6.9CVSS5.6AI score0.00286EPSS
Exploits0References5Affected Software1
NVD
NVD
added 2026/06/26 6:17 p.m.5 views

CVE-2026-55441

mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.6.4, mise's trust feature gates config files mise.toml, .tool-versions through trustcheck, but task-include files are loaded on a path that never reaches it. When a directory has a task-include dir mise-tasks/,...

8.6CVSS0.00184EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/26 4:48 p.m.6 views

CVE-2026-55441

mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.6.4, mise's trust feature gates config files mise.toml, .tool-versions through trustcheck, but task-include files are loaded on a path that never reaches it. When a directory has a task-include dir mise-tasks/,...

8.6CVSS5.9AI score0.00184EPSS
Exploits0References2Affected Software1
NVD
NVD
added 2026/06/24 9:16 p.m.9 views

CVE-2026-32315

motionEye mEye is an online interface for motion software, a video surveillance program with motion detection. Versions prior to 0.44.0 create the configuration file /etc/motioneye/motion.conf with 644 permissions -rw-r--r--, making it readable by any local user on the system. This file contains...

5.5CVSS0.02902EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/24 5:41 a.m.6 views

EUVD-2026-38691

ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.34 in Java applications, allows an attacker to execute arbitrary code circumventing existing protections against CVE-2025-11226 by compromising an existing logback configuration...

7CVSS6.2AI score0.00181EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/06/23 6:24 p.m.8 views

Mise vulnerable to arbitrary command execution via task-include files in an untrusted, config-less repository

Summary mise's trust feature gates config files mise.toml, .tool-versions through trustcheck, but task-include files are loaded on a path that never reaches it. When a directory has a task-include dir mise-tasks/, .mise/tasks/, … but no config file, mise falls back to the default includes and...

8.6CVSS6AI score0.00184EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/06/19 4:31 a.m.7 views

CVE-2026-8118

The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to Arbitrary File Read in versions 1.7.1058 through 1.7.1059. This is due to the wprgetcsvhandle helper introduced in version 1.7.1058 as part of the patch for CVE-2026-6229 falling back to...

6.5CVSS5.9AI score0.0024EPSS
Exploits0References3Affected Software1
ICS
ICS
added 2026/06/18 3:56 p.m.8 views

Webmin multiple vulnerabilities

RISK EVALUATION Webmin contains multiple vulnerabilities. In the worst case, a remote, unauthenticated attacker could impersonate and authenticate as any user. 2. RECOMMENDED PRACTICES Update to most recent available version of Webmin. 3. DESCRIPTION The Webmin HTTP server miniserv.pl allows...

9.2CVSS6AI score0.00285EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.13 views

PT-2026-49773

Name of the Vulnerable Software and Affected Versions OpenClaw versions 2026.4.23 through 2026.4.23 Description An insecure file permissions issue exists in the config recovery process that restores the OpenClaw.json file with overly broad permissions. Local attackers on shared hosts can exploit...

5.7CVSS5.2AI score0.00094EPSS
Exploits0References5
NVD
NVD
added 2026/06/15 11:16 p.m.18 views

CVE-2026-48723

The browserstack-cypress-cli is BrowserStack's CLI which allows users to run Cypress tests on BrowserStack. Versions prior to 1.36.4 are vulnerable to OS command injection via the cypressconfigfile configuration parameter. In readCypressConfigUtil.js, the loadJsFile function constructs a shell...

7.8CVSS0.00533EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/15 10:27 p.m.7 views

EUVD-2026-37017

The browserstack-cypress-cli is BrowserStack's CLI which allows users to run Cypress tests on BrowserStack. Versions prior to 1.36.4 are vulnerable to OS command injection via the cypressconfigfile configuration parameter. In readCypressConfigUtil.js, the loadJsFile function constructs a shell...

7.8CVSS5.4AI score0.00533EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/15 10:27 p.m.31 views

CVE-2026-48723 BrowserStack Cypress CL: Command Injection via cypress_config_file leads to arbitrary code execution through malicious browserstack.json

The browserstack-cypress-cli is BrowserStack's CLI which allows users to run Cypress tests on BrowserStack. Versions prior to 1.36.4 are vulnerable to OS command injection via the cypressconfigfile configuration parameter. In readCypressConfigUtil.js, the loadJsFile function constructs a shell...

7.8CVSS0.00533EPSS
Exploits0References2
CVE
CVE
added 2026/06/15 10:27 p.m.23 views

CVE-2026-48723

BrowserStack Cypress CLI prior to 1.36.4 is vulnerable to OS command injection via the cypress_config_file parameter in readCypressConfigUtil.js (loadJsFile()), which builds a shell command by interpolating cypress_config_filepath into a template literal and runs it with child_process.execSync()....

7.8CVSS5.5AI score0.00533EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/15 12:0 p.m.29 views

CVE-2016-20076 WordPress Simple-Backup 2.7.11 Arbitrary File Deletion and Download

WordPress Simple-Backup 2.7.11 contains multiple vulnerabilities that allow unauthenticated attackers to delete arbitrary files and download sensitive files by manipulating the deletebackupfile and downloadbackupfile parameters in tools.php. Attackers can exploit insufficient input validation usi...

8.7CVSS0.00601EPSS
Exploits0References2
GithubExploit
GithubExploit
added 2026/06/15 10:0 a.m.75 views

Exploit for CVE-2026-37071

CVE-2026-37071 Arbitrary File Rename Leading to Privilege Esca...

5.4AI score
Exploits0
RedhatCVE
RedhatCVE
added 2026/06/11 4:47 p.m.8 views

CVE-2026-53442

A flaw was found in Jenkins. Secrets submitted via POST config.xml are stored unencrypted in job configuration files on the Jenkins controller. This allows users with 'Item/Extended Read' permission, or those with direct access to the Jenkins controller file system, to view sensitive information...

5.5CVSS5.5AI score0.0019EPSS
Exploits0References4
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/10 6:41 p.m.13 views

Malicious code in websocket-slot (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c15c40b8371646f167ffa7d5a2ba2c8d0fd454ef7054eeb41807a1a3eda8e7a6 On npm install, this package runs node test.js via scripts.postinstall, which executes the logic in index.js. The postinstall behavior performs three...

5.5AI score
Exploits0References2
OSV
OSV
added 2026/06/10 3:31 p.m.5 views

GHSA-93QH-VWRM-C5PW Jenkins: Stored XSS vulnerability in node offline cause description

Jenkins 2.483 through 2.567 both inclusive, LTS 2.492.1 through 2.555.2 both inclusive does not escape the user-provided description of a generic offline cause that could be set through the POST config.xml API, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers...

8CVSS4.9AI score0.00261EPSS
Exploits0References4
Rows per page
Query Builder