CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Cvelist•added 15 hours ago•6 views

CVE-2026-11833

8.2CVSS

EUVD•added 15 hours ago•6 views

EUVD-2026-38411

8.2CVSS5.7AI score

Nuclei•added yesterday•18 views

GitLab CI Lint API - Server-Side Request Forgery

GitLab 10.5 and later contain a server-side request forgery caused by insecure handling of webhook requests, letting unauthenticated attackers exploit the server for arbitrary requests, exploit requires sending crafted webhook requests. id: CVE-2021-22175 info: name: GitLab CI Lint API -...

9.8CVSS7.7AI score0.53372EPSS

Exploits1References2

Cvelist•added 5 days ago•13 views

CVE-2026-49248 OneDev: RCE through absolute-path symlink following allows low-privileged users to overwrite arbitrary server via TarUtils.untar

OneDev is a Git server with CI/CD, kanban, and packages. In versions 15.0.6 and below, TarUtils.untar creates symbolic links verbatim from TAR entry getLinkName without validating whether the target is an absolute path. A subsequent file entry in the same archive traverses the symlink, writing to...

8.3CVSS0.00024EPSS

CVE•added 5 days ago•12 views

CVE-2026-49248

OneDev CVE-2026-49248 affects versions 15.0.6 and earlier. TarUtils.untar() creates symbolic links using entry getLinkName() without validating absolute path targets; a following file entry can traverse the symlink and write to arbitrary server-side locations. This enables RCE-like behavior for a...

8.3CVSS5.4AI score0.00024EPSS

CVE•added 5 days ago•11 views

CVE-2026-50141

CVE-2026-50141 affects Woodpecker CI prior to 3.14.1, where the gRPC layer allowed an authenticated agent to impersonate another by forging agent_id in outgoing metadata. The server verified the JWT but then ignored it in favor of the client-supplied agent_id, enabling cross-tenant impersonation....

7.1CVSS5.4AI score

Exploits0References5

Microsoft Secure•added 5 days ago•16 views

From package to postinstall payload: Inside the Mastra npm supply chain compromise by Sapphire Sleet

In this article 1. Attack chain overview 1. Discovery and initial indicators 2. Dependency injection: the poisoned package.json 3. Typosquat analysis: easy-day-js 4. Staged delivery pattern 5. Obfuscation and payload analysis 6. TLS bypass to self-deletion 7. Timeline analysis 2. Who is Sapphire...

6.9AI score

Exploits0

OSSF Malicious Packages•added 2026/06/13 2:10 a.m.•14 views

Malicious code in @ci-lifecycle-test/postinstall-ping (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 75c160ad40a237c1e682c696ebd0aec2861ca072f47bd5b725bc80f7f95ed509 The package's postinstall lifecycle script postinstall.js executes automatically on npm install and POSTs the JSON-serialized contents of the entire...

OSSF Malicious Packages•added 2026/06/12 3:24 p.m.•6 views

Malicious code in voyager-web (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a7f4f15201378ec6cee4268469e85e17e50f3f5299d94a250031d6c2693177b8 package.json declares both preinstall and postinstall lifecycle hooks that execute callback.js on npm install. callback.js collects installer-side...

OSSF Malicious Packages•added 2026/06/11 1:12 p.m.•7 views

Malicious code in optional-cpu-features (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4dbbb7dd9c604ef3e5782d477d4db7c04c50f7906b19af03e63a540e0a44166e On npm install, both the install and postinstall lifecycle scripts run node install.js, which requires lib/sync.js. That file hardcodes BASE =...

5.7AI score

OSV•added 2026/06/11 1:12 p.m.•7 views

MAL-2026-5642 Malicious code in optional-cpu-features (npm)

5.7AI score

OSSF Malicious Packages•added 2026/06/11 7:19 a.m.•12 views

Malicious code in internallib_v346 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 16f3f2c0990e02417fdf7012e6531393e81f786bb16019d0efdb03c049817f90 Package name targets an internal-only namespace and ships a reverse-shell payload. index.js line 5 unconditionally invokes exec'/bin/bash -c "bash -i...

5.4AI score

Exploits0References7

GithubExploit•added 2026/06/11 4:39 a.m.•46 views

claude-code-f002-poc

F002: Supply Chain Attack via Non-Interactive Workspace Trust...

6AI score

Exploits0

OSSF Malicious Packages•added 2026/06/11 3:14 a.m.•6 views

Malicious code in @403name/fsevent (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2f86ca4502cc824c3684e8f1e08b088b974b4339829461b50d45e3fbc6f808eb On require, index.js runs an IIFE that gates to macOS, skips when CI or GITHUBACTIONS is set, waits 30-90 seconds, and writes a one-shot marker at...

5.9AI score

OSV•added 2026/06/11 3:14 a.m.•14 views

MAL-2026-5549 Malicious code in @403name/fsevent (npm)

5.9AI score

Positive Technologies•added 2026/06/11 12:0 a.m.•11 views

PT-2026-48644

Name of the Vulnerable Software and Affected Versions GitLab CE/EE versions 17.0 through 18.10.7 GitLab CE/EE versions 18.11 through 18.11.4 GitLab CE/EE versions 19.0 through 19.0.1 Description An issue exists where an authenticated user can cause a denial of service on the CI/CD Catalog page...

4.3CVSS5.2AI score0.00352EPSS

Exploits0References5

CNNVD•added 2026/06/11 12:0 a.m.•11 views

GitLab CE/EE 安全漏洞

GitLab Enterprise Edition EE and GitLab Community Edition CE are products of the American company GitLab. GitLab Enterprise Edition is a content management system. GitLab Community Edition is a community version of GitLab. There were security vulnerabilities in versions prior to 17.0, 18.11,...

4.3CVSS5.4AI score0.00352EPSS

OSV•added 2026/06/09 8:32 p.m.•18 views

MAL-2026-5466 Malicious code in getd-eslint-rules (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 17328047b2ec8dce82cfbdfd5b16c8f862d51dca26b02c9801587c220a48975a On npm install, postinstall.js collects host identifiers os.hostname, os.userInfo username, os.platform, current working directory, CI environment...

OSSF Malicious Packages•added 2026/06/09 8:32 p.m.•7 views

Malicious code in getd-pantallas-cliente (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 89a26267435645776aa984be114d5c657e63fa9937ff044e5ddd24943b28ea6e On npm install, postinstall.js collects os.hostname, os.userInfo.username, os.platform, process.cwd, and CI/build environment variables and sends the...