Lucene search
K

6227 matches found

OSV
OSV
added 2026/06/18 10:28 p.m.11 views

MAL-2026-6144 Malicious code in runtime-query (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 95ac68a991ebaacd1aef772aa462ad53510471f9f4439659a6e685e877aa460e On require, index.js lines 70-77 fetches JSON from https://jsonkeeper.com/b/CI3HT, extracts the .cookie field from the response, and passes it to new...

6.5AI score
Exploits0References2
OSV
OSV
added 2026/06/18 10:28 p.m.7 views

MAL-2026-6141 Malicious code in clx-cookie-signature (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9e0e91601d276764067b1b209efd17a1f59ef03ff4fc814bcb22c495f4a0f9b3 Package impersonates the popular cookie-signature library copying its README, author field 'TJ Holowaychuk ', and sign/unsign API, but index.js adds ...

6AI score
Exploits0References2
NVD
NVD
added 2026/06/18 8:16 p.m.11 views

CVE-2026-48716

nanobot is a personal AI assistant. In versions 0.1.5.post3 and prior, the WhatsApp bridge in bridge/src/whatsapp.ts constructs a filesystem path using the fileName field from an incoming WhatsApp document message without sanitization. The WhatsApp bridge downloads media attachments and writes th...

8.7CVSS0.00276EPSS
Exploits0References1
Snyk
Snyk
added 2026/06/18 6:35 p.m.4 views

Unsafe Dependency Resolution

Overview @theia/ai-editor is a Theia - AI Editor Affected versions of this package are vulnerable to Unsafe Dependency Resolution via the processing of workspace file and directory names in the AI chat. An attacker can cause the agent to execute attacker-controlled instructions by introducing...

8.8CVSS6.2AI score0.00272EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/18 6:35 p.m.8 views

Unsafe Dependency Resolution

Overview @theia/ai-chat is a Theia - AI Chat Extension Affected versions of this package are vulnerable to Unsafe Dependency Resolution via the processing of workspace file and directory names in the AI chat. An attacker can cause the agent to execute attacker-controlled instructions by introduci...

8.8CVSS6.2AI score0.00272EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/18 8:58 a.m.6 views

CVE-2026-50643

8cc is vulnerable to an Out‑of‑Bounds Read due to improper handling of line directives and GNU linemarkers. The compiler accepts attacker-controlled filename and line number metadata and later uses it without validation when accessing source line arrays. By supplying invalid or oversized line...

5.1CVSS5.3AI score0.00138EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/18 8:58 a.m.10 views

EUVD-2026-37865

8cc is vulnerable to an Out‑of‑Bounds Read due to improper handling of line directives and GNU linemarkers. The compiler accepts attacker-controlled filename and line number metadata and later uses it without validation when accessing source line arrays. By supplying invalid or oversized line...

5.1CVSS5.3AI score0.00138EPSS
Exploits0References2
Mageia
Mageia
added 2026/06/18 7:22 a.m.13 views

Updated libcap packages fix security vulnerabilities

CVE-2026-4878. A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use TOCTOU race condition in the capsetfile function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By...

7CVSS5.2AI score0.00188EPSS
Exploits1References3
NVD
NVD
added 2026/06/18 12:16 a.m.12 views

CVE-2026-48768

TypeBot is a chatbot builder tool. In versions 3.16.1 and earlier, POST /api/blocks/file-input/v3/generate-upload-url is unauthenticated and uses unsanitized fileName input to construct public/ S3 object keys, while issuing presigned PUT URLs that do not bind Content-Type. As a result, any...

9.3CVSS0.00268EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2026/06/18 12:0 a.m.10 views

Vim < 9.2.0597 Code Execution (GHSA-65p9-mwwx-7468)

The version of Vim installed on the remote host is prior to 9.2.0597. It is, therefore, affected by a vulnerability as referenced in the GHSA-65p9-mwwx-7468 advisory. - Vim's Python omni-completion executes reconstructed function and class definitions from the current buffer with exec as part of...

8CVSS6.2AI score0.00224EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.17 views

PT-2026-50733

Name of the Vulnerable Software and Affected Versions piscina versions prior to 6.0.0-rc.2 piscina versions prior to 5.2.0 piscina versions prior to 4.9.3 Description Prototype pollution in the constructor and run paths allows an attacker to control the filename option. When the options object...

8.1CVSS5.9AI score0.00296EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.14 views

PT-2026-50784

Name of the Vulnerable Software and Affected Versions pam usb versions prior to 0.9.2 Description A symlink race condition exists in the creation of per-device and per-user pad directories. The software employs a check-then-act pattern, where it calls lstat to verify existence and subsequently...

5.8CVSS5.9AI score0.00084EPSS
Exploits0References8
Snyk
Snyk
added 2026/06/17 6:21 p.m.6 views

Time-of-check Time-of-use (TOCTOU) Race Condition

Overview org.webjars.npm:undici is an An HTTP/1.1 client, written from scratch for Node.js Affected versions of this package are vulnerable to Time-of-check Time-of-use TOCTOU Race Condition in the HTTP/1.1 client when an attacker-controlled upstream server injects an unsolicited response onto an...

6.3CVSS5.9AI score0.00228EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/17 6:6 p.m.10 views

Claude Code: Out-of-Band Data Exfiltration via Pre-Approved HuggingFace Domain in WebFetch

Because the hostname huggingface.co was pre-approved as a bare hostname for the WebFetch tool, any path on that domain—including attacker-controlled model repositories—was auto-approved without a permission prompt or being subject to --allowedTools restrictions. An attacker able to inject untrust...

9.1CVSS5.5AI score0.00403EPSS
Exploits0References2Affected Software1
Snyk
Snyk
added 2026/06/17 2:3 p.m.9 views

Incorrect Conversion between Numeric Types

Overview vllm is an A high-throughput and memory-efficient inference and serving engine for LLMs Affected versions of this package are vulnerable to Incorrect Conversion between Numeric Types in the ggmldequantize, ggmlmulmatveca8, ggmlmulmata8, and ggmlmoea8 functions when tensor dimensions are...

7.5CVSS5.9AI score0.00281EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/17 1:55 p.m.10 views

Pi Agent: Pi loads project-local extensions without approval

Pi loads project-local extensions without approval Pi before 0.79.0 loaded project-local configuration and resources from a repository's .pi directory without first asking the user to trust that repository. This included project-local extensions, which are executable TypeScript or JavaScript...

4.4CVSS5.6AI score0.00118EPSS
Exploits0References8Affected Software1
Veracode
Veracode
added 2026/06/17 9:30 a.m.9 views

Open Redirect

Spring Authorization Server is vulnerable to Open Redirect. The vulnerability is due to insufficient validation of the requesturi parameter at the authorization endpoint, where a malicious authorization request can include an invalid requesturi and an attacker-controlled redirecturi, resulting in...

6.1CVSS5.4AI score0.00172EPSS
Exploits0References2Affected Software1
Microsoft CVE
Microsoft CVE
added 2026/06/17 8:2 a.m.11 views

gun HTTP/1.1 response buffer has no size limit allowing server-controlled memory exhaustion

...

8.7CVSS5.8AI score0.00381EPSS
Exploits0
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.14 views

PT-2026-50573

Name of the Vulnerable Software and Affected Versions TypeBot versions prior to 3.17.0 Description An unauthenticated issue exists in the chatbot builder tool where the endpoint "/api/blocks/file-input/v3/generate-upload-url" uses unsanitized fileName input to construct public S3 object keys. The...

9.3CVSS6AI score0.00268EPSS
Exploits0References5
Patchstack
Patchstack
added 2026/06/16 11:34 p.m.5 views

NPM: n8n: SecurityScorecard Node Leaks API Token to User-Controlled Host

NPM: n8n: SecurityScorecard Node Leaks API Token to User-Controlled Host vulnerability discovered by ? in WordPress Npm n8n versions 1.123.55...

7.7CVSS5.8AI score0.00353EPSS
Exploits0References2Affected Software1
Rows per page
Query Builder