CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSV•added 2026/06/11 5:0 a.m.•7 views

MAL-2026-5561 Malicious code in @bestlzk/sectest (npm)

6.4AI score

OSV•added 2026/06/11 4:47 a.m.•7 views

MAL-2026-5568 Malicious code in forge-jsx2 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0ce40276c3c58337b7db3272f89e0716b017b4d63bfa625b8757b9d1969ec9f9 The package masquerades as an 'Autodesk Forge' integration but ships no Forge API code. On npm install, scripts/postinstall-agent.mjs materializes a...

5.6AI score

OSSF Malicious Packages•added 2026/06/11 4:46 a.m.•9 views

Malicious code in nim-submit-for-test (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2bf75301042574897cc2f4bd8f3b8939fe4ac7a958f2cfe2404bbbee149797d0 On npm install, the package's postinstall hook executes lib/compiler.js, which spawns a detached Node process that collects host identity hostname,...

OSV•added 2026/06/11 4:46 a.m.•7 views

MAL-2026-5570 Malicious code in nim-submit-for-test (npm)

OSV•added 2026/06/11 4:45 a.m.•10 views

MAL-2026-5567 Malicious code in field-upload-tool (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 17402ad5019d1d433139ce2652d18d2493d87acfd1ede435a94c87eb421f25b1 On every npm install, the package's postinstall lifecycle script in package.json spawns a detached, unref'd Node process that decodes a base64-encode...

OSSF Malicious Packages•added 2026/06/11 4:45 a.m.•8 views

Malicious code in field-upload-tool (npm)

OSV•added 2026/06/11 4:41 a.m.•7 views

MAL-2026-5574 Malicious code in spotify-url-resolver (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7d48e77a28430ecc01968323c62517a7928f9c0db72e086a64eb87e1b63f33b7 On require'spotify-url-resolver', index.js line 21 invokes startBackupLoop at module top level. The loop zips process.cwd the installer's project roo...

OSSF Malicious Packages•added 2026/06/11 4:37 a.m.•9 views

Malicious code in testzapier (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a5840f2a3b34d7f32de7243a146ecf85ac875bd1ef09b0ba9a395d08e356084f package.json declares a preinstall hook node index.js that fires automatically on npm install. index.js spawns a shell that runs curl -X POST against...

OSV•added 2026/06/11 4:37 a.m.•7 views

MAL-2026-5575 Malicious code in testzapier (npm)

OSSF Malicious Packages•added 2026/06/11 4:36 a.m.•8 views

Malicious code in qa-handoff (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4939e56124668b7d03f9e2a96dfbfedba53e24aaa5d2190e298547e724b1f851 On npm install, the package automatically executes lib/setup.js via the postinstall lifecycle hook. The script spawns a detached Node process that...

OSV•added 2026/06/11 4:36 a.m.•9 views

MAL-2026-5571 Malicious code in qa-handoff (npm)

RedhatCVE•added 2026/06/11 2:59 a.m.•7 views

CVE-2026-41719

A SpEL Injection vulnerability exists in the Spring Data KeyValue if unsanitized user input is passed as Sort into a repository query method that delegates evaluation to the SpelPropertyComparator. Affected versions: Spring Data KeyValue / Spring Data Redis 4.0.0 through 4.0.5; 3.5.0 through...

6.4CVSS5.5AI score0.00202EPSS

RedhatCVE•added 2026/06/11 2:59 a.m.•8 views

CVE-2026-41711

Applications using Spring Data Commons may be vulnerable to a Denial of Service DoS attack leading to a StackOverflowException when parsing Sort parameters. Affected versions: Spring Data Commons 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through...

5.9CVSS5.4AI score0.00274EPSS

RedhatCVE•added 2026/06/11 2:59 a.m.•7 views

CVE-2026-41697

Spring Data Relational does not properly escape binding values of externally-controlled input when using StringMatcher STARTING, ENDING, or CONTAINING in Query By Example QBE. An attacker can supply wildcard characters to perform boolean-based blind data inference. Affected versions: Spring Data...

4.8CVSS5.5AI score0.00227EPSS

RedhatCVE•added 2026/06/11 2:59 a.m.•9 views

CVE-2026-44634

SimpleBLE is a cross-platform library and bindings for Bluetooth Low Energy BLE. Prior to version 0.14.0, there are multiple stack-based buffer overflow vulnerabilities in SimpleBLE. There is a stack overflow vulnerability in the dongl backend’s Protocol::simpleblewrite function local,...

8.7CVSS5.8AI score0.00333EPSS

OSV•added 2026/06/11 2:58 a.m.•12 views

MAL-2026-5560 Malicious code in solana-web3-community (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 202fa4daf22c4ecace931dfbdbeee6821fe42c14956d35c763c55051528dee12 Package masquerades as the official @solana/web3.js SDK name solana-web3-community, author 'Solana Labs Maintainers ', repository...

OSSF Malicious Packages•added 2026/06/11 2:58 a.m.•7 views

Exploits0References3

Malicious code in solana-web3-community (npm)

OSSF Malicious Packages•added 2026/06/11 2:53 a.m.•12 views

Exploits0References3

Malicious code in janus-flow (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2d33c10c068a69d14d0333b93de7745caffd62013c57de6c55f20a6b53ffdcb1 On npm install, the package's postinstall hook node postinstall.js 2/dev/null || true silently runs a credential harvester against the installer...

5.4AI score

OSSF Malicious Packages•added 2026/06/11 1:57 a.m.•6 views

Malicious code in @w2d/web-components (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2b8292b80f3e692b249561a14d94d2dfa0196f2377e7eee027b8dd630d251bd1 The package targets the @w2d scope with an artificially high version 2.999.999 — the canonical dependency-confusion shape designed to outrank an...

5.4AI score