867 matches found
Malicious Package
Overview: eslint-plugin-skyscanner-dates is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and thi...
CVE-2026-40600
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-30 19:46:18+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mkqevv52ge2t |
| 2026-04-30 20:41:57+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mkqhzgj7gn2h... |
MAL-2026-3202 Malicious code in eslint-plugin-skyscanner-dates (npm)
Source: amazon-inspector 0fa3152c92c23ebec42990f14c77642de971e5a5464b0e7c25ecdea012ac81e4 The package eslint-plugin-skyscanner-dates was found to contain malicious code. Source: ghsa-malware...
Malicious code in eslint-plugin-skyscanner-dates (npm)
Source: amazon-inspector 0fa3152c92c23ebec42990f14c77642de971e5a5464b0e7c25ecdea012ac81e4 The package eslint-plugin-skyscanner-dates was found to contain malicious code. Source: ghsa-malware...
EUVD-2026-22708
Chamilo is an open-source learning management system (LMS). Version 2.0.0-RC.2 contains a SQL Injection vulnerability in the statistics AJAX endpoint, which is an incomplete fix for CVE-2026-30881. While CVE-2026-30881 was patched by applying Security::removeXSS to the datestart and dateend...
CVE-2026-6156
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-12 18:14:12+00:00 | seen | https://infosec.exchange/users/vuldb/statuses/116393092827920071 |
| 2026-04-13 04:17:47+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mjdz3ws2e424 |
| 2026-04-13 04:30:29+00:00 | seen | ... |
CVE-2026-35666
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-10 18:22:12+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mj5wv4zcsb2r |
| 2026-04-10 19:31:00+00:00 | published-proof-of-concept | Telegram/322WwBU1dw1XQZkuhsakuExWgO3IPBTTwKsYVMIxa3Dc |
| 2026-04-11 08:02:08+00:00 | seen | ... |
Inefficient Algorithmic Complexity
Overview: Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity through the addRepeatIntervalToTime function. An attacker can exhaust server resources and render the application unresponsive by creating tasks with extremely small repeat intervals and due dates far ...
CVE-2026-5448 1-2 Byte Buffer Overflow in wolfSSL_X509_notAfter/notBefore
X.509 date buffer overflow in wolfSSL_X509_notAfter / wolfSSL_X509_notBefore. A buffer overflow may occur when parsing date fields from a crafted X.509 certificate via the compatibility layer API. This is only triggered when calling these two APIs directly from an application, and does not affect TLS...
PT-2026-31827
Name of the Vulnerable Software and Affected Versions: wolfSSL (affected versions not specified). Description: A buffer overflow may occur when parsing date fields from a crafted X.509 certificate via the compatibility layer API. This issue is triggered when directly calling the wolfSSL X509 notAfter...
EUVD-2026-20105
The Riaxe Product Customizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4 via the '/wp-json/InkXEProductDesignerLite/orders' REST API endpoint. The endpoint is registered with 'permission_callback' set to '__return_true', meaning no...
CVE-2023-46945
QD 20230821 is reported vulnerable to a Server-Side Request Forgery (SSRF) via a crafted request. The connected records confirm the presence of an SSRF issue but do not provide vendor, exact product version, or a patch/remediation. No exploitation details or mitigation steps are present in the su...
EUVD-2026-19913
Plane is an open-source project management tool. Prior to 1.3.0, the IssueBulkUpdateDateEndpoint allows a project member (ADMIN or MEMBER) to modify the startdate and targetdate of ANY issue across the entire Plane instance, regardless of workspace or project membership. The endpoint fetches...
CVE-2026-39374
Plane is an open-source project management tool. Prior to 1.3.0, the IssueBulkUpdateDateEndpoint allows a project member (ADMIN or MEMBER) to modify the startdate and targetdate of ANY issue across the entire Plane instance, regardless of workspace or project membership. The endpoint fetches...
CVE-2026-39374 Plane IDOR: Cross-Project Issue Date Modification via Bulk Update Endpoint
Plane is an open-source project management tool. Prior to 1.3.0, the IssueBulkUpdateDateEndpoint allows a project member (ADMIN or MEMBER) to modify the startdate and targetdate of ANY issue across the entire Plane instance, regardless of workspace or project membership. The endpoint fetches...
EUVD-2026-19829
ChurchCRM is an open-source church management system. Prior to 7.1.0, the FindFundRaiser.php endpoint reflects user-supplied input DateStart and DateEnd into HTML input field attributes without proper output encoding for the HTML attribute context. An authenticated attacker can craft a malicious U...
CVE-2026-4788
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-07 16:16:41+00:00 | seen | https://www.incibe.es/incibe-cert/alerta-temprana/vulnerabilidades/cve-2026-4788 |
| 2026-04-08 03:16:41+00:00 | seen | Telegram/dROJOrCDMnkwqXhb9-Y-ghLBhlUA50W24DQUefxFEp990g8 |
| 2026-04-08 04:48:38+00:00 | seen | ... |
CVE-2026-32755
Admidio is an open-source user management solution. In versions 5.0.6 and below, the savemembership action in modules/profile/profilefunction.php saves changes to a member's role membership start and end dates but does not validate the CSRF token. The handler checks stopmembership and...
CVE-2026-30881
Chamilo LMS is a learning management system. Version 1.11.34 and prior contains a SQL Injection vulnerability in the statistics AJAX endpoint. The parameters datestart and dateend from $_REQUEST are embedded directly into a raw SQL string without proper sanitization. Although Database::escapestrin...