CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

95 matches found

EUVD•added 2026/05/18 1:26 p.m.•3 views

EUVD-2026-30561

Microsoft APM: Symlinks under .apm/prompts/ and .apm/agents/ are dereferenced during apm install, copying host-local file contents into the project tree...

7.4CVSS5.8AI score0.00069EPSS

Exploits0References4

NVD•added 2026/05/15 5:16 p.m.•8 views

CVE-2026-45539

Microsoft APM is an open-source, community-driven dependency manager for AI agents. From 0.5.4 to 0.12.4, two primitive integrators in apm-cli enumerate package files with bare Path.glob / Path.rglob calls and read each match with Path.readtext, transparently following symbolic links. A symlink...

7.4CVSS0.00069EPSS

Exploits0References1

Cvelist•added 2026/05/15 4:4 p.m.•35 views

CVE-2026-46383 Microsoft APM: Windows absolute-path tar member overwrite during legacy-bundle probing in `apm install`

Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.13.0, Microsoft APM contains a Windows-specific archive extraction boundary failure in the legacy-bundle probe used by apm install on supported Python 3.10 and 3.11 runtimes. When apm install is given a...

5.5CVSS0.00055EPSS

Exploits0References1

EUVD•added 2026/05/15 4:0 p.m.•4 views

EUVD-2026-30562

Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.8.12, Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.json into .apm/. The manifest fields agents, skills, commands, and hooks are attacker-controlled, but...

7.1CVSS5.9AI score0.00057EPSS

Exploits0References1

CNNVD•added 2026/05/15 12:0 a.m.•5 views

APM – Agent Package Manager 路径遍历漏洞

APM – Agent Package Manager is an open-source AI-based dependency management tool developed by Microsoft. Versions of APM prior to 0.8.12 contained a path traversal vulnerability. This vulnerability stemmed from the lack of verification that the plugin paths were within the plugin directory, whic...

7.1CVSS5.8AI score0.00057EPSS

Exploits0References1

UbuntuCve•added 2026/04/24 6:16 p.m.•1 views

CVE-2026-41140

Poetry is a dependency manager for Python. Prior to 2.3.4, the extractall function in src/poetry/utils/helpers.py:410-426 extracts sdist tarballs without path traversal protection on Python versions where tarfile.datafilter is unavailable. Considering only Python versions which are still supporte...

2.3CVSS5.8AI score0.0009EPSS

Exploits0References2

Debian CVE•added 2026/04/24 5:10 p.m.•1 views

CVE-2026-41140

2.3CVSS5.4AI score0.0009EPSS

Exploits0

ATTACKERKB•added 2026/04/15 8:56 p.m.•1 views

CVE-2026-40261

Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::syncCodeBase method, which appends the $sourceReference parameter to a shell command without proper escaping, and additionally in the...

8.8CVSS6AI score0.0005EPSS

Exploits3References3Affected Software1

Tenable Nessus•added 2026/04/05 12:0 a.m.•1 views

Linux Distros Unpatched Vulnerability : CVE-2026-34591

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Poetry is a dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted wheel can contain ../ paths that Poetry writes to disk without...

7.1CVSS6AI score0.00016EPSS

Exploits1References3

RedhatCVE•added 2026/04/03 12:51 p.m.•0 views

CVE-2026-34591

A flaw was found in Poetry, a dependency manager for Python. A remote attacker can exploit this vulnerability by providing a specially crafted package wheel that contains directory traversal sequences. When Poetry installs this malicious package, it writes files to arbitrary locations on the syst...

7.1CVSS6.1AI score0.00016EPSS

Exploits1References7

UbuntuCve•added 2026/04/02 6:16 p.m.•1 views

CVE-2026-34591

Poetry is a dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary file write with the privileges of the Poetry process. It is reachable from untrusted package...

7.1CVSS6.1AI score0.00016EPSS

Exploits1References1

CVE•added 2026/04/02 5:35 p.m.•16 views

CVE-2026-34591

CVE-2026-34591 is linked to a wheel path traversal in Poetry. The connected advisories (GHSA-2599-H6XX-HPXP / OSV) show that a crafted wheel can include non-contained ../ paths, allowing arbitrary file write during installation via the wheel destination logic (wheel_installer and executable path ...

7.1CVSS6.1AI score0.00016EPSS

Exploits1References4Affected Software1

Debian CVE•added 2025/12/30 4:11 p.m.•3 views

CVE-2025-67746

Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and...

5.3CVSS5.4AI score0.00018EPSS

Exploits0

EUVD•added 2025/10/03 8:7 p.m.•3 views

EUVD-2023-2755