Lucene search
K

4594 matches found

Nuclei
Nuclei
added yesterday68 views

Vite server.fs.deny Bypass - Local File Inclusion

Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with sec-fetch-dest- script header, the server.fs.deny restriction was able to bypass. This bypass is only possible if the file is smaller than...

5.3CVSS6.7AI score0.38685EPSS
Exploits7References5
Nuclei
Nuclei
added yesterday55 views

Vite - Path Traversal

Vite versions prior to 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13 contain a file exposure vulnerability caused by improper handling of request URLs with '' in the dev server running on Node or Bun, letting attackers access arbitrary files, exploit requires the server to be exposed to the network an...

6CVSS6.7AI score0.01725EPSS
Exploits2References2
Nuclei
Nuclei
added yesterday11 views

Vite dev server - Cross-Site Scripting

Vite's dev server, when used with appType: 'custom' and manually invoking server.transformIndexHtml using the unmodified request URL, is vulnerable to XSS via a crafted URL payload. If the HTML being served includes an inline module script ..., an attacker can inject a script via the URL,...

6.1CVSS6.7AI score0.00997EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday92 views

Vite Dev Server - Path Traversal in Optimized Deps .map Handling

Vite development server versions prior to 8.0.5, 7.3.2, and 6.4.2 are vulnerable to path traversal through the optimized dependencies sourcemap handler. The dev server's handling of .map requests for optimized dependencies resolves file paths via normalizePathpath.resolveroot, url.slice1 and call...

6.3CVSS6.1AI score0.00914EPSS
Exploits1References3
Nuclei
Nuclei
added yesterday75 views

Vite Dev Server - Information Exposure

Vite is a frontend tooling framework for JavaScript. Before versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network using...

6CVSS6.2AI score0.01077EPSS
Exploits1References2
Debian CVE
Debian CVE
added last week5 views

CVE-2026-15185

A vulnerability was determined in GPAC 26.03-DEV. This affects the function vobsubreadidx of the file /src/mediatools/vobsub.c of the component MP4Box. Executing a manipulation of the argument numlangs can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been...

4.8CVSS5.4AI score0.00112EPSS
Exploits0
RedHat Linux
RedHat Linux
added 2026/07/08 5:12 p.m.11 views

Important: Red Hat Security Advisory: Red Hat OpenShift Dev Spaces 3.29.0 Release.

Red Hat OpenShift Dev Spaces 3.29.0 has been released. Red Hat OpenShift Dev Spaces provides a cloud developer workspace server and a browser-based IDE built for teams and organizations. Dev Spaces runs in OpenShift and is well-suited for container-based development. The 3.29 release is based on...

10CVSS6.8AI score0.01041EPSS
Exploits17References33
OSV
OSV
added 2026/07/07 4:52 p.m.3 views

GO-2026-5761 Malicious image with /dev symlink can trigger limited host filesystem integrity violations in github.com/opencontainers/runc

Malicious image with /dev symlink can trigger limited host filesystem integrity violations in github.com/opencontainers/runc...

3.3CVSS5.9AI score0.00222EPSS
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/07/07 3:34 p.m.10 views

Malicious code in load-nuxt-dev (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cf0f879297070c07197ace88cfb411c61d497ad150e39c2c5c91349737f5d83a The package name resembles the legitimate Nuxt ecosystem tooling e.g., @nuxt/load-nuxt, and the version 99.0.3 is a common dependency-confusion /...

5.9AI score
Exploits0References2
OSV
OSV
added 2026/07/07 3:34 p.m.7 views

MAL-2026-6935 Malicious code in load-nuxt-dev (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cf0f879297070c07197ace88cfb411c61d497ad150e39c2c5c91349737f5d83a The package name resembles the legitimate Nuxt ecosystem tooling e.g., @nuxt/load-nuxt, and the version 99.0.3 is a common dependency-confusion /...

6.1AI score
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/07/06 9:14 p.m.5 views

CVE-2026-42148

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, the buildHelperImage method in app/Livewire/Settings/Index.php constructs a Docker build command using the devhelperversion field without shell escaping, allowing an attack...

3.8CVSS6.2AI score0.00121EPSS
Exploits0References4Affected Software1
RedhatCVE
RedhatCVE
added 2026/07/06 10:47 a.m.11 views

CVE-2026-14631

A flaw was found in webpack-dev-server. An unauthenticated remote attacker could send a specially crafted HTTP request with a malformed Host header or a WebSocket upgrade with a malformed Origin header. This malformed input causes an uncaught exception, leading to the termination of the Node.js...

5.3CVSS5.9AI score0.00308EPSS
Exploits0References5
NVD
NVD
added 2026/07/06 8:16 a.m.10 views

CVE-2026-14802

A vulnerability was detected in react create-react-app up to 5.0.1 on macOS. This affects the function startBrowserProcess of the file openBrowser.js of the component react-dev-utils. Performing a manipulation results in os command injection. Remote exploitation of the attack is possible. The...

7.5CVSS0.01324EPSS
Exploits0References6
EUVD
EUVD
added 2026/07/06 6:30 a.m.6 views

EUVD-2026-41815

A vulnerability was detected in react create-react-app up to 5.0.1 on macOS. This affects the function startBrowserProcess of the file openBrowser.js of the component react-dev-utils. Performing a manipulation results in os command injection. Remote exploitation of the attack is possible. The...

7.5CVSS5.7AI score0.01324EPSS
Exploits0References6
CVE
CVE
added 2026/07/06 6:30 a.m.25 views

CVE-2026-14802

CVE-2026-14802 affects react-create-app releases up to 5.0.1 on macOS, targeting the startBrowserProcess function in openBrowser.js within react-dev-utils. The root cause is an input manipulation that enables OS command injection, with remote exploitation described as possible and the exploit pub...

7.5CVSS6.7AI score0.01324EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/07/06 6:30 a.m.39 views

CVE-2026-14802 react create-react-app react-dev-utils openBrowser.js startBrowserProcess os command injection

A vulnerability was detected in react create-react-app up to 5.0.1 on macOS. This affects the function startBrowserProcess of the file openBrowser.js of the component react-dev-utils. Performing a manipulation results in os command injection. Remote exploitation of the attack is possible. The...

7.5CVSS0.01324EPSS
Exploits0References6
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/07/05 3:16 p.m.11 views

Malicious code in @adobesign/as-dev-tools (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6752e4d30c584cb5ca6f67265c983257c1531aa306b47ec00b43ddae83fe2532 The package's package.json declares a postinstall lifecycle hook that pipes the output of whoami through curl to a hardcoded Burp Collaborator...

5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/07/03 7:13 p.m.6 views

Improper Input Validation

Overview webpack-dev-server is an Uses webpack with a development server that provides live reloading. It should be used for development only. Affected versions of this package are vulnerable to Improper Input Validation through the host-validation process. An attacker can cause the server to...

6.9CVSS6AI score0.00308EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/03 6:16 p.m.5 views

Cross-site Request Forgery (CSRF)

Overview webpack-dev-server is an Uses webpack with a development server that provides live reloading. It should be used for development only. Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the open-editor and invalidate endpoints. An attacker can open...

5.3CVSS6AI score0.00116EPSS
Exploits0References2
NVD
NVD
added 2026/07/03 6:16 p.m.10 views

CVE-2026-14631

webpack-dev-server versions 5.2.5 and earlier terminate the whole Node.js process when an unauthenticated peer sends either a normal HTTP request with a malformed Host header or a WebSocket upgrade to the default /ws endpoint with a malformed Origin header. The malformed value causes an uncaught...

5.3CVSS0.00308EPSS
Exploits0References2
Rows per page
Query Builder