CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSSF Malicious Packages•added 2 days ago•4 views

Malicious code in zod-pino (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c536e5a7ee3d5542e1ac822b30ba4525e52b2ae0c964d0c2470468d91b9b41c8 The package is published under a name suggesting a Pino logger integration for Zod, but the tarball contents do not match that purpose and exhibit...

6AI score

Exploits0References5

OSV•added 2 days ago•3 views

MAL-2026-6273 Malicious code in zod-pino (npm)

6AI score

Exploits0References5

OSV•added 2 days ago•4 views

MAL-2026-6258 Malicious code in onboarding-respects-modal (npm)

onboarding-respects-modal is a dependency confusion proof-of-concept package published to the public npm registry by the account r0binak and self-labeled "Security research PoC - Dependency Confusion Hunter". It was published at the artificially high version 999.99.99, a floating-version bait use...

OSSF Malicious Packages•added 2 days ago•5 views

Malicious code in respects-switch (npm)

respects-switch is a dependency confusion proof-of-concept package published to the public npm registry by the account r0binak and self-labeled "Security research PoC - Dependency Confusion Hunter". It was published at the artificially high version 999.0.0, the canonical floating-version bait use...

OSSF Malicious Packages•added 2 days ago•6 views

Malicious code in crud-respect (npm)

crud-respect is a dependency confusion proof-of-concept package published to the public npm registry by the account r0binak and self-labeled "Security research PoC - Dependency Confusion Hunter". It was published at the artificially high version 999.99.99, a floating-version bait used to outrank ...

5.9AI score

OSV•added 2 days ago•5 views

MAL-2026-6259 Malicious code in respects-switch (npm)

OSV•added 2 days ago•4 views

MAL-2026-6257 Malicious code in crud-respect (npm)

5.9AI score

NVD•added 2026/06/16 7:17 p.m.•10 views

CVE-2026-53849

OpenClaw before 2026.5.7 contains a privilege escalation vulnerability where the allowFrom feature improperly validates Discord account identity using mutable display names instead of immutable user IDs. Attackers with Discord accounts can change their display name to match a policy entry and gai...

8.6CVSS0.00213EPSS

Exploits0References2

CVE•added 2026/06/16 6:4 p.m.•13 views

CVE-2026-53849

CVE-2026-53849 — OpenClaw prior to 2026.5.7 : A privilege-escalation in which the allowFrom feature validates Discord identity via mutable display names instead of immutable user IDs. An attacker with a Discord account can alter their display name to align with a policy entry and gain unauthorize...

8.6CVSS5.3AI score0.00213EPSS

Exploits0References2Affected Software1

OSV•added 2026/06/16 2:15 a.m.•7 views

MAL-2026-5856 Malicious code in carousel-controller-mixin (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c1a4b1be297682ca77d8a92fc502887ee6d718a5541fa88413acdc6accb3ed97 package.json declares both preinstall and postinstall hooks that execute callback.js on every install. callback.js collects username, uid, hostname,...

OSSF Malicious Packages•added 2026/06/16 2:14 a.m.•10 views

Exploits0References2

Malicious code in setka-editor (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a9dd5cda5d5a0925c139a36f0ea4c69b96052ff203d7dc365ac119408ba76069 package.json registers both preinstall and postinstall lifecycle hooks that run node callback.js, which executes automatically on npm install...

OSV•added 2026/06/16 2:14 a.m.•5 views

Exploits0References4

MAL-2026-5859 Malicious code in setka-editor (npm)

Positive Technologies•added 2026/06/16 12:0 a.m.•14 views

Exploits0References4

PT-2026-49766

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.5.7 Description The allowFrom feature improperly validates Discord account identity by using mutable display names instead of immutable user IDs. This allows an attacker to change their display or global name...

8.6CVSS5.5AI score0.00213EPSS

Exploits0References5

OSSF Malicious Packages•added 2026/06/13 8:10 p.m.•12 views

Malicious code in xy-shared (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d631443367624273d8b7d3347b2e173a72f3f7447424f25424dab8e68c4b1a25 package.json wires both preinstall and postinstall to node callback.js, which auto-executes on npm install. callback.js collects username, uid/gid,...

5.4AI score

OSV•added 2026/06/13 8:10 p.m.•9 views

MAL-2026-5746 Malicious code in xy-shared (npm)

5.4AI score

OSSF Malicious Packages•added 2026/06/12 8:35 p.m.•9 views

Malicious code in jextic-eclib (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 13a6476409b9cb9296b7f778be375081c8ad12b030658351092e9fef90f4b707 On npm install, the package's postinstall hook postinstall.js requires index.js, whose top-level scanAndExfiltrate call walks the installer's working...

5.5AI score

OSV•added 2026/06/12 8:35 p.m.•7 views

MAL-2026-5712 Malicious code in jextic-eclib (npm)

5.6AI score

OSSF Malicious Packages•added 2026/06/12 3:24 p.m.•7 views

Malicious code in voyager-web (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a7f4f15201378ec6cee4268469e85e17e50f3f5299d94a250031d6c2693177b8 package.json declares both preinstall and postinstall lifecycle hooks that execute callback.js on npm install. callback.js collects installer-side...

5.5AI score

OSV•added 2026/06/12 3:24 p.m.•8 views

MAL-2026-5696 Malicious code in voyager-web (npm)

5.5AI score