Lucene search
K

937 matches found

RedhatCVE
RedhatCVE
added 2026/05/28 8:12 p.m.13 views

CVE-2026-44346

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.39, a malicious bentofile.yaml containing a newline-injected value in envs.name produces unquoted RUN directives in the BentoML-generated Dockerfile. When the victim runs bentom...

8.8CVSS5.9AI score0.00321EPSS
Exploits1References1
OSV
OSV
added 2026/05/28 12:0 a.m.8 views

MAL-2026-4879 Malicious code in @car-loans/save (npm)

Part of a dependency confusion attack campaign targeting the @car-loans, @fb-deposit, and @debit-ib npm scopes. The attacker npm user pik-libs published 25 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version resolution,...

5.8AI score
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/28 12:0 a.m.12 views

Malicious code in @mlspace/env-jupyter-server (npm)

Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...

5.8AI score
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/27 5:22 p.m.13 views

CVE-2026-44346

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.39, a malicious bentofile.yaml containing a newline-injected value in envs.name produces unquoted RUN directives in the BentoML-generated Dockerfile. When the victim runs bentom...

8.8CVSS5.9AI score0.00321EPSS
Exploits1References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/27 12:0 a.m.10 views

PT-2026-45980

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.39, a malicious bentofile.yaml containing a newline-injected value in envs.name produces unquoted RUN directives in the BentoML-generated Dockerfile. When the victim runs bentom...

8.8CVSS5.9AI score
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/26 10:17 a.m.13 views

Malicious code in @leviyuan/lodestar (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8c295b3a16fad72f7b165d049e75feb88883dcc1b5b8d9d72b52ac7b40aa09ba The package ships a lifecycle-invoked script dist/lodestar-setup.js that performs an HTTP POST to a hardcoded https://open.feishu.cn endpoint, with...

5.8AI score
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/25 8:49 a.m.15 views

Malicious code in vite-plugin-env-compat-1.5 (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 0597776b3155fb9a02f2a9e559b28d2e07543aaf5fad3e2e26c594876e77fce7 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

5.8AI score
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/25 8:49 a.m.13 views

Malicious code in vite-plugin-env-compat-plus (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 2512f14cad895787ebcbbf00d51ef388752104f69dcba83360b9ce44a04467f2 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

5.8AI score
Exploits0References1
OSV
OSV
added 2026/05/25 8:49 a.m.11 views

MAL-2026-4333 Malicious code in vite-plugin-env-compat-1.5 (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 0597776b3155fb9a02f2a9e559b28d2e07543aaf5fad3e2e26c594876e77fce7 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

5.8AI score
Exploits0References1
Snyk
Snyk
added 2026/05/24 3:36 p.m.10 views

Malicious Package

Overview dev-env-bootstrapper is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/24 3:30 a.m.15 views

CVE-2026-9352

A weakness has been identified in NousResearch hermes-agent up to 2026.4.23. This issue affects the function makerunenv of the file tools/environments/local.py of the component Messaging Gateway Handler. Executing a manipulation can lead to information disclosure. The attack may be launched...

6.9CVSS5.7AI score0.00286EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2026/05/24 3:30 a.m.26 views

CVE-2026-9352

Affected software/area: NousResearch hermes-agent (Messaging Gateway Handler), up to 2026.4.23. Vulnerability details: A weakness in the function _make_run_env in tools/environments/local.py can lead to information disclosure. The issue may be exploitable remotely; exploit has been made publicly ...

6.9CVSS5.7AI score0.00286EPSS
Exploits0References4
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/24 1:45 a.m.13 views

Malicious code in env-loader-cli (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1749501a0825ad4a98638bbab4bd2bd9550436adcb9bb7781b6552735f7f3eb0 The package advertises itself as a benign.env/JSON/YAML loader but its top-level init.py imports a hidden core module that, on every import envloader...

5.9AI score
Exploits0References6
OSV
OSV
added 2026/05/24 1:45 a.m.11 views

MAL-2026-4272 Malicious code in env-loader-cli (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1749501a0825ad4a98638bbab4bd2bd9550436adcb9bb7781b6552735f7f3eb0 The package advertises itself as a benign.env/JSON/YAML loader but its top-level init.py imports a hidden core module that, on every import envloader...

5.9AI score
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/05/24 12:0 a.m.15 views

PT-2026-42910

Name of the Vulnerable Software and Affected Versions NousResearch hermes-agent versions prior to 2026.4.24 Description A weakness in the Messaging Gateway Handler component allows for remote information disclosure. The issue is located within the make run env function in the...

6.9CVSS6.1AI score0.00286EPSS
Exploits0References8
CNNVD
CNNVD
added 2026/05/24 12:0 a.m.10 views

Hermes Agent 访问控制错误漏洞

Hermes Agent is an AI agent tool developed by Nous Research, featuring self-learning capabilities. Versions of Hermes Agent prior to 2026.4.23 contained a access control vulnerability. This vulnerability originated from the makerunenv function in the tools/environments/local.py file of the...

6.9CVSS6.1AI score0.00286EPSS
Exploits0References5
Snyk
Snyk
added 2026/05/23 9:0 p.m.16 views

Malicious Package

Overview env-loader-cli is a malicious package. This package contains malicious code, and its content was removed from the official package manager. The package was linked to a supply chain attack and contained code designed to steal developer secrets, crypto wallets, SSH keys, and cloud...

9.8CVSS5.8AI score
Exploits0References2
OSV
OSV
added 2026/05/23 12:0 a.m.13 views

MAL-2026-4277 Malicious code in dev-env-bootstrapper (npm)

Ten packages published by npm user asdxzxc at version 1.0.10 target developers working on AI and LLM tooling. Each package masquerades as a developer utility while executing a two-stage payload triggered via postinstall: package.json → lib/setup.js → lib/worker.js. Credential harvesting:...

6.2AI score
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/22 5:16 a.m.17 views

Malicious code in wrld-dev (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 58965a325ad88c872b7c01668e4c08ca337b5fa022c15e626e23697d23fb594c The package exposes a public authentication API auth.user.login, auth.user.register, auth.user.get, auth.user.delete, plus an auth.system RPC surface...

5.9AI score
Exploits0References1
Snyk
Snyk
added 2026/05/22 2:43 a.m.15 views

Malicious Package

Overview python-env-auditor is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Rows per page
Query Builder