CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

RedhatCVE•added 5 days ago•8 views

CVE-2026-13006

A flaw was found in logback-core, a logging framework for Java applications. This vulnerability allows an attacker with existing privileges and write access to a configuration file, or the ability to inject a malicious environment variable, to execute arbitrary code. This can be achieved by...

OSV•added 5 days ago•4 views

Exploits0References4

MAL-2026-6467 Malicious code in @vpms/design-system (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 43ce5813fba2660b094a3e8a5c5a0bf2f1972530c294830c0a2e3d15dcd1b096 package.json declares preinstall="node index.js". On every npm install, index.js iterates process.env and harvests any variable whose name contains...

5.8AI score

Exploits0References5

ATTACKERKB•added 5 days ago•5 views

CVE-2026-55180

pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm and pacquet expanded $ENVVAR placeholders from repository-controlled .npmrc and pnpm-workspace.yaml into registry request destinations and registry credentials. A malicious repository could cause dependency resolution to send victim...

6.5CVSS5.8AI score0.00205EPSS

Exploits1References2Affected Software1

Cvelist•added 5 days ago•16 views

CVE-2026-54024 LibreChat: Incomplete Fix for CVE-2024-11171 — Conversation Import Multer Instance Missing File Size Limits

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the fix for CVE-2024-11171 commit bb58a2d0 added limits: fileSize to createMulterInstance in the file upload routes. However, the POST /api/convos/import endpoint uses a separate multer instance that w...

6.5CVSS0.00235EPSS

Exploits1References1

OSV•added 6 days ago•2 views

DEBIAN-CVE-2026-13006

ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.35 in Java applications, allows an attacker to execute arbitrary code circumventing existing protections against CVE-2025-11226 by compromising an existing logback configuration...

NVD•added 6 days ago•15 views

CVE-2026-13006

7CVSS0.00122EPSS

Debian CVE•added 6 days ago•5 views

CVE-2026-13006

Cvelist•added 6 days ago•33 views

Exploits0

CVE-2026-13006 Incomplete protection against CVE-2025-11226

7CVSS0.00122EPSS

ATTACKERKB•added 6 days ago•7 views

CVE-2026-13006

Exploits0References3Affected Software1

Vulnrichment•added 6 days ago•4 views

CVE-2026-13006 Incomplete protection against CVE-2025-11226

CVE•added 6 days ago•38 views

CVE-2026-13006

CVE-2026-13006 affects Java applications using logback-core up to version 1.5.34. The issue arises in conditional configuration file processing, allowing an attacker to execute arbitrary code while bypassing protections against CVE-2025-11226. A successful attack requires Janino on the classpath ...

EUVD•added 6 days ago•6 views

EUVD-2026-38691

ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.34 in Java applications, allows an attacker to execute arbitrary code circumventing existing protections against CVE-2025-11226 by compromising an existing logback configuration...

7CVSS6.2AI score0.00181EPSS

Positive Technologies•added 6 days ago•10 views

PT-2026-51676

Name of the Vulnerable Software and Affected Versions logback-core versions prior to 1.5.35 Description An arbitrary code execution issue exists in the conditional configuration file processing of Java applications. An attacker can execute arbitrary code by compromising an existing logback...

7CVSS6.5AI score0.00122EPSS

Exploits0References11

OSSF Malicious Packages•added 2026/06/22 7:54 a.m.•8 views

Malicious code in inversiones-common (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 347a767ebbbb5843e6b005c167d98c9ab7b3ea943fadd88401682f2a2b14b2a4 setup.py executes a beacon function at module top level before setup is called, so the payload fires automatically on pip install inversiones-common...

6.1AI score

Exploits0References3

AstraLinux•added 2026/06/19 11:10 a.m.•4 views

Astra Linux – Vulnerability in grub2

A flaw was discovered in grub2. During the network boot process, when attempting to search for the configuration file, grub copies data from a user-controlled environment variable into an internal buffer using the grubstrcpy function. During this step, it fails to consider the length of the...

7.6CVSS7.5AI score0.01373EPSS

AstraLinux•added 2026/06/19 11:10 a.m.•3 views

Astra Linux – Vulnerability in mtr

In certain privileged contexts, mtr improperly handles the execution of a program specified by the MTRPACKET environment variable. NOTE: On macOS, mtr may often be subject to sudo rules, as a result of Homebrew not installing setuid binaries...

7.8CVSS5.6AI score0.00142EPSS

NVD•added 2026/06/18 11:16 p.m.•11 views

CVE-2026-56075

PraisonAI before 4.5.128 contains an arbitrary shell command execution vulnerability where the UI modules hardcode approvalmode to auto, overriding administrator configuration from PRAISONAPPROVALMODE environment variable. Authenticated attackers can instruct the LLM agent to execute arbitrary...

8.8CVSS0.00476EPSS

Cvelist•added 2026/06/18 10:12 p.m.•21 views

CVE-2026-56075 PraisonAI - Arbitrary Shell Command Execution via Hardcoded Approval Mode Override

8.8CVSS0.00476EPSS

Snyk•added 2026/06/18 8:41 p.m.•7 views

Untrusted Search Path

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Untrusted Search Path via the PATH environment variable influencing the selection of the trash executable during maintenance tasks. An attacker can execute unintended local executables by...

7.2CVSS5.9AI score0.00119EPSS