CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Malicious code in dttfdsdee (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis bb785783c80ff1b3c13e9d6dc3b3c583d2eeb58f9f7f102d219a7448a71560b5 The OpenSSF Package Analysis project identified 'dttfdsdee' @ 1.0.1 npm as malicious. It is considered malicious because: - The package...

5.9AI score

Exploits0

Malicious code in chai-as-synced (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7bc0ee3e6a8341e046b84880f9faf0a4750f4a261a791b95d1267066d7828071 Package name 'chai-as-synced' impersonates the well-known 'chai-as-promised'. On require, index.js spawns a detached, stdio-ignored Node child runnin...

5.8AI score

Malicious code in set-cookie-ease (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b2bf656ba38b4d951239ee29799f510de4a8cb93fcf5d8005db4cd679a8631e6 Package masquerades as js-cookie same banner /! js-cookie v3.0.5 | MIT /, README, and repository.url: git://github.com/js-cookie/js-cookie.git but...

Malicious code in mongoose-json-format (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2a3dc63cdceb40d6f0fe338bcdbe589689ab2897f44cbb6b7c3d0192b5bd09c5 On require, helpers.js instantiates a Helper whose constructor invokes createLog. createLog base64-decodes the string assigned to HASHKEY decoding to...

NVD•added 1 hour ago•4 views

CVE-2026-8661

Server-Side Cross-Site Scripting and Server-Side Request Forgery vulnerability in the markdowntopdf action of Rapid7 InsightConnect Markdown Plugin version 3.1.4 and earlier on Linux allows remote attackers to execute JavaScript server-side and make arbitrary outbound HTTP requests via crafted...

4.8CVSS

NVD•added 1 hour ago•4 views

CVE-2026-13226

The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'after' parameter in all versions up to, and including, 4.5.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

6.5CVSS

Cvelist•added 2 hours ago•6 views

CVE-2026-8661 Server-Side Cross-Site Scripting and SSRF in Rapid7 InsightConnect Markdown to PDF Plugin

4.8CVSS

ATTACKERKB•added 2 hours ago•5 views

CVE-2026-8661

4.8CVSS6.2AI score

Exploits0References3

CVE•added 2 hours ago•9 views

CVE-2026-8661

CVE-2026-8661 affects the Rapid7 InsightConnect Markdown Plugin (Linux) up to version 3.1.4. The vulnerability is in the markdown_to_pdf action and combines Server-Side Scripting (XSS) with Server-Side Request Forgery (SSRF). It allows remote attackers to execute JavaScript server-side and to tri...

4.8CVSS6.2AI score

EUVD•added 2 hours ago•5 views

EUVD-2026-39616

4.8CVSS6.2AI score

Malicious code in @dervix/ws (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 79b9ab7431b1a6a1250c089e2ea33f54ad92313f587fbd2aabc020c12be55f69 Package @dervix/ws impersonates the popular ws WebSocket library — package.json copies the legitimate ws project's homepage...

6.1AI score

Malicious code in wellnpm (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 8e91f40e7af1730f15a357bb3074c7d208765ba41598c35373ed5b3b374d607a Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

5.8AI score

Malicious code in animatecss-postcss-plugin (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6be12cec08d0999c157774b746c3e431825ae61635bb8ddddf36061d4602cec7 [email protected] ships a tiny PostCSS plugin factory whose body contains an obfuscator.io-style string-array + RC4 decoder functions...

RedhatCVE•added 2 hours ago•4 views

CVE-2026-53160

A flaw was found in the Linux kernel's fastrpc component. A race condition in the fastrpcmapcreate function allows for a use-after-free vulnerability. This could enable an attacker to cause system instability, disclose sensitive information, or potentially execute unauthorized code...

5.7AI score0.00172EPSS

Exploits0References4

Cvelist•added 2 hours ago•4 views

CVE-2026-13226 Groundhogg <= 4.5.4 - Authenticated (Custom+) SQL Injection via 'after' Parameter

6.5CVSS

EUVD•added 2 hours ago•5 views

EUVD-2026-39615

6.5CVSS6AI score

ATTACKERKB•added 2 hours ago•3 views

CVE-2026-13226

6.5CVSS6AI score

Exploits0References9

CVE•added 2 hours ago•5 views

CVE-2026-13226

CVE-2026-13226 affects the Groundhogg WordPress plugin (CRM/Newsletters/Marketing Automation) up to version 4.5.4. It exposes a generic SQL Injection via the vulnerable 'after' parameter caused by insufficient escaping and lack of proper preparation in the existing SQL query. The issue allows aut...

6.5CVSS6AI score

RedhatCVE•added 2 hours ago•3 views

CVE-2026-53233

A flaw was found in the Linux kernel. A double-free vulnerability exists within the netdevnlbindrxdoit function, which is responsible for binding network device receive operations. This vulnerability arises when genlmsgreply consumes the socket buffer skb, and the error handling path subsequently...

7CVSS6.2AI score0.00175EPSS

Exploits0References4

Malicious code in @help-forms/application-aff (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ab5ab5493acb5b3ffcab7f80dbdf34e1485bbe5d5d03978949199cdabf6f676a @help-forms/[email protected] ships a heavily obfuscated postinstall script scripts/postinstall.js, obfuscator.io fingerprints: rotated string...