Lucene search
K

2576 matches found

OSSF Malicious Packages
OSSF Malicious Packages
added 2 days ago4 views

Malicious code in cookie-parser-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c6c2bd7c1b5b363e72753401f6edebf816965a625227e6523210e4620ce9bb8a cookie-parser-js impersonates the widely used cookie-parser package: it copies TJ Holowaychuk / Doug Wilson author metadata, the description, the...

6.6AI score
Exploits0References7
NVD
NVD
added 3 days ago7 views

CVE-2026-56273

Flowise before 3.1.0 contains a path traversal vulnerability in Faiss and SimpleStore vector store implementations that accept unsanitized basePath parameters from authenticated users. Attackers with valid API tokens can write vector store data to arbitrary filesystem locations, potentially...

6.5CVSS0.0033EPSS
Exploits0References2
RedHat Linux
RedHat Linux
added 3 days ago9 views

kernel: nfsd: fix heap overflow in NFSv4.0 LOCK replay cache

A flaw was found in the Linux kernel's NFSv4.0 server nfsd. A remote, unauthenticated attacker can exploit this heap overflow vulnerability in the NFSv4.0 LOCK replay cache. By using two cooperating NFSv4.0 clients, where one sets a lock with a large owner string and another requests a conflictin...

9.8CVSS6.6AI score0.0049EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 4 days ago6 views

PT-2026-56272

Name of the Vulnerable Software and Affected Versions DBI versions prior to 1.650 Description Code injection is possible via a caller-influenced Profile attribute. When a string is assigned to this attribute, the software splits it into path, package, and arguments, then interpolates the package...

8.8CVSS6.6AI score0.00487EPSS
Exploits0References14
OSV
OSV
added 5 days ago5 views

GHSA-QRWJ-VH9X-GW5V Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write

Summary agentConn.apiClient used the default redirect behavior of http.Client while its custom transport dialed the host from the request URL as long as the port was the workspace agent HTTP API port 4. Agent tailnet IPs are deterministic from agent UUIDs, so a malicious workspace agent could...

8.3CVSS6.2AI score
Exploits0References3
RedhatCVE
RedhatCVE
added 5 days ago5 views

CVE-2026-8925

A flaw was found in curl. The logic handling SASL Simple Authentication and Security Layer authentication could lead to a double-free vulnerability. This occurs because the GSASL context may be deallocated twice without clearing the pointer, potentially leading to memory corruption. An attacker...

9.8CVSS6AI score0.0108EPSS
Exploits1References6
RedhatCVE
RedhatCVE
added 5 days ago5 views

CVE-2026-50015

A flaw was found in pnpm. An attacker can exploit this by contributing a malicious patch file through a pull request. During the pnpm install process, the patch application pipeline fails to validate file paths extracted from these patch files. This allows the attacker to write or delete arbitrar...

7.3CVSS6.5AI score0.0027EPSS
Exploits1References4
Cvelist
Cvelist
added 5 days ago33 views

CVE-2026-43867 Apache Camel: Camel-PQC: The AWS Secrets Manager key-lifecycle manager deserializes persisted key metadata with java.io.ObjectInputStream and no ObjectInputFilter

Deserialization of Untrusted Data vulnerability in Apache Camel PQC Component. The camel-pqc component persists post-quantum key metadata KeyMetadata through pluggable KeyLifecycleManager implementations. AwsSecretsManagerKeyLifecycleManager.deserializeMetadata reads that metadata back from the...

0.00691EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 5 days ago7 views

PT-2026-55895

Name of the Vulnerable Software and Affected Versions Apache Camel versions 4.18.0 through 4.18.2 Apache Camel versions 4.19.0 through 4.20.x Description Deserialization of untrusted data in the Apache Camel PQC component occurs when HashicorpVaultKeyLifecycleManager,...

8.8CVSS6.7AI score0.00485EPSS
Exploits0References5
OSV
OSV
added last week7 views

MGASA-2026-0234 Updated yt-dlp packages fix security vulnerabilities

CVE-2026-50019 If curl is used as an external downloader for yt-dlp, cookies may be leaked to an unintended host upon HTTP redirect or when the host for download fragments differs from their parent manifest's. CVE-2026-50023 A vulnerability exists in yt-dlp that allows a remote attacker to write...

9.6CVSS6.5AI score0.00555EPSS
Exploits1References5
Tenable Nessus
Tenable Nessus
added 2026/07/02 12:0 a.m.4 views

Mozilla Firefox < 152.0.4

The version of Firefox installed on the remote macOS or Mac OS X host is prior to 152.0.4. It is, therefore, affected by a vulnerability as referenced in the mfsa2026-62 advisory. - Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we presu...

9.8CVSS6.2AI score0.00232EPSS
Exploits0References2
NVD
NVD
added 2026/06/30 11:16 p.m.4 views

CVE-2025-71371

picklescan before 0.0.29 fails to detect malicious pickle files using code.InteractiveInterpreter.runcode in reduce methods. Attackers can craft pickle payloads that bypass picklescan detection and execute arbitrary code when loaded via pickle.load...

8.1CVSS0.00499EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/25 6:2 p.m.6 views

CVE-2026-53078

A flaw was found in the Linux kernel's Berkeley Packet Filter BPF socket operations sockops program. When a BPF sockops program accesses context fields with the same destination and source registers, certain macros fail to properly clear the destination register. This can lead to a...

7.8CVSS6.2AI score0.00112EPSS
Exploits0References4
AstraLinux
AstraLinux
added 2026/06/24 3:11 p.m.6 views

Astra Linux – Vulnerability in busybox

A flaw was discovered in BusyBox. Incomplete path sanitization in its archive extraction utilities allows attackers to create malicious archives. When these archives are extracted, and under certain conditions, they may write to files outside of the intended directory. This can lead to arbitrary...

7CVSS7.6AI score0.00682EPSS
Exploits2References2
Github Security Blog
Github Security Blog
added 2026/06/23 9:21 p.m.94 views

jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation

jackson-databind's PolymorphicTypeValidator PTV is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters i.e. the type ID string contains when only java.util.ArrayList is allow-listed. The container...

8.1CVSS6.2AI score0.00617EPSS
Exploits1References4Affected Software2
NVD
NVD
added 2026/06/23 8:16 p.m.6 views

CVE-2026-54325

Pi is a minimal terminal coding harness. Pi before 0.79.0 loaded project-local configuration and resources from a repository's .pi directory without first asking the user to trust that repository. This included project-local extensions, which are executable TypeScript or JavaScript modules loaded...

4.4CVSS0.00118EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 2026/06/23 12:12 p.m.5 views

CVE-2026-56258

Crawl4AI before 0.8.8 contains an arbitrary file write vulnerability in the screenshot and PDF endpoints that allows unauthenticated attackers to write files outside the intended directory via symlink and time-of-check-time-of-use TOCTOU attacks on the outputpath parameter. Remote attackers can...

9.2CVSS6.5AI score0.00656EPSS
Exploits0References3
RedHat Linux
RedHat Linux
added 2026/06/22 3:17 a.m.9 views

firefox: thunderbird: Memory safety bugs fixed in Firefox ESR 140.12, Thunderbird ESR 140.12, Firefox 152 and Thunderbird 152

A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Memory safety bugs present in Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume...

8.1CVSS5.9AI score0.00407EPSS
Exploits0References6
Snyk
Snyk
added 2026/06/21 3:13 p.m.4 views

Deserialization of Untrusted Data

Overview picklescan is a Security scanner detecting Python Pickle files performing suspicious actions Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the cProfile.runctx function in pickle file reduce methods. An attacker can execute arbitrary code by...

8.1CVSS6.2AI score0.00338EPSS
Exploits1References2
OSV
OSV
added 2026/06/19 3:12 p.m.5 views

GHSA-VCV2-R9JH-99M5 Agentic-Flow: OS Command Injection in agentic-flow MCP server tools via unsanitized tool-parameter interpolation into execSync

Summary agentic-flow versions = 2.0.13 MCP server tools interpolated attacker-influenceable tool parameters e.g. agent, task, name, language, agentdb arguments directly into shell command strings passed to execSync. A malicious value reaching any of the affected MCP tools could break out of the...

8.8CVSS6.1AI score
Exploits0References8
Rows per page
Query Builder