CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSSF Malicious Packages•added 2026/05/28 12:0 a.m.•14 views

Malicious code in @cloudplatform-single-spa/svp-tags (npm)

Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...

OSV•added 2026/05/28 12:0 a.m.•7 views

MAL-2026-4885 Malicious code in @cloudplatform-single-spa/aifactory-notebooks (npm)

OSV•added 2026/05/28 12:0 a.m.•12 views

MAL-2026-4965 Malicious code in @cloudplatform-single-spa/search (npm)

OSV•added 2026/05/28 12:0 a.m.•14 views

MAL-2026-4971 Malicious code in @cloudplatform-single-spa/solutions (npm)

OSSF Malicious Packages•added 2026/05/23 9:34 a.m.•12 views

Malicious code in ask-my-llm (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9429d8e8e36f3d97c246ce408491ea570ab5d3f5e7cb2481a3c2ea4b7c8477b8 index.js requires childprocess and contains hardcoded POST calls to https://cows.info.gf at lines 67 and 100, alongside references to process.env at...

OSV•added 2026/05/23 9:34 a.m.•5 views

Exploits0References3

MAL-2026-4484 Malicious code in ask-my-llm (npm)

Positive Technologies•added 2026/05/19 12:0 a.m.•11 views

Exploits0References3

PT-2026-42047

Name of the Vulnerable Software and Affected Versions @beproduct/nestjs-auth versions 0.1.2 through 0.1.19 Description An attacker used a compromised npm publish token to distribute malicious versions of the package containing payloads from the Mini Shai-Hulud npm supply-chain worm campaign. The...

10CVSS5.8AI score0.0007EPSS

Exploits0References9

OSSF Malicious Packages•added 2026/05/14 7:25 p.m.•8 views

Malicious code in joi-pack (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5ca38e3574ffcb0fabb105616e28108137c8256e2c70aeede59623bca5df496a The package declares a postinstall hook "postinstall": "node postinstall.js" in package.json that runs unconditionally on npm install. The script's o...

OSV•added 2026/05/14 7:24 p.m.•6 views

Exploits0References3

MAL-2026-3758 Malicious code in dotenvv-tool (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 79fd33c6e511ab11f10b1dae91e2f083f486dd020bbf2dca5256eabc904f61b7 Package name dotenvv-tool impersonates the popular dotenv package; index.js is an admitted dummy stub "The real payload is in postinstall.js". The...

OSV•added 2026/05/07 12:0 a.m.•4 views

Exploits0References5

MAL-2026-3644 Malicious code in camelotlabs-worker (npm)

Five packages camelotlabs-sdk, camelotlabs-core, camelotlabs-config, camelotlabs-worker, and camelotlabs-utils were published to the public npm registry at version 99.0.0 by the actor madman0619 as a dependency confusion attack targeting the internal npm packages of Camelot Labs. The inflated...

5.9AI score

Exploits0

Snyk•added 2025/09/23 10:0 p.m.•5 views

Malicious Package

Overview asyncprintln is a malicious package. Two malicious Rust crates, fasterlog impersonates the legitimate fastlog library and asyncprintln attempt to scan source files for Quoted Ethereum private keys 0x + 64 hex, Solana-style Base58 secrets and Bracketed byte arrays to later exfiltrate...

9.3CVSS7.1AI score

Exploits0References2

OSV•added 2024/08/26 7:15 a.m.•4 views

CVE-2024-45256

An arbitrary file write issue in the exfiltration endpoint in BYOB Build Your Own Botnet 2.0 allows attackers to overwrite SQLite databases and bypass authentication via an unauthenticated HTTP request with a crafted parameter. This occurs in fileadd in api/files/routes.py...

9.8CVSS5.9AI score0.05635EPSS

NVD•added 2024/08/26 7:15 a.m.•38 views

CVE-2024-45256

9.8CVSS0.05635EPSS

Vulnrichment•added 2024/08/26 12:0 a.m.•27 views

CVE-2024-45256

7.6AI score0.05635EPSS

CVE•added 2024/08/26 12:0 a.m.•134 views

CVE-2024-45256

CVE-2024-45256 affects BYOB (Build Your Own Botnet) 2.0. The issue is an arbitrary file write in the exfiltration endpoint (file_add in api/files/routes.py) that lets unauthenticated attackers overwrite SQLite databases and bypass authentication via a crafted HTTP parameter. Several sources confi...

9.8CVSS7.6AI score0.05635EPSS