Lucene search
K

5492 matches found

Nuclei
Nuclei
added 13 hours ago98 views

Express-handlebars - Local File Inclusion

Express-handlebars is susceptible to local file inclusion because it mixes pure template data with engine configuration options through the Express render API. More specifically, the layout parameter may trigger file disclosure vulnerabilities in downstream applications. This potential...

8.6CVSS7AI score0.17988EPSS
Exploits1
Nuclei
Nuclei
added yesterday216 views

mongo-express Remote Code Execution

mongo-express before 0.54.0 is vulnerable to remote code execution via endpoints that uses the toBSON method and misuse the vm dependency to perform exec commands in a non-safe environment. id: CVE-2019-10758 info: name: mongo-express Remote Code Execution author: princechaddha severity: critical...

9.9CVSS7.4AI score0.84845EPSS
Exploits3References5
Nuclei
Nuclei
added yesterday247 views

Wordpress Email Subscribers by Icegram Express - SQL Injection

The Email Subscribers by Icegram Express - Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'run' function of the 'IGESSubscribersQuery' class in all versions up to, and including, 5.7.14 due to insufficient escaping ...

9.8CVSS7.1AI score0.80596EPSS
Exploits4References2
Nuclei
Nuclei
added yesterday17 views

Mitel MiCollab - Information Disclosure & Denial of Service

Mitel MiCollab before 9.4 SP1 FP1 and MiVoice Business Express through 8.1 contain a vulnerability in the TP-240 component caused by improper handling, letting remote attackers obtain sensitive information and cause denial of service, exploit requires remote access. id: CVE-2022-26143 info: name:...

9.8CVSS7.1AI score0.87565EPSS
Exploits1References1
Nuclei
Nuclei
added yesterday193 views

Mongo-Express - Remote Code Execution

Mongo-Express before 1.0.0 is susceptible to remote code execution because it uses safer-eval to validate user supplied javascript. Unfortunately safer-eval sandboxing capabilities are easily bypassed leading to remote code execution in the context of the node server. id: CVE-2020-24391 info: nam...

9.8CVSS7.4AI score0.74519EPSS
Exploits0References5
NVD
NVD
added 5 days ago7 views

CVE-2026-59148

Mockoon provides way to design and run mock APIs. Prior to 9.7.0, Mockoon's admin API in commons-server/src/libs/server/admin-api.ts is mounted on the same Express listener as user-defined mock routes, enabled by default in shipped runtimes, serves Access-Control-Allow-Origin: with write methods...

8.8CVSS0.00173EPSS
Exploits0References5
OSSF Malicious Packages
OSSF Malicious Packages
added 5 days ago8 views

Malicious code in express-router-engine (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 49091d8e8923e3e709cebd14f01ee1617267bf3f9b6be99052603715b7cf9f70 The sole shipped file index.js is a heavily obfuscated RC4 + base64 string-array, 337-entry rotated array, control-flow flattening IIFE that executes...

6.1AI score
Exploits0References4
OSSF Malicious Packages
OSSF Malicious Packages
added 6 days ago17 views

Malicious code in tslint-conf (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 31b464b1646f8e2d36ce68a86af599cc49d5381f08af70302ff01f42957234a1 The package presents itself as the pino logger README, index.d.ts, docs/, and lib/ files all reference pinojs/pino but is published under the unrelat...

6.2AI score
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/07/07 6:27 a.m.7 views

Malicious code in express-deflect (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 284d3f4c5f55f69391b1172ba9d2c714e3ae358a2c92a501049a1495547e1588 The package was found to contain malicious code or consuming dependency that contains malicious code Source: ghsa-malware...

5.9AI score
Exploits0References3
OSV
OSV
added 2026/07/07 6:27 a.m.3 views

MAL-2026-6908 Malicious code in express-deflect (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 284d3f4c5f55f69391b1172ba9d2c714e3ae358a2c92a501049a1495547e1588 The package was found to contain malicious code or consuming dependency that contains malicious code Source: ghsa-malware...

6.1AI score
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/07/07 12:0 a.m.6 views

Malicious code in express-mongo-limit (npm)

The npm package express-mongo-limit masquerades as an Express/MongoDB payload sanitization middleware likely typosquatting express-mongo-sanitize but is a credential stealer, remote-code-execution backdoor, crypto clipboard hijacker, and screenshot spyware. It declares a postinstall: node index.j...

6.2AI score
Exploits0References8
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/07/06 6:53 p.m.8 views

Malicious code in express-guardrail (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 40e91ddac990897c8c43891c5abf64696a0e9d9d4b168e7a6e5f4a827e4f040d Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

5.9AI score
Exploits0References1
OSV
OSV
added 2026/07/06 6:53 p.m.6 views

MAL-2026-6821 Malicious code in express-guardrail (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 40e91ddac990897c8c43891c5abf64696a0e9d9d4b168e7a6e5f4a827e4f040d Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

5.9AI score
Exploits0References1
OSV
OSV
added 2026/07/02 3:24 p.m.10 views

USN-8492-2 linux-aws-6.8, linux-gcp-6.8, linux-gke, linux-gkeop, linux-ibm-6.8, linux-nvidia-lowlatency, linux-oracle-6.8 vulnerabilities

Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - ARM64 architecture; - MIPS architecture; - PowerPC architecture; - x86 architecture; - Block layer subsystem; -...

9.8CVSS6.4AI score0.00686EPSS
Exploits4References300
CVE
CVE
added 2026/07/02 11:15 a.m.16 views

CVE-2026-57352

CVE-2026-57352 concerns the WordPress plugin ALD – Dropshipping and Fulfillment for AliExpress and WooCommerce (

4.8CVSS5.8AI score0.0021EPSS
Exploits0References1
EUVD
EUVD
added 2026/07/01 12:34 a.m.7 views

EUVD-2026-40433

Flowise before 3.1.0 affected versions 3.0.13 and earlier uses a weak hardcoded default secret 'flowise' for the express-session middleware when the EXPRESSSESSIONSECRET environment variable is not set packages/server/src/enterprise/middleware/passport/index.ts. Because this default secret is...

9.3CVSS5.8AI score0.0036EPSS
Exploits0References3
NVD
NVD
added 2026/06/30 11:17 p.m.7 views

CVE-2026-56278

Flowise before 3.1.0 affected versions 3.0.13 and earlier uses a weak hardcoded default secret 'flowise' for the express-session middleware when the EXPRESSSESSIONSECRET environment variable is not set packages/server/src/enterprise/middleware/passport/index.ts. Because this default secret is...

9.3CVSS0.0036EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/30 10:8 p.m.30 views

CVE-2026-56278 Flowise - Session Hijacking via Weak Default Express Session Secret

Flowise before 3.1.0 affected versions 3.0.13 and earlier uses a weak hardcoded default secret 'flowise' for the express-session middleware when the EXPRESSSESSIONSECRET environment variable is not set packages/server/src/enterprise/middleware/passport/index.ts. Because this default secret is...

9.3CVSS0.0036EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/30 10:8 p.m.7 views

CVE-2026-56278

Flowise before 3.1.0 affected versions 3.0.13 and earlier uses a weak hardcoded default secret 'flowise' for the express-session middleware when the EXPRESSSESSIONSECRET environment variable is not set packages/server/src/enterprise/middleware/passport/index.ts. Because this default secret is...

9.3CVSS5.8AI score0.0036EPSS
Exploits0References3
CVE
CVE
added 2026/06/30 10:8 p.m.17 views

CVE-2026-56278

Flowise before 3.1.0 (affected: 3.0.13 and earlier) uses a weak hardcoded default session secret ('flowise') for express-session when EXPRESS_SESSION_SECRET is not set (packages/server/src/enterprise/middleware/passport/index.ts). Because the secret is publicly visible in the source, an attacker ...

9.3CVSS5.8AI score0.0036EPSS
Exploits0References2Affected Software1
Rows per page
Query Builder