Lucene search
K

48 matches found

OSSF Malicious Packages
OSSF Malicious Packages
added 3 days ago6 views

Malicious code in rebrandly-domains-search-client (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7d4464320c8530d582d35f85ce95045182d82e1dd63a830644bcb68f05bdf10e Package [email protected] is an empty module index.js exports an empty object whose package.json preinstall hook runs node...

5.8AI score
Exploits0References2
EUVD
EUVD
added 2026/06/09 3:51 a.m.13 views

EUVD-2026-35343

Due to incorrect host parsing, applications that rely on UriComponentsBuilder to parse and validate an externally provided URL string may be exposed to a server-side request forgery SSRF attack. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18...

4.2CVSS5.5AI score0.00123EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/09 12:0 a.m.12 views

PT-2026-47827

A vulnerability in which an attacker can provide a crafted external URL that may redirect a user to an unintended website...

4.8CVSS5.5AI score0.0021EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/09 12:0 a.m.16 views

PT-2026-47679

Name of the Vulnerable Software and Affected Versions FastPicker versions prior to 1.0.3 Description The FastPicker plugin for WordPress is subject to Cross-Site Request Forgery. This occurs because the settingsPage function lacks proper nonce validation, which is a unique token used to verify th...

4.3CVSS5.3AI score0.00124EPSS
Exploits0References8
ATTACKERKB
ATTACKERKB
added 2026/05/28 9:27 a.m.9 views

CVE-2026-9813

FlowIntel up to version 3.3.0 contains a server-side request forgery SSRF vulnerability in the external reference URL probe functionality in app/case/task.py. An attacker who can submit an external reference URL can cause the application server to issue an HTTP HEAD request to an attacker-specifi...

6.2CVSS5.8AI score0.00232EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/05/11 12:0 a.m.12 views

genie 安全漏洞

Genie is a CLI tool developed by Automagik that automatically converts sentence-based requests into complete pull requests. Version 2.5.27 of Genie has a security vulnerability. This vulnerability stems from command injection in the viewtask parameter of the readTranscriptFromCommit function, whi...

8.1CVSS6.1AI score0.01008EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/07 12:0 a.m.17 views

PT-2026-38382

Name of the Vulnerable Software and Affected Versions Gotenberg versions 8.31.0 and earlier Description A Server-Side Request Forgery SSRF issue exists in the LibreOffice conversion endpoint "/forms/libreoffice/convert". While some SSRF hardening is present in the Go code, the application passes...

8.2CVSS5.8AI score0.00245EPSS
Exploits1References8
RedhatCVE
RedhatCVE
added 2026/03/26 3:7 p.m.3 views

CVE-2026-31878

Frappe is a full-stack web application framework. Prior to 14.100.1, 15.100.0, and 16.6.0, a malicious user could send a crafted request to an endpoint which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in 14.100.1, 15.100.0, and 16.6...

5CVSS5.8AI score0.00184EPSS
Exploits0References1
Snyk
Snyk
added 2026/03/12 4:23 p.m.6 views

Malicious Package

Overview require-in-package is a malicious package. This package was recognized as part of the 'PhantomRaven' supply chain campaign, which involves credential-stealing malware. The package impersonates well-known ecosystem plugins to deceive developers into installing it. Malicious Behavior The...

9.8CVSS5.9AI score
Exploits0References3
Snyk
Snyk
added 2026/03/12 4:23 p.m.6 views

Malicious Package

Overview babel-compile-templates is a malicious package. This package was recognized as part of the 'PhantomRaven' supply chain campaign, which involves credential-stealing malware. The package impersonates well-known ecosystem plugins to deceive developers into installing it. Malicious Behavior...

9.8CVSS5.9AI score
Exploits0References3
OSV
OSV
added 2026/03/04 8:55 p.m.3 views

GHSA-JVXV-2JJP-JXC3 Lemmy has unauthenticated SSRF via file_type query parameter injection in image endpoint

Summary The GET /api/v4/image/filename endpoint is vulnerable to unauthenticated SSRF through parameter injection in the filetype query parameter. An attacker can inject arbitrary query parameters into the internal request to pict-rs, including the proxy parameter which causes pict-rs to fetch...

8.7CVSS6.1AI score0.00272EPSS
Exploits0References4
OSV
OSV
added 2026/01/23 5:16 a.m.1 views

UBUNTU-CVE-2025-3839

A flaw was found in Epiphany, a tool that allows websites to open external URL handler applications with minimal user interaction. This design can be misused to exploit vulnerabilities within those handlers, making them appear remotely exploitable. The browser fails to properly warn or gate this...

8CVSS6.2AI score0.00381EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/01/07 11:10 p.m.31 views

CVE-2019-25290 INIM Electronics Smartliving SmartLAN/G/SI <=6.x Unauthenticated SSRF via GetImage

Smartliving SmartLAN/G/SI =6.x contains an unauthenticated server-side request forgery vulnerability in the GetImage functionality through the 'host' parameter. Attackers can exploit the onvif.cgi endpoint by specifying external domains to bypass firewalls and perform network enumeration through...

6.9CVSS0.00322EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2025/12/17 6:2 p.m.4 views

CVE-2023-53899

PodcastGenerator 3.2.9 contains a blind server-side request forgery vulnerability that allows attackers to inject XML in the episode upload form. Attackers can manipulate the 'shortdesc' parameter to trigger external HTTP requests to arbitrary endpoints during podcast episode creation...

9.8CVSS7.2AI score0.0049EPSS
Exploits1References1
Github Security Blog
Github Security Blog
added 2025/10/29 3:31 p.m.10 views

Jenkins Nexus Task Runner Plugin vulnerable to cross-site request forgery

Jenkins Nexus Task Runner Plugin 0.9.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password. Additionally, this endpoint does not require POST...

4.3CVSS6.7AI score0.0019EPSS
Exploits0References4Affected Software1
CNNVD
CNNVD
added 2025/10/06 12:0 a.m.9 views

langchain-text-splitters 代码问题漏洞

langchain-text-splitters is a Python package open-sourced by LangChain. A code issue vulnerability exists in langchain-text-splitters version 0.3.8, which stems from the HTMLSectionSplitter class allowing the use of arbitrary XSLT stylesheets, which could lead to an XML External Entity Attack,...

7.5CVSS7.4AI score0.00612EPSS
Exploits0References2
EUVD
EUVD
added 2025/10/03 8:7 p.m.5 views

EUVD-2025-24672

Malicious code in bioql PyPI...

8.3CVSS6.6AI score0.00359EPSS
Exploits0References1
EUVD
EUVD
added 2025/10/03 8:7 p.m.30 views

EUVD-2025-28214

Malicious code in bioql PyPI...

3.5CVSS6.3AI score0.00214EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2025/08/22 5:29 a.m.14 views

CVE-2025-54551

Synapse Mobility 8.0, 8.0.1, 8.0.2, 8.1, and 8.1.1 contain a privilege escalation vulnerability through external control of Web parameter. If exploited, a user of the product may escalate the privilege and access data that the user do not have permission to view by altering the parameters of the...

5.3CVSS7.7AI score0.0023EPSS
Exploits0References1
Cvelist
Cvelist
added 2025/08/20 4:57 a.m.7 views

CVE-2025-54551

Synapse Mobility 8.0, 8.0.1, 8.0.2, 8.1, and 8.1.1 contain a privilege escalation vulnerability through external control of Web parameter. If exploited, a user of the product may escalate the privilege and access data that the user do not have permission to view by altering the parameters of the...

5.3CVSS0.0023EPSS
Exploits0References2
Rows per page
Query Builder