6574 matches found
Froxlor < 0.10.38.2. - HTML Injection
HTML Injection in GitHub repository froxlor/froxlor prior to 0.10.38.2. id: CVE-2022-3869 info: name: Froxlor TEST" matchers-condition: and matchers: - type: word part: body words: - 'The message to ""TEST" failed' - type: word part: header words: - "text/html" - type: status status: - 200 d...
Mosparo < 1.0.2 - Open Redirect
Open Redirect in GitHub repository mosparo/mosparo prior to 1.0.2. id: CVE-2023-5375 info: name: Mosparo 1.0.2 - Open Redirect author: shankaracharya severity: medium description: | Open Redirect in GitHub repository mosparo/mosparo prior to 1.0.2. impact: | Unauthenticated attackers can exploit...
Imgproxy < 3.14.0 - Cross-site Scripting (XSS)
Cross-site Scripting XSS - Reflected in GitHub repository imgproxy/imgproxy prior to 3.14.0. id: CVE-2023-1496 info: name: Imgproxy 3.14.0 - Cross-site Scripting XSS author: pdteam severity: medium description: Cross-site Scripting XSS - Reflected in GitHub repository imgproxy/imgproxy prior to...
CVE-2026-54069
creationtimestamp| type| source ---|---|--- 2026-06-17 04:18:47+00:00| confirmed| https://github.com/projectdiscovery/nuclei-templates/tree/main/http/cves/2026/CVE-2026-54069.yaml...
MAL-2026-5697 Malicious code in web-model-bridge (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3d2c385c177531c421e5a49f41d931890a48c16c921b23cc20f2bf4cd8fae893 On npm install, postinstall.js sends an HTTPS POST to https://ddactic-lab.online/sc/beacon carrying the package name/version, Node version, OS,...
Malicious code in multica (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d7d3e4277fb571072315c7f64c269029cd53c78b3ff27ec5536d748c659fd6a2 Package is published at version 9999.99.99 with a description referencing an npm 404 in multica-ai/multica and a main module that recursively require...
MAL-2026-5397 Malicious code in create-docs-mcp (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fd4381fd77419441a2eefe6b22adef6c9f5adfe1b92be5d071abd5908fdf8647 Package is published at version 9999.99.99 — the canonical high-version override used in dependency-confusion attacks against private/internal packag...
MAL-2026-5403 Malicious code in t-invest-mcp-server (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 46c186ac158f68845fc995a94d15d44c2b65a521d2619d2850232e58f4a61419 Package is a dependency-confusion squat: package.json sets version 9999.99.99 the canonical max-version trick used to win resolution against any...
MAL-2026-4523 Malicious code in claude-channel-imessage (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9751c370c062cb40bccb874f46679ad3ca8ba9d3b49d0d8ba1f924d9582e53a3 On npm install, postinstall.js executes whoami and id, reads os.hostname, os.platform, process.cwd, and the CI, GITHUBREPOSITORY, and NODEENV...
MAL-2026-4644 Malicious code in power-platform-playwright-toolkit (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 57967d58233d74f2fc4f9b0dee7c050370eb388050df8d63f29e719f83468d73 On npm install, the package's postinstall script postinstall.js collects host identifiers and CI context — whoami, os.hostname, os.platform, cwd, CI,...
Malicious code in pewter-constants (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3c9f898fe8ed95b1d549bfff91d7c0dda0f75ada1c32a58af144940cf28b23c5 On npm install, a preinstall hook in callback.js collects os.hostname, os.userInfo.username, process.cwd, the configured npm registry...
Malicious code in dds-js-idl-types (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 68e8941c301603919022f1d67d311d576d5d5efcac7ed7cb0d3526cb71e829d6 On npm install, the package's postinstall.js runs whoami and reads os.hostname, os.platform, the current working directory, and CI-related environmen...
Malicious code in @hanssoft/baileys (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e3f83fb38a98b69c322df069a26c495101aa35682df8f83641b00e2ce40a99bd This package is a fork of the WhatsApp library Baileys whose metadata homepage, repository, author points at the upstream @whiskeysockets/baileys,...
GO-2026-4953 goshs is Missing Write Protection for Parametric Data Values in github.com/patrickhener/goshs
goshs is Missing Write Protection for Parametric Data Values in github.com/patrickhener/goshs...
CVE-2026-46372
creationtimestamp| type| source ---|---|--- 2026-05-20 08:35:00+00:00| confirmed| https://github.com/projectdiscovery/nuclei-templates/tree/main/http/cves/2026/CVE-2026-46372.yaml 2026-05-29 23:00:43+00:00| seen| https://bsky.app/profile/thehackerwire.bsky.social/post/3mmznc7rrtw23...
Astra Linux - уязвимость в grunt
The file.copy operations in GruntJS are vulnerable to a TOCTOU race condition, which can lead to arbitrary file writes in the GitHub repository gruntjs/grunt before version 1.5.3. This vulnerability allows for arbitrary file writes that can lead to local privilege escalation to the GruntJS user...
Astra Linux - уязвимость в vim
Heap-based Buffer Overflow in the GitHub repository vim/vim before version 8.2.4968...
PT-2026-42366
goshs is Missing Write Protection for Parametric Data Values in github.com/patrickhener/goshs...
PT-2026-42371
NornicDB has Improper Network Binding in its Bolt Server, allowing unauthorized remote access in github.com/orneryd/nornicdb...
CVE-2026-44334
PraisonAI is a multi-agent teams system. From version 4.5.139 to before version 4.6.32, CVE-2026-40287's fix gated tools.py auto-import behind PRAISONAIALLOWLOCALTOOLS=true in two files toolresolver.py, api/call.py. A third import sink in praisonai/templates/tooloverride.py was missed and remains...