CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSV•added 2026/05/20 3:38 p.m.•7 views

GHSA-M837-XVXR-VQWG Flowise: Hardcoded CORS wildcard on TTS endpoint enables cross-origin credential abuse from any webpage

Summary The TTS generation endpoint sets Access-Control-Allow-Origin: as a hardcoded response header, independent of the server's CORS configuration. This enables any webpage to make cross-origin requests to generate speech using stored credentials. Root Cause typescript //...

6.9CVSS5.8AI score

Exploits0References2

OSSF Malicious Packages•added 2026/05/20 2:6 p.m.•9 views

Malicious code in @bcrumbs.net/bc-chat (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d4bd9ccff2d027c9982ab41ff4b4417e62475e70aba04212794f267030f63ab0 The exported BCChat React component embeds a hardcoded Azure Blob SAS URL https://bcuserres.blob.core.windows.net/anonymous with a long-lived SAS tok...

OSV•added 2026/05/20 2:6 p.m.•6 views

MAL-2026-4367 Malicious code in @bcrumbs.net/bc-chat (npm)

OSSF Malicious Packages•added 2026/05/20 12:27 p.m.•11 views

Malicious code in naileys (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 53307e8df479525765ddef8cf9a54dcf0aa368b8ef57a088b624a5e80f72c999 naileys is a fork/lookalike of the WhatsApp library baileys single-character edit; internal references still mention 'wileys', and...

OSSF Malicious Packages•added 2026/05/20 11:37 a.m.•9 views

Malicious code in libhmac (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fccbd481dd2bd04274c5045995a08ddbcf302780c24f39eb63821d5d63a998d1 The PyPI name 'libhmac' matches the well-known libyal/libhmac C forensics library HMAC primitive, but the package contents have nothing to do with HM...

OSSF Malicious Packages•added 2026/05/20 11:18 a.m.•13 views

Exploits0References2

Malicious code in bitrix24-tasks-mcp-server (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bab6892c4cbccd8f2a92bfc67413a5c5c300a691b104e064f126805e66a3842f build/bitrix24/client.js line 6-7 declares const BITRIX24WEBHOOKURL = process.env.BITRIX24WEBHOOKURL ||...

OSSF Malicious Packages•added 2026/05/20 10:2 a.m.•7 views

Exploits0References5

Malicious code in klaudius (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f0b40ecfc7aa434ac63d620d4aaab0434dd57b0fac274bb9f5d1514e263be4a3 The package's CLI bundle dist/bin.js and an associated chunk dist/chunk-SZ4KCTSL.js contain hardcoded fetch POST calls to https://api.telegram.org, t...

OSV•added 2026/05/20 10:2 a.m.•4 views

Exploits0References6

MAL-2026-4593 Malicious code in klaudius (npm)

OSSF Malicious Packages•added 2026/05/20 9:46 a.m.•6 views

Exploits0References6

Malicious code in svharness (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3aef9a7535c16df930fdb10e5b60773f5ba2e0a8cd102d53a4cc3da122cfd473 When the documented svharness build --baseline or svharness wizard command is run, the tool's default 'tasks' wiki mode scans and bundles the caller'...

OSV•added 2026/05/20 9:46 a.m.•5 views

MAL-2026-4676 Malicious code in svharness (npm)

OSSF Malicious Packages•added 2026/05/20 8:31 a.m.•8 views

Malicious code in @semacode/cli (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 28a3662b8e26593b7bfec35d4d4f02595144885ee738891c4c9e6a89f9e50fbb The bundled CLI dist/index.js contains a hardcoded outbound POST to https://sema.otimitare.online combined with reads of process.env and...

OSV•added 2026/05/20 8:31 a.m.•8 views

MAL-2026-4434 Malicious code in @semacode/cli (npm)

OSV•added 2026/05/20 8:20 a.m.•7 views

MAL-2026-4500 Malicious code in bricks-builder-mcp (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7ad643457c1104b8f118971a9ee95702f2126a16f33a4ec9dfd8ed21c43fc1eb bricks-builder-mcp is a Model Context Protocol server exposing WordPress/Bricks Builder editing tools page JSON edits, media uploads, custom CSS/JS...

OSSF Malicious Packages•added 2026/05/20 8:20 a.m.•8 views

Exploits0References4

Malicious code in bricks-builder-mcp (npm)

OSSF Malicious Packages•added 2026/05/20 7:54 a.m.•7 views

Exploits0References4

Malicious code in use-context-selector-tony (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6dde262b1fecc08fe5853c4ec7ada6c3c3746a6e7afb5bd18c33d5adfa03843c This package is a name-squat of the popular use-context-selector library and ships a postinstall script dist/postinstall.js / src/postinstall.js that...

AstraLinux•added 2026/05/20 5:53 a.m.•5 views

Astra Linux - уязвимость в cloud-init

When a non-x86 platform is detected, cloud-init grants root access to a hardcoded URL with a local IP address. To prevent this, cloud-init’s default configurations disable platform enumeration...

8.8CVSS5.4AI score0.00205EPSS

Exploits0References2

OSSF Malicious Packages•added 2026/05/20 5:38 a.m.•10 views

Malicious code in promptbook-cli (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f428561fb8f2d776b815262884ea9cb4fd1f39f616adbd0716ce64377d44ca38 dist/api.js contains a hardcoded outbound fetch to https://promts.newtechcompany.ru that carries data derived from process.env. The destination is an...

OSV•added 2026/05/20 5:38 a.m.•9 views

MAL-2026-4648 Malicious code in promptbook-cli (npm)

OSSF Malicious Packages•added 2026/05/20 5:31 a.m.•6 views

Malicious code in promptbook-mcp (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1223e123a8bd5b550647d800b438b2c5a78f3e10c9d1ab7a6a7cdbd8be465b90 dist/api.js contains a hardcoded URL https://promts.newtechcompany.ru referenced alongside process.env reads and a fetch call at line 44. The package...