CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

RedhatCVE•added 2026/05/26 8:14 p.m.•6 views

CVE-2026-33137

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform is a generic wiki platform. In versions starting with 15.10.6 and prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/wikiName API executes a XAR import without...

9.3CVSS5.7AI score0.00016EPSS

Exploits1References1

Github Security Blog•added 2026/05/26 6:58 p.m.•10 views

XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName}

Impact POST /wikis/wikiName executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki Patches This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and...

9.3CVSS5.8AI score0.00016EPSS

Exploits1References5Affected Software1

OSV•added 2026/05/26 6:58 p.m.•7 views

GHSA-QRVH-R3F2-9H4R XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName}

9.3CVSS5.8AI score0.00016EPSS

Exploits1References5

OSSF Malicious Packages•added 2026/05/26 3:9 p.m.•15 views

Malicious code in cdktn-provider-datadog (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 29ce930466b101c48ae641d7e4ad57f3d5169b9f14b1e041e4264e75cbfd965b Package name cdktn-provider-datadog is a single-character variant f→n of HashiCorp's widely-used cdktf-provider-datadog CDKTF provider. README and...

5.9AI score

OSV•added 2026/05/26 9:37 a.m.•2 views

MAL-2026-4813 Malicious code in noteparse (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 270d4c797fe34bc0b9598608f45add8721f1fa80d1488e4fae750e3a7b38419e noteparse 1.1.27 ships live MinIO credentials in configReader.py endpoint uicfile.uniview.com, accesskey 'uicpro', secretkey 'uicpropass123' that are...

OSSF Malicious Packages•added 2026/05/26 9:37 a.m.•8 views

Malicious code in noteparse (PyPI)

OSSF Malicious Packages•added 2026/05/26 8:46 a.m.•11 views

Malicious code in react-json-chalk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c3411327be0927b7a726464d2bd9a590ff4ca61bc08e9170e4c0e482dc18dac2 On require'react-json-chalk', lib/writer.js executes top-level code that attempts require'modustack'; if not resolvable, it shells out to npm install...

OSV•added 2026/05/26 8:46 a.m.•5 views

MAL-2026-4792 Malicious code in react-json-chalk (npm)

OSV•added 2026/05/26 7:16 a.m.•4 views

MAL-2026-4785 Malicious code in test-nonmal-pkg-5 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1f52d81c9285fd103cfe5f8dc724c173c1b4e57e96cd56313cec119fbbbc9982 index.js is hex-name-obfuscated 0x-style string array and, on require, enumerates the entire process.env via Object.keysprocess.env into a snapshot...

OSSF Malicious Packages•added 2026/05/26 7:16 a.m.•13 views

Malicious code in test-nonmal-pkg-5 (npm)

Amazon•added 2026/05/26 12:0 a.m.•12 views

Important: python-pip

Issue Overview: pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update...

5.3CVSS5.8AI score0.00017EPSS

Exploits0

Positive Technologies•added 2026/05/26 12:0 a.m.•7 views

PT-2026-43405

MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.1, SSRF via work flow template Import. Authenticated users can supply arbitrary URLs in work flow template.downloadUrl which are fetched server-side without any URL validation or internal IP filtering. This vulnerability is fixed i...

6.3CVSS5.9AI score0.00043EPSS

GithubExploit•added 2026/05/25 6:10 p.m.•78 views

Exploit for CVE-2026-33137

CVE-2026-33137 XWiki Platform - Unauthenticated XAR Import...

9.3CVSS6AI score0.00016EPSS

Exploits1

OSSF Malicious Packages•added 2026/05/25 3:26 p.m.•11 views

Malicious code in jsontoken-extend (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 59a8a8ab722d33bdd2ea25422aaf7e607a1b1a881446c3561ec8225fb9187742 On require/import of jsontoken-extend, sign.js executes a top-level IIFE that base64-decodes a hardcoded string to https://www.jsonkeeper.com/b/XAMRK...

6.5AI score

OSV•added 2026/05/25 3:26 p.m.•3 views

MAL-2026-4592 Malicious code in jsontoken-extend (npm)

6.5AI score

RedhatCVE•added 2026/05/25 11:24 a.m.•15 views

CVE-2026-42046

A flaw was found in libcaca, a colour ASCII art library. An integer overflow vulnerability in the canvas import functionality allows an attacker to cause a controlled heap out-of-bounds write by supplying a specially crafted file in the "caca" format. This heap overflow can lead to memory...

7.8CVSS6.1AI score0.00086EPSS

Patchstack•added 2026/05/25 7:28 a.m.•7 views

WordPress LJ comments import: reloaded plugin <= 0.97.1 - Reflected Cross-Site Scripting vulnerability

Reflected Cross-Site Scripting vulnerability discovered by Abdulsamad Yusuf 0xVenus - Envorasec in WordPress Plugin LJ comments import: reloaded versions = 0.97.1...

6.1CVSS5.8AI score0.00089EPSS

Exploits0References1Affected Software1

OSSF Malicious Packages•added 2026/05/25 1:25 a.m.•12 views

Malicious code in pylogkt (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector aa1c9e5bf0ffd994f076a4a76395b5bcccd2716229439910912bd49aaf52f903 The package masquerades as a logging utility but every call to its logging API log.info/debug/etc triggers Logger.log, which on macOS hosts paths...

6.3AI score

OSV•added 2026/05/25 1:25 a.m.•7 views

MAL-2026-4291 Malicious code in pylogkt (PyPI)

6.3AI score