CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Hacker One•added 2026/04/18 11:22 p.m.•7 views

curl: Use-after-free in `curl_easy_ssls_export()` during callback re-entrancy

Summary: curleasysslsexport iterates the SSL session list and invokes a caller-provided callback for each entry. If that callback calls curleasysslsimport on the same easy handle, the import path can evict and free the current session node while the export loop still holds it. The subsequent...

5.5AI score

OSSF Malicious Packages•added 2026/04/18 10:47 p.m.•3 views

Malicious code in mylib-utils (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 8cc746751844570c4d9de0acc1fc4aba45c1316434c664fc70711749720f88f1 During import, a remote executable is automatically started. During analysis, the executable only showed a basic message. It's likely experimenting with...

6AI score

OSV•added 2026/04/18 10:47 p.m.•4 views

MAL-2026-2860 Malicious code in mylib-utils (PyPI)

6AI score

NVD•added 2026/04/17 10:16 p.m.•2 views

CVE-2026-40258

The Gramps Web API is a Python REST API for the genealogical research software Gramps. Versions 1.6.0 through 3.11.0 have a path traversal vulnerability Zip Slip in the media archive import feature. An authenticated user with owner-level privileges can craft a malicious ZIP file with...

9.1CVSS0.00074EPSS

NVD•added 2026/04/17 9:16 p.m.•0 views

CVE-2026-40301

DOMSanitizer is a DOM/SVG/MathML Sanitizer for PHP 7.3+. Prior to version 1.0.10, DOMSanitizer::sanitize allows elements in SVG content but never inspects their text content. CSS url references and @import rules pass through unfiltered, causing the browser to issue HTTP requests to...

4.7CVSS0.00034EPSS

ATTACKERKB•added 2026/04/17 9:12 p.m.•1 views

CVE-2026-40258

9.1CVSS5.9AI score0.00074EPSS

Exploits0References4Affected Software1

Cvelist•added 2026/04/17 9:12 p.m.•21 views

CVE-2026-40258 Gramps Web API has Zip Slip Path Traversal in Media Archive Import

9.1CVSS0.00074EPSS

CVE•added 2026/04/17 9:12 p.m.•6 views

CVE-2026-40258

CVE-2026-40258 affects Gramps Web API (gramps-webapi). Versions 1.6.0–3.11.0 contain a Zip Slip path traversal vulnerability in the media archive import feature. An authenticated user with owner-level privileges can craft a ZIP with directory-traversal filenames to write arbitrary files outside t...

9.1CVSS5.9AI score0.00074EPSS

Vulnrichment•added 2026/04/17 8:51 p.m.•1 views

CVE-2026-40301 rhukster/dom-sanitizer: SVG <style> tag allows CSS injection via unfiltered url() and @import directives

4.7CVSS5.7AI score0.00034EPSS

Cvelist•added 2026/04/17 8:51 p.m.•16 views

CVE-2026-40301 rhukster/dom-sanitizer: SVG <style> tag allows CSS injection via unfiltered url() and @import directives

4.7CVSS0.00034EPSS

CVE•added 2026/04/17 8:51 p.m.•5 views

CVE-2026-40301

Summary of CVE-2026-40301 : The PHP library rhukster/dom-sanitizer (and related advisories) contains a flaw prior to version 1.0.10 where DOMSanitizer::sanitize() does not inspect the text content of elements inside SVG. As a result, CSS rules using url() and @import can reference attacker-contr...

4.7CVSS5.7AI score0.00034EPSS

EUVD•added 2026/04/17 6:31 a.m.•1 views

EUVD-2026-23358

The Kubio plugin for WordPress is vulnerable to Arbitrary File Upload in versions up to and including 2.7.2. This is due to insufficient capability checks in the kubiorestpreinsertimportassets function, which is hooked to the restpreinsertposttype filter for posts, pages, templates, and template...

5.3CVSS5.7AI score0.00018EPSS

Exploits0References9

CNNVD•added 2026/04/17 12:0 a.m.•5 views

Gramps Web API 安全漏洞

Gramps Web API is a backend API for genealogy data querying and management, open-sourced by the Gramps Project. Versions of Gramps Web API from 1.6.0 to 3.11.0 contained security vulnerabilities. These vulnerabilities were caused by path traversal in the media archive import function, which could...

9.1CVSS5.9AI score0.00074EPSS

Tenable Nessus•added 2026/04/17 12:0 a.m.•3 views

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007296)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007296 advisory. In the Linux kernel, the following vulnerability has been resolved: SUNRPC: fix a memleak in gssimportv2context The ctx-mechused.data allocated by kmemdup is not fre...

5.5CVSS6.4AI score0.00009EPSS

Exploits0References4

OSV•added 2026/04/16 10:9 a.m.•1 views

MAL-2026-2790 Malicious code in package-with-import-assertions (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 607b154dcfd87f209bf01efe33fdd864fe77432b9c7a246b4520d137236afe1c The package package-with-import-assertions was found to contain malicious code...

5.7AI score

OSSF Malicious Packages•added 2026/04/16 10:9 a.m.•2 views

Malicious code in package-with-import-assertions (npm)

5.7AI score

OSV•added 2026/04/15 10:5 p.m.•4 views

MAL-2026-2899 Malicious code in chai-use-chains (npm)

chai-use-chains is a malicious npm package that when imported downloads a C2 dropper from https://jsonkeeper.com/b/FAWPU and executes it similar to malware in to chai-await-test. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector...

5.7AI score

Exploits0References1

OSV•added 2026/04/15 10:5 p.m.•1 views

MAL-2026-2893 Malicious code in chai-as-mobj (npm)

chai-as-mobj is a malicious npm package that when imported downloads a C2 dropper from https://api.npoint.io/31bccfbf4ee2732207a4 and executes it similar to malware in to chai-await-test. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector...

5.5AI score