Lucene search
+L

10353 matches found

OSSF Malicious Packages
OSSF Malicious Packages
added 2026/07/10 4:15 p.m.16 views

Malicious code in theta-sdk-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6967c021e95228b33b18be4489fea5d404720cbd21beb53dac8bf7ea4f4d54d1 [email protected] ships src/decrypt.js and src/providers/BaseProvider.js which together implement a hidden execution channel. On module load,...

6.2AI score
Exploits0References5
CVE
CVE
added 2026/07/10 3:28 p.m.16 views

CVE-2026-55500

CVE-2026-55500 (9router) exposes a critical flaw in the /api/settings/database endpoint. The GET export returns the entire database, including plaintext API keys, OAuth tokens, and provider credentials, while POST can wipe-and-replace the database with attacker-controlled data. This bypasses auth...

9.9CVSS6.1AI score0.00685EPSS
Exploits0References3
EUVD
EUVD
added 2026/07/10 3:5 p.m.8 views

EUVD-2026-42924

MaxKB is an open-source AI assistant for enterprise. Prior to 2.10.0-lts, MaxKB tool import functionality in apps/tools/serializers/tool.py and MCP referencing mode in apps/application/chatpipeline/step/chatstep/impl/basechatstep.py do not consistently validate MCP transport type, allowing an...

8.8CVSS6.2AI score0.00384EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/07/10 3:5 p.m.30 views

CVE-2026-54149 MaxKB MCP tool import validation bypass allows post-authentication remote code execution

MaxKB is an open-source AI assistant for enterprise. Prior to 2.10.0-lts, MaxKB tool import functionality in apps/tools/serializers/tool.py and MCP referencing mode in apps/application/chatpipeline/step/chatstep/impl/basechatstep.py do not consistently validate MCP transport type, allowing an...

8.8CVSS0.00384EPSS
Exploits0References2
CVE
CVE
added 2026/07/10 3:5 p.m.13 views

CVE-2026-54149

MaxKB is affected by CVE-2026-54149 prior to version 2.10.0-lts. The vulnerability resides in tool import validation (apps/tools/serializers/tool.py) and MCP referencing mode (apps/application/chat_pipeline/step/chat_step/impl/base_chat_step.py), where MCP transport type is not consistently valid...

8.8CVSS6.2AI score0.00384EPSS
Exploits0References2
OSV
OSV
added 2026/07/10 3:5 p.m.4 views

CVE-2026-54149 MaxKB MCP tool import validation bypass allows post-authentication remote code execution

MaxKB is an open-source AI assistant for enterprise. Prior to 2.10.0-lts, MaxKB tool import functionality in apps/tools/serializers/tool.py and MCP referencing mode in apps/application/chatpipeline/step/chatstep/impl/basechatstep.py do not consistently validate MCP transport type, allowing an...

8.8CVSS6.2AI score0.00384EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/07/10 1:58 p.m.3 views

CVE-2026-61437

PraisonAI pip package praisonaiagents before 1.6.78 contains an unsafe dynamic module loading vulnerability in AgentFlow.resolvepydanticclass src/praisonai-agents/praisonaiagents/workflows/workflows.py. When a workflow step uses a string outputpydantic reference, the framework locates and imports...

8.5CVSS6.3AI score0.00129EPSS
Exploits0References3
CVE
CVE
added 2026/07/10 1:58 p.m.9 views

CVE-2026-61437

CVE-2026-61437 : PraisonAI (pip package praisonaiagents) prior to 1.6.78 contains an unsafe dynamic module loading vulnerability in AgentFlow.resolve_pydantic_class. When a workflow step uses a string output_pydantic reference, the framework imports a sibling tools.py from the workflow directory ...

8.5CVSS6.3AI score0.00129EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/07/10 8:30 a.m.36 views

CVE-2026-15026 Import and export users and customers <= 2.4.0 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via email_template_selected AJAX Action

The Import and export users and customers plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4.0 via the emailtemplateselected. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract the...

4.3CVSS0.00223EPSS
Exploits0References8
CVE
CVE
added 2026/07/10 8:30 a.m.11 views

CVE-2026-15026

The CVE concerns the WordPress plugin “Import and export users and customers” (versions

4.3CVSS6.2AI score0.00223EPSS
Exploits0References8
NVD
NVD
added 2026/07/10 4:17 a.m.6 views

CVE-2026-13430

The Post Export Import with Media plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.13.1 via the importmediafilesecure function. This is due to insufficient file extension validation caused by a trailing-dot filename bypass, where the extension...

7.2CVSS0.00615EPSS
Exploits0References7
Cvelist
Cvelist
added 2026/07/10 3:31 a.m.36 views

CVE-2026-13430 Post Export Import with Media <= 1.13.1 - Authenticated (Administrator+) Arbitrary File Upload via Trailing-Dot Filename Bypass in ZIP Media Import

The Post Export Import with Media plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.13.1 via the importmediafilesecure function. This is due to insufficient file extension validation caused by a trailing-dot filename bypass, where the extension...

7.2CVSS0.00615EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 2026/07/10 3:31 a.m.6 views

CVE-2026-13430

The Post Export Import with Media plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.13.1 via the importmediafilesecure function. This is due to insufficient file extension validation caused by a trailing-dot filename bypass, where the extension...

7.2CVSS6.6AI score0.00615EPSS
Exploits0References8
CVE
CVE
added 2026/07/10 3:31 a.m.12 views

CVE-2026-13430

The WordPress plugin Post Export Import with Media (versions up to 1.13.1) is vulnerable to Arbitrary File Upload. The root cause is insufficient file extension validation during ZIP import: the extension allow-list check in ajax_import_media_start() uses pathinfo() on the raw ZIP entry name, so ...

7.2CVSS6.6AI score0.00615EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/07/10 12:0 a.m.9 views

PT-2026-57209

Name of the Vulnerable Software and Affected Versions MaxKB versions prior to 2.10.0-lts Description An issue exists where the tool import functionality in apps/tools/serializers/tool.py and the MCP referencing mode in apps/application/chat pipeline/step/chat step/impl/base chat step.py do not...

8.8CVSS6.2AI score0.00384EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/07/10 12:0 a.m.11 views

PT-2026-57325

Name of the Vulnerable Software and Affected Versions Frappe versions prior to 16.23.0 Frappe versions prior to 15.112.0 Description A TarSlip Remote Code Execution RCE issue exists in the Package Import feature. This occurs because members of tarfiles are not sufficiently validated before...

8.6CVSS6.3AI score0.00457EPSS
Exploits0References13
Patchstack
Patchstack
added 2026/07/09 7:58 p.m.6 views

WordPress Import and export users and customers plugin <= 2.4.0 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure vulnerability

Missing Authorization to Authenticated Subscriber+ Sensitive Information Exposure vulnerability discovered by Tiago Ventura perses in WordPress Plugin Import and export users and customers versions = 2.4.0...

4.3CVSS6.1AI score0.00223EPSS
Exploits0References1Affected Software1
OSV
OSV
added 2026/07/09 6:42 p.m.2 views

SUSE-SU-2026:2830-1 Security update for warewulf4

This update for warewulf4 fixes the following issues: Update to v4.7.0. Security issues fixed: - CVE-2025-69725: incorrect input validation in the RedirectSlashes function can lead to an open redirect bsc1258511. - CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when giv...

9.6CVSS6.5AI score0.00781EPSS
Exploits0References11
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/07/09 3:28 p.m.13 views

Malicious code in tailwind-animate-v4 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fd43366b04ea80c2244079c09602623af157ce00cba9ae1837005b97ffe44bdb The package presents itself as a Tailwind CSS animation plugin and reproduces the legitimate tailwindcss-animate source including its original author...

6.2AI score
Exploits0References5
Patchstack
Patchstack
added 2026/07/09 3:21 p.m.9 views

WordPress Post Export Import with Media plugin <= 1.13.1 - Authenticated (Administrator+) Arbitrary File Upload vulnerability

Authenticated Administrator+ Arbitrary File Upload vulnerability discovered by ? in WordPress Plugin Post Export Import with Media versions = 1.13.1...

7.2CVSS5.9AI score0.00615EPSS
Exploits0References1Affected Software1
Rows per page
Query Builder