Lucene search
K

58 matches found

ATTACKERKB
ATTACKERKB
added 5 days ago6 views

CVE-2026-4275

The Divi Torque Lite – Divi Theme, Divi Builder & Extra Theme plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.3. This is due to the use of 'returntrue' as the permissioncallback for the /installplugin and /activateplugin REST API endpoint...

8.8CVSS5.9AI score0.00187EPSS
Exploits0References9
CVE
CVE
added 6 days ago8 views

CVE-2026-59948

CVE-2026-59948 affects Composer (PHP dependency manager). A malicious package from an untrusted repo (not Packagist.org/Private Packagist) with an invalid name could cause install/update to write attacker-controlled files outside the vendor directory and project. Root cause: failure to validate t...

7CVSS6AI score0.00132EPSS
Exploits0References5
Tenable Nessus
Tenable Nessus
added 2026/07/06 12:0 a.m.6 views

pnpm < 10.34.0 / 11.x < 11.4.0 Multiple Vulnerabilities

The version of pnpm installed on the remote host is prior to 10.34.0, or 11.x prior to 11.4.0. It is, therefore, affected by multiple vulnerabilities: - pnpm allows a transitive dependency alias from registry package metadata to contain path traversal segments. During install, pnpm later uses tha...

8.8CVSS6.2AI score0.00326EPSS
Exploits2References4
ATTACKERKB
ATTACKERKB
added 2026/06/25 4:52 p.m.6 views

CVE-2026-50015

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm's patch application pipeline @pnpm/patch-package performs no path validation on file paths extracted from .patch files. An attacker who contributes a malicious patch file via a pull request can write attacker-controlled content to or...

7.3CVSS6.1AI score0.0027EPSS
Exploits1References2Affected Software1
RedhatCVE
RedhatCVE
added 2026/06/05 8:21 a.m.10 views

CVE-2026-11332

A flaw was found in ansible-core. The ansible-galaxy role install command processes dependency specifications from a role's meta/requirements.yml file. Due to improper neutralization of argument delimiters, a malicious role author can inject arbitrary git configuration flags through the src field...

7.8CVSS6.4AI score0.00156EPSS
Exploits0References4
NVD
NVD
added 2026/05/26 9:16 p.m.18 views

CVE-2026-44444

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the Spindle extension build pipeline calls bun install without the --ignore-scripts flag before running the static backend safety scan assertSafeBackendBundle. A malicious extension that ships a package.json with a preinstall,...

9.1CVSS0.0037EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/26 12:0 a.m.12 views

Kubevirt 后置链接漏洞

Kubevirt is an open-source virtual machine manager developed by KubeVirt. Kubevirt has a post-installation vulnerability, which stems from improper verification of symbolic links. This vulnerability may allow authenticated OpenShift users to manipulate the console socket in a single namespace by...

9.9CVSS5.8AI score0.00596EPSS
Exploits0References2
GithubExploit
GithubExploit
added 2026/05/16 10:13 p.m.98 views

bun-archive-traversal-poc

Bun Archive Extraction Traversal PoCs Target: oven-sh/bun...

5.9AI score
Exploits0
Vulnrichment
Vulnrichment
added 2026/05/15 4:0 p.m.10 views

CVE-2026-44641 Microsoft APM: plugin.json component paths escape plugin root and copy arbitrary host files during install

Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.8.12, Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.json into .apm/. The manifest fields agents, skills, commands, and hooks are attacker-controlled, but...

7.1CVSS5.9AI score0.00351EPSS
Exploits0References1
CVE
CVE
added 2026/05/15 4:0 p.m.21 views

CVE-2026-44641

CVE-2026-44641 affects Microsoft APM. Before version 0.8.12, the plugin-loading flow copies components listed in plugin.json into the .apm/ directory and does not validate that manifest paths (agents, skills, commands, hooks) stay inside the plugin root. An attacker can supply absolute or ../ tra...

7.1CVSS5.9AI score0.00351EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/15 4:0 p.m.40 views

CVE-2026-44641 Microsoft APM: plugin.json component paths escape plugin root and copy arbitrary host files during install

Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.8.12, Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.json into .apm/. The manifest fields agents, skills, commands, and hooks are attacker-controlled, but...

7.1CVSS0.00351EPSS
Exploits0References1
OSV
OSV
added 2026/05/07 9:41 p.m.6 views

GHSA-XHRW-5QXX-JPWR Microsoft APM CLI's plugin.json component paths escape plugin root and copy arbitrary host files during install

Summary Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.json into .apm/. The manifest fields agents, skills, commands, and hooks are attacker-controlled, but the implementation does not enforce that those paths remain inside the plugin directory. A...

7.1CVSS5.9AI score0.00351EPSS
Exploits0References3
OSV
OSV
added 2026/05/06 2:45 p.m.5 views

BIT-JAVA-MIN-2025-50063

Vulnerability in Oracle Java SE component: Install. The supported version that is affected is Oracle Java SE: 8u451. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Java SE executes to compromise Oracle Java SE. Successful attacks...

7.3CVSS7.1AI score0.00245EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/05/05 12:0 a.m.12 views

IOBit IObit Advanced SystemCare 后置链接漏洞

IOBit Advanced SystemCare is a system management utility developed by IOBit Corporation. This program is primarily used for scanning, repairing, and optimizing systems. Version 19 of IOBit Advanced SystemCare contained a post-installation vulnerability, which was caused by a issue with the Servic...

7.3CVSS7.1AI score0.00131EPSS
Exploits0References1
EUVD
EUVD
added 2026/04/08 7:16 p.m.8 views

EUVD-2026-20489

CI4MS Vulnerable to .env CRLF Injection via Unvalidated host Parameter in Install Controller...

8.1CVSS5.9AI score0.00516EPSS
Exploits1References3
RedhatCVE
RedhatCVE
added 2026/03/07 1:44 a.m.7 views

CVE-2026-28452

OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the extractArchive function within src/infra/archive.ts that allows attackers to consume excessive CPU, memory, and disk resources through high-expansion ZIP and TAR archives. Remote attackers can trigger resource...

6.7CVSS5.8AI score0.00319EPSS
Exploits0References1
OSV
OSV
added 2026/01/28 12:15 a.m.6 views

CVE-2026-24840 Dokploy uses hardcoded credentials in installation script, which could result in database access

Dokploy is a free, self-hostable Platform as a Service PaaS. In versions prior to 0.26.6, a hardcoded credential in the provided installation script located at https://dokploy.com/install.sh, line 154 uses a hardcoded password when creating the database container. This means that nearly all Dokpl...

8CVSS5.9AI score0.00334EPSS
Exploits1References4
OSV
OSV
added 2025/10/09 9:15 p.m.4 views

CVE-2025-35052

Newforma Info Exchange NIX uses a hard-coded key to encrypt certain query parameters. Some encrypted parameter values can specify paths to download files, potentially bypassing authentication and authorization, for example, the 'qs' parameter used in '/DownloadWeb/download.aspx'. This key is shar...

6.3CVSS5.8AI score0.00347EPSS
Exploits0References2
EUVD
EUVD
added 2025/10/07 12:30 a.m.4 views

EUVD-2018-3363

Malware in sbrugna...

9.8CVSS9.2AI score0.03798EPSS
Exploits0References4
Talos Blog
Talos Blog
added 2025/08/20 1:0 p.m.6 views

Russian state-sponsored espionage group Static Tundra compromises unpatched end-of-life network devices

Static Tundra is a Russian state-sponsored cyber espionage group linked to the FSB's Center 16 unit that has been operating for over a decade, specializing in compromising network devices for long-term intelligence gathering operations. The group actively exploits a seven-year-old vulnerability...

10CVSS10AI score0.9951EPSS
Exploits2
Rows per page
Query Builder