Lucene search
K

9623 matches found

Tenable Nessus
Tenable Nessus
added 2 days ago2 views

pnpm < 10.34.0 / 11.x < 11.4.0 Multiple Vulnerabilities

The version of pnpm installed on the remote host is prior to 10.34.0, or 11.x prior to 11.4.0. It is, therefore, affected by multiple vulnerabilities: - pnpm allows a transitive dependency alias from registry package metadata to contain path traversal segments. During install, pnpm later uses tha...

8.8CVSS6.2AI score0.00326EPSS
Exploits2References4
OSV
OSV
added 4 days ago9 views

MAL-2026-6757 Malicious code in vps-maintenance-paperclip-adapter (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0de46c3e339f828f4c86612ee8bf74a29edc636511e2eaa765d8a75699849da3 package.json declares a postinstall lifecycle script that runs an inline node -e payload opening a TCP socket to 185.112.147.174:7007 and piping it...

6.1AI score
Exploits0References2
OSV
OSV
added 5 days ago8 views

MAL-2026-6748 Malicious code in haproxy-config-client (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 f70d07844bca4fadfcedb195f5768c8a95318af4d62a4bcec94556b99b72c4ad During installation the obfuscated code downloads a malicious executable from a remote location. Code is designed to survive different blocks: first, there is ...

6.2AI score
Exploits0References2
Nuclei
Nuclei
added 5 days ago183 views

DotNetNuke 07.04.00 - Administration Authentication Bypass

The installation wizard in DotNetNuke DNN before 7.4.1 allows remote attackers to reinstall the application and gain SuperUser access via a direct request to Install/InstallWizard.aspx. id: CVE-2015-2794 info: name: DotNetNuke 07.04.00 - Administration Authentication Bypass author: 0xr2r severity...

9.8CVSS7.2AI score0.74552EPSS
Exploits4References5
SUSE CVE
SUSE CVE
added 5 days ago7 views

SUSE CVE-2026-20216

A vulnerability in the InstallShield file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a DoS condition on an affected device. This vulnerability is due to improper handling of temporary resources during file scanning. An attacker could exploit this vulnerabilit...

7.5CVSS7.1AI score0.00389EPSS
Exploits0References3
OSV
OSV
added 6 days ago10 views

GHSA-G6G7-PVMX-M74P 9router: Missing Authorization and OS Command Injection

Unauthenticated RCE via /api/tunnel/tailscale-install Affected: 9router npm package — current master v0.4.39. Summary POST /api/tunnel/tailscale-install accepts a JSON body with a sudoPassword field and pipes it, followed by the body of https://tailscale.com/install.sh, into a child process spawn...

9.2CVSS5.9AI score
Exploits0References3
Github Security Blog
Github Security Blog
added 6 days ago16 views

9router: Missing Authorization and OS Command Injection

Unauthenticated RCE via /api/tunnel/tailscale-install Affected: 9router npm package — current master v0.4.39. Summary POST /api/tunnel/tailscale-install accepts a JSON body with a sudoPassword field and pipes it, followed by the body of https://tailscale.com/install.sh, into a child process spawn...

9.8CVSS5.9AI score
Exploits0References3Affected Software1
OSV
OSV
added 6 days ago3 views

PYSEC-2026-645 instack-undercloud vulnerable to symlink attack on tmp files

A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Oacta, 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. A local user could exploi...

6.4CVSS6.6AI score0.00347EPSS
Exploits0References14
GitLab Advisory Database
GitLab Advisory Database
added 6 days ago13 views

9router: Missing Authorization and OS Command Injection

POST /api/tunnel/tailscale-install accepts a JSON body with a sudoPassword field and pipes it, followed by the body of https://tailscale.com/install.sh, into a child process spawned as sudo -S sh. The route is not present in the dashboard middleware matcher in src/proxy.js, so the request reaches...

9.8CVSS5.8AI score
Exploits0References4Affected Software1
NVD
NVD
added 2026/06/30 11:17 p.m.9 views

CVE-2026-56700

Grav CMS before 2.0.0-beta.2 contains multiple code-execution vulnerabilities. Three unsafe unserialize calls - in Scheduler\JobQueue, Framework\Cache\Adapter\FileCache, and Session - deserialize untrusted data without restricting allowed classes, enabling PHP object injection and, via a gadget...

9.8CVSS0.01683EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/30 10:8 p.m.27 views

CVE-2026-56700 Grav - Multiple Remote Code Execution Vulnerabilities via Unsafe Unserialize and Command Injection

Grav CMS before 2.0.0-beta.2 contains multiple code-execution vulnerabilities. Three unsafe unserialize calls - in Scheduler\JobQueue, Framework\Cache\Adapter\FileCache, and Session - deserialize untrusted data without restricting allowed classes, enabling PHP object injection and, via a gadget...

9.8CVSS0.01683EPSS
Exploits0References2
CVE
CVE
added 2026/06/30 10:8 p.m.15 views

CVE-2026-56700

Grav CMS (before 2.0.0-beta.2) contains multiple code-execution vulnerabilities. Three unsafe unserialize() calls in Scheduler\JobQueue, Framework\Cache\Adapter\FileCache, and Session deserialize untrusted data, enabling PHP object injection and, via a gadget chain, arbitrary code execution when ...

9.8CVSS6.4AI score0.01683EPSS
Exploits0References2
OSV
OSV
added 2026/06/30 12:0 a.m.3 views

MAL-2026-6690 Malicious code in log-taker1 (npm)

Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. log-taker1 embeds a full infostealer 2800 lines directly in index.js, executed at install time via postinstall: node test.js. The payload harvests cryptocurrency wallet vaults MetaMask, Phantom, Solflare,...

5.8AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.9 views

PT-2026-54048

Name of the Vulnerable Software and Affected Versions Grav CMS versions prior to 2.0.0-beta.2 Description Multiple issues allow for code execution. Three unsafe unserialize calls within SchedulerJobQueue, FrameworkCacheAdapterFileCache, and Session deserialize untrusted data without restricting...

9.8CVSS6.5AI score0.01683EPSS
Exploits0References4
CVE
CVE
added 2026/06/29 8:18 p.m.22 views

CVE-2026-34597

CVE-2026-34597 affects Coolify prior to 4.0.0-beta.470. The vulnerability lies in how user-supplied build parameters for the Nixpacks build pack are handled: the install_command provided by a user is directly concatenated into a shell command string executed on the deployment host during the buil...

8.8CVSS6.2AI score0.00526EPSS
Exploits0References1
OSV
OSV
added 2026/06/29 11:50 a.m.6 views

PYSEC-2026-347 Guardrails AI contains a code injection vulnerability in its Hub package installation mechanism

Guardrails AI thru 0.6.7 contains a code injection vulnerability CWE-94 in its Hub package installation mechanism. When installing validator packages via guardrails hub install, the system retrieves a manifest from the Guardrails Hub and dynamically executes a script specified in the postinstall...

9.8CVSS6.3AI score0.00635EPSS
Exploits0References5
OSV
OSV
added 2026/06/29 8:52 a.m.8 views

MAL-2026-6588 Malicious code in endpointmap (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector aa2ddbcbdd90508af14415a021644c1ab8a57e432b526425e4c5128b23f897bb endpointmap advertises itself as a REST endpoint registry but exhibits a two-package smuggle pattern. lib/registry.js exports two non-printable byte...

5.8AI score
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/29 8:52 a.m.9 views

Malicious code in endpointmap (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector aa2ddbcbdd90508af14415a021644c1ab8a57e432b526425e4c5128b23f897bb endpointmap advertises itself as a REST endpoint registry but exhibits a two-package smuggle pattern. lib/registry.js exports two non-printable byte...

5.8AI score
Exploits0References3
NVD
NVD
added 2026/06/29 4:16 a.m.9 views

CVE-2026-13529

A vulnerability was determined in YzmCMS up to 7.5. This affects an unknown function of the file /application/install/index.php. Executing a manipulation of the argument siteurl can lead to sql injection. The attack can be executed remotely. A high complexity level is associated with this attack...

6.3CVSS0.00239EPSS
Exploits0References5
EUVD
EUVD
added 2026/06/29 3:0 a.m.8 views

EUVD-2026-40026

A vulnerability was determined in YzmCMS up to 7.5. This affects an unknown function of the file /application/install/index.php. Executing a manipulation of the argument siteurl can lead to sql injection. The attack can be executed remotely. A high complexity level is associated with this attack...

6.3CVSS5.8AI score0.00239EPSS
Exploits0References5
Rows per page
Query Builder