CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Nuclei•added yesterday•12 views

JS Help Desk <= 2.8.1 - SQL Injection

The JS Help Desk – Best Help Desk & Support Plugin plugin for WordPress is vulnerable to SQL Injection via the ‘email' and 'trackingid' parameters in all versions up to 2.8.2 exclusive due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing S...

9.8CVSS7.3AI score0.02041EPSS

OSV•added yesterday•2 views

UBUNTU-CVE-2026-53550

js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0, a craf...

5.3CVSS5.8AI score0.00251EPSS

NVD•added 2 days ago•6 views

CVE-2026-53550

js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block...

5.3CVSS0.00251EPSS

The Hacker News•added 2 days ago•14 views

New OXLOADER Loader Uses Malicious Google Ads to Deliver CastleStealer

Cybersecurity researchers have disclosed details of a new campaign that delivers CastleStealer by means of a previously unreported malware loader dubbed OXLOADER. According to Elastic Security Labs, the campaign leverages malicious Google Ads as a starting point to distribute the malware. Evidenc...

OSV•added 2 days ago•3 views

Exploits0

MAL-2026-6313 Malicious code in @zynkit/jwtbytes (npm)

@zynkit/jwtbytes malicious version 0.5.3, published by [email protected] is a trojanized npm package belonging to the wshu.net credential-stealer campaign. The campaign published trojanized look-alike utility packages across 12+ scopes whose publisher accounts all follow the pattern...

6.5AI score

Exploits0References7

Nuclei•added 2 days ago•10 views

Mongoose < 8.8.3 - Remote Code Execution

Mongoose before 8.8.3 can improperly use $where in match, leading to search injection. id: CVE-2024-53900 info: name: Mongoose 8.8.3 - Remote Code Execution author: h4mg severity: critical description: | Mongoose before 8.8.3 can improperly use $where in match, leading to search injection. impact...

9.1CVSS7.5AI score0.03911EPSS

Exploits3References5

NVD•added 5 days ago•6 views

CVE-2026-49293

js-toml is a TOML parser for JavaScript, fully compliant with the TOML 1.0.0 Spec. Versions up to and including 1.1.0 parse hexadecimal / octal / binary integer literals via a hand-written parseBigInt loop that multiplies a BigInt accumulator by the radix once per input digit. Each iteration...

7.5CVSS0.00339EPSS

Exploits0References3

Cvelist•added 5 days ago•16 views

CVE-2026-49293 CPU exhaustion via O(n^2) BigInt construction on radix-prefixed integer literals

7.5CVSS0.00339EPSS

Exploits0References3

OSSF Malicious Packages•added 5 days ago•9 views

Malicious code in new-mjs-eslint (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b4ae24b182a00059424b8ea4800927bbbf662f0e6bf20264af611d37203a3f2e Package is published under the unrelated name 'new-mjs-eslint' but ships a verbatim copy of the big.js decimal-arithmetic library original...

OSSF Malicious Packages•added 5 days ago•9 views

Malicious code in new-ecro (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7492a140547cea0957bc705d365e19806091462a249c3d5c90b6bfe91e8431c7 Package 'new-ecro' impersonates the legitimate 'big.js' library: it copies big.js's README, source, version banner 'big.js v7.0.1', author email, and...

OSV•added 5 days ago•5 views

Exploits0References4

MAL-2026-6197 Malicious code in new-ecro (npm)

Tenable Nessus•added 5 days ago•5 views

Exploits0References4

Fedora 45 : nginx / nginx-mod-brotli / nginx-mod-fancyindex / etc (2026-e212182e6e)

The remote Fedora 45 host has packages installed that are affected by multiple vulnerabilities as referenced in the FEDORA-2026-e212182e6e advisory. nginx-mod-brotli: - Rebuild for 1.30.3 nginx-mod-fancyindex: - Rebuild for 1.30.3 nginx-mod-modsecurity: - Rebuild for 1.30.3 nginx-mod-headers-more...

9.2CVSS6.2AI score0.02391EPSS

Exploits3References4

OSV•added 6 days ago•3 views

ALPINE-CVE-2026-48937

A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a GOAWAY frame. This vulnerability affects two supported release lines: Node.js 22 and Node.js 24...

5.3CVSS6.1AI score0.00397EPSS

The Hacker News•added 2026/06/17 7:38 a.m.•22 views

145 Mastra npm Packages Compromised via Hijacked Contributor Account

As many as 145 npm packages associated with the Mastra namespace "@mastra/", a popular open-source JavaScript and TypeScript framework for building artificial intelligence AI applications, have been compromised as part of a software supply chain attack codenamed easy-day-js , per findings from...

6AI score

Exploits0

OSSF Malicious Packages•added 2026/06/17 4:55 a.m.•5 views

Malicious code in @mastra/client-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 22551bc03157cad1fefb8af44f3b14c9fe9e892c083eb904e512007015e72f9f Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

5.4AI score

OSV•added 2026/06/17 4:55 a.m.•5 views

MAL-2026-6007 Malicious code in @mastra/client-js (npm)

5.4AI score

OSV•added 2026/06/17 4:22 a.m.•3 views

MAL-2026-5988 Malicious code in params-valid-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 397af72237ba3626ac4727497662530f602c2ce6ec71406f48b508055687366c The package presents itself as 'Simplified HTTP request client' and copies identity metadata from Mikeal Rogers' legitimate request package bugs URL...

5.4AI score