CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSSF Malicious Packages•added 1 hour ago•2 views

Malicious code in hello244a (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 3d7e9578338cca22e41d1ac1345136162b5441eb57090bb89fbc73bd37976c71 The OpenSSF Package Analysis project identified 'hello244a' @ 1.0.4 npm as malicious. It is considered malicious because: - The package...

Cvelist•added 1 hour ago•3 views

Exploits0

CVE-2026-42329 Iris has an Open Redirect issue

4.7CVSS

ATTACKERKB•added 1 hour ago•1 views

CVE-2026-42329

4.7CVSS5.8AI score

Exploits0References2Affected Software1

NVD•added 1 hour ago•3 views

CVE-2026-41249

CoreShop is a Pimcore enhanced eCommerce solution. In versions 5.0.1 through 5.1.0-beta.1,, the GitHub Actions workflow .github/workflows/static.yml uses the pullrequesttarget trigger but dangerously checks out the unverified code from the pull request head ref: $ github.event.pullrequest.head.re...

8.2CVSS

Exploits0References3

OSSF Malicious Packages•added 3 hours ago•3 views

Malicious code in supabase (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware ffc0b5a7cfe173533053ac607e28d5e000c963fc1fd706bd9eedf57902e11c1a Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

OSSF Malicious Packages•added 3 hours ago•3 views

Malicious code in @jagreehal/workflow (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 84103acc1e6580ad54c7a89f1ce423e9ac0a0ca4b943879c6f80e9e46fb23fce Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Vulnrichment•added 4 hours ago•4 views

CVE-2026-10796 nvm executes commands from a malicious Node.js mirror's version strings

nvm Node Version Manager through 0.40.4 executes arbitrary commands from version strings supplied by the configured Node.js/io.js mirror. Commands such as nvm install read the available versions from the mirror's index.tab and use the selected version, without sanitization, to build download URLs...

7.5CVSS6.1AI score

Cvelist•added 4 hours ago•5 views

CVE-2026-10796 nvm executes commands from a malicious Node.js mirror's version strings

7.5CVSS

OSSF Malicious Packages•added 5 hours ago•5 views

Malicious code in sf-silly-goose-requests (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 d1b2d16ce881d1e9b356ed424f8144ce9324d09010efa8761ad13ac8a46e7b60 Package uses trufflehog to detect secrets and exfiltrates them to a hardcoded location --- Category: MALICIOUS - The campaign has clearly malicious intent, lik...

Cvelist•added 7 hours ago•3 views

CVE-2026-43986 Tautulli vulnerable to unauthenticated SSRF in /image/<hash> via attacker-seeded image hash replay

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose a public /image/ route that resolves attacker-controlled entries from imagehashlookup and replays them through the same server-side image fetch logic used by authenticated image proxying...

9.9CVSS

Exploits0References2

EUVD•added 7 hours ago•3 views

EUVD-2026-34286

9.9CVSS5.9AI score

Exploits0References2

ATTACKERKB•added 8 hours ago•2 views

CVE-2019-25739

GigToDo 1.3 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript and HTML code through the proposal description field. Attackers can craft XSS payloads in the createproposal endpoint that execute when administrators or other...

6.4CVSS5.7AI score

Cvelist•added 8 hours ago•4 views

CVE-2019-25737 Live Chat Unlimited 2.8.3 Stored Cross-Site Scripting

Live Chat Unlimited 2.8.3 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the chat input field. Attackers can submit payloads containing script tags and event handlers that execute in the admin area, enabling cookie...

7.2CVSS

OSV•added 11 hours ago•2 views

MAL-2026-5183 Malicious code in hpe-glcp-automation-lib (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 53256c57763ad4be286cf74bf0162b67413edc085338e3778ac9bc2afa1b4b93 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

5.9AI score

OSSF Malicious Packages•added 11 hours ago•3 views

Malicious code in hpe-glcp-automation-lib (PyPI)

5.9AI score

NVD•added 12 hours ago•4 views

CVE-2026-50211

Leftover engineering diagnostics and factory-level diagnostic software remain exposed on retail builds, giving malicious apps write privileges to internal NVRAM registers...

9.8CVSS

ATTACKERKB•added 14 hours ago•5 views

CVE-2026-50211

Leftover engineering diagnostics and factory-level diagnostic software remain exposed on retail builds, giving malicious apps write privileges to internal NVRAM registers...

8.8CVSS5.8AI score

Exploits0References2

Cvelist•added 14 hours ago•7 views

CVE-2026-50211 Exposed Factory Testing App Boundaries

Leftover engineering diagnostics and factory-level diagnostic software remain exposed on retail builds, giving malicious apps write privileges to internal NVRAM registers...

8.8CVSS

EUVD•added 14 hours ago•3 views

EUVD-2026-34223

Leftover engineering diagnostics and factory-level diagnostic software remain exposed on retail builds, giving malicious apps write privileges to internal NVRAM registers...

9.8CVSS5.8AI score