CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Metasploit•added 3 days ago•59 views

Gogs Git Rebase Argument Injection RCE

This module exploits an argument injection vulnerability in the pull request merge flow of Gogs is parsed by Git as the --exec flag rather than a positional argument, causing sh -c to run after each replayed commit during the rebase. Two exploitation methods are supported: - ownrepo: The attacker...

5.9AI score

Packet Storm•added 3 days ago•31 views

📄 Gogs Git Rebase Argument Injection / Remote Code Execution

This Metasploit module exploits an argument injection vulnerability in the pull request merge flow of Gogs versions less than or equal to 0.14.2 and less than or equal to 0.15.0+dev. frozenstringliteral: true This module requires Metasploit: https://metasploit.com/download Current source:...

OSV•added 5 days ago•5 views

ROOT-APP-NPM-CVE-2020-28499 CVE-2020-28499 in @rootio/merge - Patched by Root

Root has patched CVE-2020-28499 in the @rootio/merge package for Root:npm. Multiple fixed versions available...

9.8CVSS7.3AI score0.00541EPSS

Snyk•added 2026/05/29 4:7 p.m.•5 views

Prototype Pollution

Overview org.webjars.npm:axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Prototype Pollution in the request configuration merge process. An attacker can access sensitive request configuration data, including authentication...

8.3CVSS6.3AI score

Snyk•added 2026/05/29 3:54 p.m.•4 views

Prototype Pollution

Overview org.webjars.npm:axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Prototype Pollution via polluted Object.prototype properties in the merge process. An attacker can inject arbitrary HTTP headers into outbound requests or...

6.3CVSS6.4AI score

Snyk•added 2026/05/29 3:54 p.m.•4 views

Prototype Pollution

Overview axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Prototype Pollution via polluted Object.prototype properties in the merge process. An attacker can inject arbitrary HTTP headers into outbound requests or cause synchrono...

6.3CVSS6.5AI score

Github Security Blog•added 2026/05/29 3:54 p.m.•10 views

axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions

Summary axios 1.15.2 exposes two read-side prototype-pollution gadgets. When Object.prototype is polluted by an upstream dependency in the same process e.g. lodash .merge / CVE-2018-16487, axios silently picks up the polluted values: 1. Header injection - lib/utils.js line 406 builds merge's...

6.8CVSS5.8AI score0.00468EPSS

Exploits2References3Affected Software1

Github Security Blog•added 2026/05/29 3:51 p.m.•10 views

Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix

Patch Bypass Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix in Axios 1.15.2 Summary The Object.createnull fix introduced in Axios 1.15.2 GHSA-q8qp-cvcw-x6jj protects the top-level config object from prototype pollution. However, nested objects created...

Exploits0References3Affected Software1

OSV•added 2026/05/29 3:51 p.m.•7 views

GHSA-654M-C8P4-X5FP Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix

3.7CVSS5.8AI score

Tenable Nessus•added 2026/05/29 12:0 a.m.•11 views

Linux Distros Unpatched Vulnerability : CVE-2026-46115

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - block: add pgmap check to biovecphysmergeable biovecphysmergeable is used by the request merge, DMA mapping, and integrity merge paths to decide if two physical...

9.8CVSS5.8AI score0.0006EPSS

Tenable Nessus•added 2026/05/29 12:0 a.m.•8 views

Linux Distros Unpatched Vulnerability : CVE-2026-42563

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Dulwich Vulnerable to Command Injection via Merge Driver Path CVE-2026-42563 Note that Nessus relies on the presence of the package as reported by the vendor...

Github Security Blog•added 2026/05/28 10:29 p.m.•9 views

Dulwich Vulnerable to Command Injection via Merge Driver Path

Summary Dulwich's ProcessMergeDriver substitutes the file path from the git tree, controllable by an attacker via a malicious branch into the merge driver command via the %P placeholder and executes it with subprocess.run..., shell=True. An attacker who can cause a victim to merge an untrusted...

6.3AI score

Exploits0References3Affected Software1

Debian CVE•added 2026/05/28 10:29 p.m.•9 views

CVE-2026-42563

dulwich: Command Injection via Merge Driver Path...

OSV•added 2026/05/28 10:29 p.m.•3 views

GHSA-9277-MP7X-85JF Dulwich Vulnerable to Command Injection via Merge Driver Path

7.7CVSS6.3AI score

Snyk•added 2026/05/28 10:29 p.m.•6 views

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection via the ProcessMergeDriver command. An attacker can execute arbitrary commands by crafting malicious file paths that are substituted into the merge driver command and executed with shell privileges when a victim merges...

7.5CVSS6AI score