Lucene search
+L

99 matches found

OSSF Malicious Packages
OSSF Malicious Packages
added 4 days ago7 views

Malicious code in kuaishou (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fd1d5daf09cc7bfff164e60bf5abd0a1b374b5bb616f0a78cac8f6c6ea613608 The package's prepare lifecycle script, which runs automatically on npm install, collects host, user, and platform identifiers along with the full...

6.1AI score
Exploits0References4
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/07/09 4:34 p.m.10 views

Malicious code in nonenull1 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 162cd9e0496d35e0500fe084f6011a3e6893182b0fa209502c5d6017ab1138ac The package declares gypfile: true with no native C/C++ sources, and its binding.gyp abuses GYP command-expansion syntax in the sources list — !node...

6.1AI score
Exploits0References9
OSV
OSV
added 2026/07/08 6:51 p.m.3 views

MAL-2026-7024 Malicious code in none123s (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c28e7ef260830adb9561488c487960b12e00bd6939daf8ed8e3a239ec9530699 package.json declares a prepare lifecycle script node index.js || true that auto-executes on npm install. index.js reads canonical installer-secret...

6.1AI score
Exploits0References18
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/09 3:57 p.m.13 views

Malicious code in hey-base32 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f5bbdc771de9f99f6454831cc2cd8c22f0af88dfeb3ec66a6c4d3b174c860517 The package advertises itself as a zero-dependency base32 encoder/decoder, but its CLI entry point bin/hey-base32.js starts a remote-access tunnel on...

5.6AI score
Exploits0References6
OSV
OSV
added 2026/06/09 3:57 p.m.14 views

MAL-2026-5398 Malicious code in hey-base32 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f5bbdc771de9f99f6454831cc2cd8c22f0af88dfeb3ec66a6c4d3b174c860517 The package advertises itself as a zero-dependency base32 encoder/decoder, but its CLI entry point bin/hey-base32.js starts a remote-access tunnel on...

5.6AI score
Exploits0References6
RedhatCVE
RedhatCVE
added 2026/06/05 7:51 p.m.10 views

CVE-2025-57282

ngrok v4.3.3 and 5.0.0-beta.2 is vulnerable to Command Injection...

8.8CVSS5.4AI score0.00981EPSS
Exploits0References1
OSV
OSV
added 2026/05/18 6:31 p.m.7 views

GHSA-QR28-P3WR-MXQ3 ngrok is Vulnerable to Command Injection

ngrok v4.3.3 and 5.0.0-beta.2 are vulnerable to Command Injection...

8.8CVSS5.8AI score0.00981EPSS
Exploits0References4
vulnersOsv
vulnersOsv
added 2026/05/18 6:31 p.m.13 views

@addtodoist/twitter-autohook (=2.2.0), @alessiodf/core-chameleon (=0.0.1) +156 more potentially affected by CVE-2025-57282 via ngrok (=4.3.3)

ngrok NPM version =4.3.3 is affected by a known vulnerability. The following packages have a transitive dependency on ngrok and may be impacted: - @addtodoist/twitter-autohook =2.2.0 - @alessiodf/core-chameleon =0.0.1 - @archer-edu/qa-test-cli =0.1.0, =0.1.1, =3.8.2, =3.0.0, =3.0.0-alpha.9, =1.0....

8.8CVSS5.4AI score0.00981EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/05/18 6:31 p.m.7 views

5htp-airtable (>=0.0.1 <=0.1.2-3), @a-cube-io/ereceipts-js-sdk (=1.1.0) +147 more potentially affected by CVE-2025-57282 via ngrok (=5.0.0-beta.2)

ngrok NPM version =5.0.0-beta.2 is affected by a known vulnerability. The following packages have a transitive dependency on ngrok and may be impacted: - 5htp-airtable =0.0.1, =1.0.0, =5.0.0, =1.0.0, =3.1.6, =1.4.4, =1.0.0, =1.3.2, =1.0.31, =1.0.0, =1.0.26, =1.0.2, =1.1.0 and more Source cves:...

8.8CVSS5.7AI score0.00981EPSS
Exploits0
Github Security Blog
Github Security Blog
added 2026/05/18 6:31 p.m.9 views

ngrok is Vulnerable to Command Injection

ngrok v4.3.3 and 5.0.0-beta.2 are vulnerable to Command Injection...

8.8CVSS5.8AI score0.00981EPSS
Exploits0References4Affected Software1
NVD
NVD
added 2026/05/18 4:16 p.m.16 views

CVE-2025-57282

ngrok v4.3.3 and 5.0.0-beta.2 is vulnerable to Command Injection...

8.8CVSS0.00981EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/18 12:0 a.m.16 views

PT-2026-41678

ngrok v4.3.3 and 5.0.0-beta.2 is vulnerable to Command Injection...

5.8AI score0.00981EPSS
Exploits0References3
CVE
CVE
added 2026/05/18 12:0 a.m.29 views

CVE-2025-57282

CVE-2025-57282 affects ngrok v4.3.3 and 5.0.0-beta.2 and is described as vulnerable to Command Injection. The connected documents confirm the affected software and the vulnerability class but do not provide exploitation details, root cause specifics, or remediation steps beyond what is stated. No...

8.8CVSS5.8AI score0.00981EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/18 12:0 a.m.14 views

EUVD-2025-209888

ngrok v4.3.3 and 5.0.0-beta.2 is vulnerable to Command Injection...

8.8CVSS5.8AI score0.00981EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/05/18 12:0 a.m.11 views

ngrok 命令注入漏洞

Ngrok is a security internal network penetration and application access platform developed by the US company Ngrok. Versions 4.3.3 and 5.0.0-beta.2 of Ngrok contain command injection vulnerabilities, which are vulnerable to command injection attacks...

8.8CVSS5.8AI score0.00981EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/18 12:0 a.m.43 views

CVE-2025-57282

ngrok v4.3.3 and 5.0.0-beta.2 is vulnerable to Command Injection...

0.00981EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/18 12:0 a.m.8 views

CVE-2025-57282

ngrok v4.3.3 and 5.0.0-beta.2 is vulnerable to Command Injection...

5.8AI score0.00981EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/18 12:0 a.m.8 views

CVE-2025-57282

ngrok v4.3.3 and 5.0.0-beta.2 is vulnerable to Command Injection...

8.8CVSS5.8AI score0.00981EPSS
Exploits0References3
OSV
OSV
added 2026/05/08 4:32 p.m.5 views

GHSA-52CQ-7V8R-62C6 gmaps-mcp's unauthenticated HTTP transport allows unlimited Google Maps API calls at operator expense

Unauthenticated HTTP Transport Allows Unlimited Google Maps API Calls at Operator Expense The gmaps-mcp codebase was reviewed at commit e671db68c804c9e67d51582d3280839ffa65f127 and three issues worth flagging were discovered — one high-severity, one medium, one structural. There were no...

8.3CVSS5.9AI score
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/05/08 4:32 p.m.11 views

gmaps-mcp's unauthenticated HTTP transport allows unlimited Google Maps API calls at operator expense

Unauthenticated HTTP Transport Allows Unlimited Google Maps API Calls at Operator Expense The gmaps-mcp codebase was reviewed at commit e671db68c804c9e67d51582d3280839ffa65f127 and three issues worth flagging were discovered — one high-severity, one medium, one structural. There were no...

5.9AI score
Exploits0References4Affected Software1
Rows per page
Query Builder