CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

CVE•added 2026/06/09 11:47 p.m.•17 views

CVE-2026-46543

CVE-2026-46543 (Nimiq blockchain) affects the Rust implementation

5.3CVSS5.5AI score0.00291EPSS

Cvelist•added 2026/06/09 11:47 p.m.•37 views

CVE-2026-46543 nimiq-blockchain: Genesis batch set request

Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.5.0, a remote peer can crash any full node by sending a RequestBatchSet message containing the genesis block's hash. The handler calls getepochchunks which iterates...

5.3CVSS0.00291EPSS

Cvelist•added 2026/06/09 11:45 p.m.•30 views

CVE-2026-46541 Nimiq network-libp2p: DHT query poisoning via first-record verification failure

Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.4.0, iIn handledhtget, the DhtResults accumulator is only initialized when the first DHT record passes verification. If the first record fails from a malicious DHT...

7.5CVSS0.00346EPSS

RedhatCVE•added 2026/06/09 8:59 p.m.•14 views

CVE-2026-46442

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, POST /api/v1/node-custom-function lacks route-level authorization, allowing any authenticated user or API key to submit arbitrary JavaScript to the Custom JS Function node. When...

9.9CVSS6.5AI score0.0082EPSS

Exploits1References1

OSSF Malicious Packages•added 2026/06/09 8:34 p.m.•16 views

Malicious code in mcp-server-git (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4cf54d60f4aeb261f3b4c523293183b728b02bc20255aeab62d7f86c94adc7ed package.json declares postinstall: node index.js. On every npm install, index.js lines 14-29 reads os.hostname, process.cwd, os.platform, the npm...

OSV•added 2026/06/09 8:34 p.m.•8 views

MAL-2026-5478 Malicious code in mcp-server-git (npm)

OSSF Malicious Packages•added 2026/06/09 8:34 p.m.•8 views

Malicious code in mcp-server-postgres (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f0b86cc4cf49b5d6cda37126f6a0c7c9f9fec648eb4d4743b6f39423613d3122 Package squats the unscoped name mcp-server-postgres impersonating the official scoped MCP postgres server. package.json declares "postinstall": "nod...

5.3AI score

OSSF Malicious Packages•added 2026/06/09 8:34 p.m.•9 views

Malicious code in mcp-server-redis (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c94a122c1dd231888bc72b52cbef5dbdd793d2680f7e7e36385bd06e07dc20fd Package claims the unscoped name mcp-server-redis to intercept npx mcp-server-redis invocations intended for the legitimate MCP Redis server ecosyste...

5.3AI score

OSV•added 2026/06/09 8:34 p.m.•10 views

MAL-2026-5484 Malicious code in mcp-server-sequential-thinking (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 211672c16839ae6cd4e9f10810163da536480f07938b2d51c50ecbbb9f5e90ed Unscoped package impersonating the official @modelcontextprotocol/server-sequential-thinking MCP server. package.json declares postinstall: 'node...

OSV•added 2026/06/09 8:34 p.m.•8 views

MAL-2026-5477 Malicious code in mcp-server-figma (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 474223e0d5456564c1ae112031e3b8f276850a79f59cc93ed3a04805de291f20 Package squats the unscoped name mcp-server-figma, which AI coding agents and developers commonly invoke via npx mcp-server-figma expecting the...

OSV•added 2026/06/09 8:34 p.m.•6 views

MAL-2026-5480 Malicious code in mcp-server-notion (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0423928197ec83ac273fa4a1b66d9e75398b956e7d5027014ff6326c552a46c2 Package occupies the unscoped name mcp-server-notion to catch misrouted installs of the scoped MCP Notion server. package.json declares "postinstall"...

OSV•added 2026/06/09 8:32 p.m.•9 views

MAL-2026-5468 Malicious code in getd-pantallas-cliente (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 89a26267435645776aa984be114d5c657e63fa9937ff044e5ddd24943b28ea6e On npm install, postinstall.js collects os.hostname, os.userInfo.username, os.platform, process.cwd, and CI/build environment variables and sends the...

OSSF Malicious Packages•added 2026/06/09 8:29 p.m.•11 views

Malicious code in getd-typescript-eslint-rules (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector caed4b0db34232c4ef920817b6087cee9ac0610ec4ec2e49edbb5f167342f42f On npm install, the postinstall.js script collects the installer's hostname, OS username, platform, current working directory, CI environment markers...

OSV•added 2026/06/09 8:29 p.m.•10 views

MAL-2026-5473 Malicious code in gethandler-api (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0b6925d4c07df297f8cb573df4d85a396794d8793179e7a97f2cfde3aadfcfbc On npm install, postinstall.js unconditionally sends an HTTPS GET to https://webhook.site/18dc4281-d366-438a-9186-76fbcd56ade5 carrying the installer...

OSSF Malicious Packages•added 2026/06/09 8:29 p.m.•7 views

Malicious code in getd-handler-api (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 83398d27bb84d47296f796b4b2e6e9b5a0efc474add2e57592455e7d5d54eab5 On npm install, postinstall.js collects the installer's hostname, username, platform, current working directory, and CI-related environment variables...

OSV•added 2026/06/09 8:18 p.m.•9 views

MAL-2026-5464 Malicious code in db-xorma (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1428486c71a3cd7d89ea90a17631bb5dc0fee7e11a6cbb4d8029a8b25268c7d2 db-xorma advertises itself as a reactive in-memory database library. When a consumer creates any Model instance the documented entry point, the...

6.2AI score

Exploits0References5

OSSF Malicious Packages•added 2026/06/09 8:18 p.m.•6 views

Malicious code in db-dx-connector (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b0a6cd3a84c38e801823eba4ccf0d4ff2a28f5955309bfb300f7f0f640b1a69b db-dx-connector is a name-transposition of the legitimate divblox package dx-db-connector the package.json even points repository.url at...

5.9AI score

OSV•added 2026/06/09 6:3 p.m.•10 views

MAL-2026-5461 Malicious code in fhirproxy-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 405cf847121f4bfed32bc5679a40b64c1338b142af75823ef9583944a7ae7b5a On npm install via the prepare lifecycle hook and many other lifecycle aliases and on require, index.js performs broad reconnaissance and exfiltratio...

OSSF Malicious Packages•added 2026/06/09 5:44 p.m.•15 views

Malicious code in grateful-checkout (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c2a9600ad3ee3fddd9f06425260c94edf660263800080787155a63d3e5212d12 On npm install, the postinstall hook in src/canary.js performs a DNS lookup and an HTTPS GET to a serveo tunnel host...