CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSSF Malicious Packages•added 2026/06/08 11:10 a.m.•10 views

Malicious code in quickwinston (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 304b4e430bff604f20121bc97398fa6ee18a25c16187d31b6553248bc54e63c7 The OpenSSF Package Analysis project identified 'quickwinston' @ 3.19.3 npm as malicious. It is considered malicious because: - The package...

5.5AI score

OSV•added 2026/06/08 9:36 a.m.•10 views

MAL-2026-5307 Malicious code in classwind-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 4fa5abd0e91f5e73a3a17597ecdddbef2409d61a680fd92ea62ce3a908ffb836 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

5.5AI score

Exploits0References1

OSSF Malicious Packages•added 2026/06/08 9:27 a.m.•8 views

Malicious code in regexp-ts (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9828b4712ac404ec6f143f9c3115eb73ccd4418bab9cb17327ae325d488954e1 regexp-ts masquerades as the pino logger description, keywords, and module.exports.pino export but is actually a remote-code-execution loader. When a...

5.6AI score

OSV•added 2026/06/08 9:0 a.m.•10 views

MAL-2026-5306 Malicious code in chai-mocks (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e65359853241724a1b519599469dadfcd2b32674455db9fe5284cb7553a5ddf4 The package masquerades as a pino-style logger middleware but is a remote code loader. When the exported middleware is invoked, index.js spawns a...

6.5AI score

OSV•added 2026/06/08 6:38 a.m.•6 views

ROOT-APP-NPM-CVE-2026-41182 CVE-2026-41182 in @rootio/langsmith - Patched by Root

Root has patched CVE-2026-41182 in the @rootio/langsmith package for Root:npm. Multiple fixed versions available...

5.3CVSS5.4AI score0.00214EPSS

OSSF Malicious Packages•added 2026/06/08 2:31 a.m.•6 views

Malicious code in zer0one-dnslog (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 903c45d49e6716373a67196c41e8acfbf8afa3320a635380ffe3403e8f127605 The package is published as a 'simple date formatting utility' but ships a postinstall payload that, on npm install, runs a curl pipeline against clo...

5.6AI score

Exploits0References10

OSV•added 2026/06/08 2:31 a.m.•7 views

MAL-2026-5366 Malicious code in zer0one-dnslog (npm)

5.6AI score

Exploits0References10

Amazon•added 2026/06/08 12:0 a.m.•9 views

Medium: perl-XML-LibXML

Issue Overview: XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences. A node name ending in the middle of a multi byte UTF-8 sequence causes the parser to read past the end of the input string into adjace...

Amazon•added 2026/06/08 12:0 a.m.•8 views

Medium: perl-XML-LibXML

Positive Technologies•added 2026/06/08 12:0 a.m.•10 views

PT-2026-47447

Headplane is a feature-complete Web UI for Headscale. Prior to versions 0.6.3 and 0.7.0-beta.3, Headplane was vulnerable to a path traversal / authorization bypass in the Headscale API client used by node and user rename operations. This issue has been patched in versions 0.6.3 and 0.7.0-beta.3...

8.1CVSS5.4AI score0.00374EPSS

Exploits0References4

CNNVD•added 2026/06/08 12:0 a.m.•7 views

Headplane 路径遍历漏洞

Headplane is a web management interface for Headscale, developed by Aarnav Tale. Versions of Headplane prior to 0.6.3 and 0.7.0-beta.3 contained a path traversal vulnerability. This vulnerability stemmed from path traversal and authorization bypass issues in the Headscale API client during node a...

8.1CVSS5.3AI score0.00374EPSS

CNNVD•added 2026/06/08 12:0 a.m.•6 views

Flowise 代码注入漏洞

Flowise is an open-source tool developed by FlowiseAI, designed for easily building LLM applications. Versions of Flowise prior to 3.1.2 contained a code injection vulnerability. This vulnerability stemmed from the lack of routing-level authorization in the POST /api/v1/node-custom-function...

9.9CVSS5.8AI score0.0082EPSS

Exploits1References2

Positive Technologies•added 2026/06/08 12:0 a.m.•10 views

PT-2026-47599

Name of the Vulnerable Software and Affected Versions Actual versions prior to 26.5.0 Description In the macOS desktop application, the ELECTRON RUN AS NODE fuse is not disabled. This allows an attacker who can place a file on disk or control command-line arguments to invoke the signed Actual.app...

4.8CVSS5.8AI score0.00126EPSS

Exploits0References5

Positive Technologies•added 2026/06/08 12:0 a.m.•10 views

PT-2026-47558

Summary A electron run as node vulnerability was identified in actual macOS application, version 25.x Electron 39.2.7. Vulnerability Type: Electron Run As Node Description ELECTRON RUN AS NODE fuse enabled Electron 39.2.7 — app can be converted to Node.js REPL for arbitrary code execution Impact ...

4.8CVSS6AI score

Exploits0References3

Tenable Nessus•added 2026/06/08 12:0 a.m.•5 views

Amazon Linux 2023 : perl-XML-LibXML, perl-XML-LibXML-tests (ALAS2023-2026-1795)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1795 advisory. XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences. A node name ending in the middle of a multi byte UTF-8...

Tenable Nessus•added 2026/06/08 12:0 a.m.•7 views

Exploits0References4

Amazon Linux 2 : perl-XML-LibXML, --advisory ALAS2-2026-3342 (ALAS-2026-3342)

The version of perl-XML-LibXML installed on the remote host is prior to 2.0018-5. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3342 advisory. XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncat...