CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

RedhatCVE•added 2026/03/26 2:59 p.m.•2 views

CVE-2026-31829

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.0.13, Flowise exposes an HTTP Node in AgentFlow and Chatflow that performs server-side HTTP requests using user-controlled URLs. By default, there are no restrictions on target hosts, including...

8.8CVSS7.1AI score0.00103EPSS

Exploits1References1

RedhatCVE•added 2026/03/26 2:58 p.m.•2 views

CVE-2026-22179

OpenClaw versions prior to 2026.2.22 in macOS node-host system.run contain an allowlist bypass vulnerability that allows remote attackers to execute non-allowlisted commands by exploiting improper parsing of command substitution tokens. Attackers can craft shell payloads with command substitution...

7.5CVSS6.2AI score0.00484EPSS

Exploits1References1

RedhatCVE•added 2026/03/26 2:57 p.m.•6 views

CVE-2026-26832

node-tesseract-ocr is an npm package that provides a Node.js wrapper for Tesseract OCR. In all versions through 2.2.1, the recognize function in src/index.js is vulnerable to OS Command Injection. The file path parameter is concatenated into a shell command string and passed to childprocess.exec...

9.8CVSS5.9AI score0.00303EPSS

Exploits3References1

RedhatCVE•added 2026/03/26 2:57 p.m.•3 views

CVE-2026-26830

pdf-image npm package through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format to interpolate user-controlled file paths into shell command strings that are executed via childprocess.e...

9.8CVSS5.8AI score0.00292EPSS

Exploits4References1

OSV•added 2026/03/26 2:15 p.m.•2 views

MAL-2026-2236 Malicious code in onboarding-server (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 44d4a1844921cebc245e39614ba7b999c3890d048ad81429d89d9daf45038ecd The package onboarding-server was found to contain malicious code. Source: ossf-package-analysis...

OSV•added 2026/03/26 12:5 p.m.•2 views

MAL-2026-2235 Malicious code in srcsrctest (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a44b46855732b5a5522c0a1ea3ef88d5977daad1bfa5c39b42e0324e52fcf6f8 The package srcsrctest was found to contain malicious code. Source: ossf-package-analysis...

OSV•added 2026/03/26 11:24 a.m.•2 views

MAL-2026-2234 Malicious code in security-install-analytics (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ae1479aa9ec70d315ba69eec145d02655fe633a7f253ba7b0b3d082895b1ca35 The package security-install-analytics was found to contain malicious code. Source: ossf-package-analysis...

OSSF Malicious Packages•added 2026/03/26 11:24 a.m.•4 views

Malicious code in security-install-analytics (npm)

Snyk•added 2026/03/26 8:11 a.m.•2 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the fs.realpathSync.native function. An attacker running malicious code within a restricted Node.js environment where --allow-fs-read is intentionally limited can exploit this missing check to verify file...

4.8CVSS6.3AI score0.00006EPSS

Exploits0References2

NVD•added 2026/03/26 1:16 a.m.•2 views

CVE-2026-33285

LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, LiquidJS's memoryLimit security mechanism can be completely bypassed by using reverse range expressions e.g., 100000000..1, allowing an attacker to allocate unlimited memory. Combined wit...

7.5CVSS0.00122EPSS

Exploits1References2

Snyk•added 2026/03/26 12:57 a.m.•2 views

Malicious Package

Overview @zecho/baileys-mod is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.9AI score

Exploits0References2

OSSF Malicious Packages•added 2026/03/26 12:57 a.m.•5 views

Malicious code in @zecho/baileys-mod (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6e4d4b2c49e19b5e36babb83f8095290c3bd09ad9fb4065ccf3769bb9be4c53d The package @zecho/baileys-mod was found to contain malicious code. Source: ghsa-malware...

OSSF Malicious Packages•added 2026/03/26 12:52 a.m.•3 views

Malicious code in jito-validator-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5744d7d3aef03ec852963ebeca1a6357db3aa7bc925bae6e85f173692fc12eb0 The package jito-validator-sdk was found to contain malicious code. Source: ghsa-malware...

OSV•added 2026/03/26 12:42 a.m.•4 views

MAL-2026-2226 Malicious code in node-coremesh (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3c5a0cdd89bf30a4af39a8b084445dc8db5a9433149b2935e8c2ad63a3cef008 The package node-coremesh was found to contain malicious code. Source: ghsa-malware f8ed9a272c9d2d960b2ddae6ef1f7128ff576014f4d3c296ca2b6d74eaea4ceb...

Snyk•added 2026/03/26 12:42 a.m.•1 views

Malicious Package

Overview node-coremesh is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.9AI score

Exploits0References2

OSSF Malicious Packages•added 2026/03/26 12:42 a.m.•5 views

Malicious code in node-coremesh (npm)

OSV•added 2026/03/26 12:42 a.m.•5 views

MAL-2026-2222 Malicious code in chain-coremesh (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 53c78d25a9b5c960f74dda3653e6f237df054e60b0234511fa4e9fe3d650a00f The package chain-coremesh was found to contain malicious code. Source: ghsa-malware 7c22f3e9c994c2b163ca8dc9cfdd501768a8ed0163ccc7c9fde8160ace616303...