Lucene search
K

29080 matches found

NVD
NVD
added 1 hour ago2 views

CVE-2026-12478

The fix for CVE-2026-0716 commit 6ff7ef0, libsoup 3.6.6 placed the integer overflow guard inside the if masked block, leaving unmasked server-to-client frames unprotected. A malicious WebSocket server can send a crafted unmasked frame with a payload length near UINT64MAX to trigger an OOB read in...

4.8CVSS
Exploits0References4
Cvelist
Cvelist
added 2 hours ago6 views

CVE-2026-12478 Libsoup: incomplete fix for cve-2026-0716: out-of-bounds read in libsoup websocket frame processing (unmasked path)

The fix for CVE-2026-0716 commit 6ff7ef0, libsoup 3.6.6 placed the integer overflow guard inside the if masked block, leaving unmasked server-to-client frames unprotected. A malicious WebSocket server can send a crafted unmasked frame with a payload length near UINT64MAX to trigger an OOB read in...

4.8CVSS
Exploits0References4
CVE
CVE
added 2 hours ago5 views

CVE-2026-12478

The issue affects libsoup’s WebSocket frame processing. An integer overflow guard was placed inside the if (masked) block, leaving unmasked server-to-client frames unprotected. A crafted unmasked frame with a large payload length (near UINT64_MAX) can trigger an out-of-bounds read in a libsoup-ba...

4.8CVSS6.1AI score
Exploits0References4
OSV
OSV
added yesterday8 views

MAL-2026-10452 Malicious code in markdown-editable-table (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b6b15669732f3eaec42e12c5f8d41a8f74d595fc04f709804de9768cb1719a94 The package's package.json declares a preinstall hook node index.d.js that runs automatically on npm install. The script in index.d.js base64-decodes...

6.2AI score
Exploits0References4
OSV
OSV
added yesterday3 views

MAL-2026-10447 Malicious code in remarkable-table (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 464cab930bcf948abf49517f78a3ee1abb8b89c8f9c90f199bd3446c902d8e1e The package's preinstall script runs index.d.js, which reconstructs the identifier 'eval' from a character-code array 101,118,97,108 and base64-decod...

6.2AI score
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added yesterday6 views

Malicious code in markable-table (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fd358271f202636f12507f09da4e8f00c900ba46c9dca25a5a0526d35b75bf1d [email protected] declares scripts.preinstall = 'node index.d.js'. index.d.js base64-decodes an embedded payload and invokes it through an...

6.5AI score
Exploits0References10
NVD
NVD
added yesterday4 views

CVE-2026-6850

Mattermost versions 11.7.x = 11.7.2, 11.6.x = 11.6.4, 10.11.x = 10.11.19 fail to validate the length and content of message attachment field values, which allows an authenticated attacker to cause a denial of service for all users in a channel via a post containing a specially crafted payload tha...

6.5CVSS0.00235EPSS
Exploits0References1
Nuclei
Nuclei
added yesterday94 views

WordPress Simple File List <=4.2.2 - Remote Code Execution

An unrestricted file upload vulnerability in the WordPress Simple File List plugin before version 4.2.3 allows unauthenticated remote attackers to achieve remote code execution. The plugin's upload endpoint ee-upload-engine.php restricts file uploads based on extension, but lacks proper validatio...

6.3AI score
Exploits9References3
OSV
OSV
added yesterday4 views

MAL-2026-10232 Malicious code in salesforce-vscode-slds (npm)

The salesforce-vscode-slds package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization a...

6.1AI score
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added yesterday4 views

Malicious code in slds-lsp-client (npm)

The slds-lsp-client package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization a Salesforce SLD...

6.1AI score
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added yesterday4 views

Malicious code in salesforce-vscode-slds (npm)

The salesforce-vscode-slds package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization a...

6.1AI score
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 2 days ago13 views

Malicious code in polymarket-kelly-math-stake (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f2cf5ba9cd75b1a773e3a04e6eb45778894e04fd1d55b2e8ad03ae97deb41d16 [email protected] runs a postinstall script scripts/install-check.cjs that fetches a JSON config from...

6.3AI score
Exploits0References2
NVD
NVD
added 2 days ago9 views

CVE-2026-15499

A security flaw has been discovered in AstrBotDevs AstrBot up to 4.25.2. Affected is the function FutureTaskTool.call of the file astrbot/core/tools/crontools.py of the component Scheduled Task Handler. Performing a manipulation of the argument payload"note" results in improper authorization...

6.5CVSS0.00201EPSS
Exploits0References5
Cvelist
Cvelist
added 2 days ago31 views

CVE-2026-15499 AstrBotDevs AstrBot Scheduled Task cron_tools.py FutureTaskTool.call improper authorization

A security flaw has been discovered in AstrBotDevs AstrBot up to 4.25.2. Affected is the function FutureTaskTool.call of the file astrbot/core/tools/crontools.py of the component Scheduled Task Handler. Performing a manipulation of the argument payload"note" results in improper authorization...

6.5CVSS0.00201EPSS
Exploits0References5
CVE
CVE
added 2 days ago7 views

CVE-2026-15499

AstrBotDevs AstrBot (versions up to 4.25.2) contains a vulnerability in the function FutureTaskTool.call (astrbot/core/tools/cron_tools.py). Manipulating payload["note"] leads to improper authorization, enabling remote exploitation. Public exploit availability is reported. No remediation details ...

6.5CVSS6.3AI score0.00201EPSS
Exploits0References5
EUVD
EUVD
added 2 days ago7 views

EUVD-2026-43221

A security flaw has been discovered in AstrBotDevs AstrBot up to 4.25.2. Affected is the function FutureTaskTool.call of the file astrbot/core/tools/crontools.py of the component Scheduled Task Handler. Performing a manipulation of the argument payload"note" results in improper authorization...

6.5CVSS6.3AI score0.00201EPSS
Exploits0References5
The Hacker News
The Hacker News
added 3 days ago31 views

Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install

The jscrambler npm package was compromised, and simply installing its 8.14.0 release runs an infostealer on your machine. Published on July 11, 2026, the malicious version carries a preinstall hook that drops and executes a native binary, one build each for Windows, macOS, and Linux. Socket flagg...

6.3AI score
Exploits0
RedhatCVE
RedhatCVE
added 3 days ago8 views

CVE-2026-52747

A flaw was found in ModSecurity, an open-source web application firewall WAF. The multipart/form-data request body parser in libmodsecurity incorrectly handles embedded line breaks in non-file form-field values. This discrepancy between ModSecurity and backend applications, which preserve line...

8.6CVSS6.1AI score0.0046EPSS
Exploits0References6
NVD
NVD
added 3 days ago5 views

CVE-2026-14262

The Simple JWT Login – Allows you to use JWT on REST endpoints. plugin for WordPress is vulnerable to Authentication Bypass to Privilege Escalation in all versions up to, and including, 3.6.6 via the payload parameter. The vulnerability exists because AuthenticateService::generatePayload only...

8.8CVSS0.00393EPSS
Exploits0References6
EUVD
EUVD
added 3 days ago5 views

EUVD-2026-43145

The Simple JWT Login – Allows you to use JWT on REST endpoints. plugin for WordPress is vulnerable to Authentication Bypass to Privilege Escalation in all versions up to, and including, 3.6.6 via the payload parameter. The vulnerability exists because AuthenticateService::generatePayload only...

8.8CVSS6.1AI score0.00393EPSS
Exploits0References6
Rows per page
Query Builder