CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSV•added 4 days ago•3 views

MAL-2026-5175 Malicious code in webpack-json (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware abd3559fc62e362d5e4d5068126317096f7e2e483d97bba9f59e192a9d49a363 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

OSSF Malicious Packages•added 6 days ago•11 views

Malicious code in @redhat-cloud-services/rule-components (npm)

Part of the "Mini Shai-Hulud" supply chain worm campaign that compromised the GitHub Actions OIDC trusted publisher shared by Red Hat Cloud Services npm packages. The attacker injected a preinstall hook into this and 31 other packages in the @redhat-cloud-services scope. The hook delivers a...

6AI score

Exploits0References2

OSSF Malicious Packages•added 2026/05/29 10:9 p.m.•13 views

Malicious code in customerdigital-service-lib (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d58926a994bd05ac4db3c984f96186b2d52da1235a3f56f34843c01dd2246408 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

ATTACKERKB•added 2026/05/29 12:34 p.m.•9 views

CVE-2026-45551

Group-Office is an enterprise customer relationship management and groupware tool. Prior to 26.0.25, 25.0.100, and 6.8.165, GroupOffice allows authenticated users to persist arbitrary legacy settings for any userid via index.php?r=core/saveSetting. A separate client-side sink in the email module...

5.1CVSS5.9AI score0.00048EPSS

Exploits0References2Affected Software1

OSSF Malicious Packages•added 2026/05/28 1:39 p.m.•6 views

Malicious code in @service-suppliers/set_suppliers_loading_stop (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 52d21512cf72b6b9822978fa95b217f0412f0d8ec55e5667addf4a486ad0965b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

OSSF Malicious Packages•added 2026/05/26 12:27 p.m.•8 views

Malicious code in web3-prices (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware ee650bfe594eb17193a4760fd6fc279eb10670ae045500913ea673951427b47e Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

OSSF Malicious Packages•added 2026/05/25 8:48 a.m.•7 views

Malicious code in unique-string-64 (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware c13681b6b78ec7996b99f0b0404fe78f1deb2235a379314856002f8f3ec02501 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

OSSF Malicious Packages•added 2026/05/25 8:11 a.m.•9 views

Malicious code in nba-blocker-plugin (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 3f1fe232a9f7f60759e2b252db2948228245fa7ee3881d1fb5e3954a2ca3bcf1 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

OSSF Malicious Packages•added 2026/05/25 7:12 a.m.•7 views

Malicious code in flow-parser-oxidized (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 656e2f1d3b8c65b9726bb52918453404799c461b0db5ae89061e6b740aa4862d Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

OSSF Malicious Packages•added 2026/05/19 12:0 a.m.•5 views

Malicious code in @antv/l7 (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

ATTACKERKB•added 2026/05/17 10:45 a.m.•14 views

Exploits0References5

CVE-2026-8750

A vulnerability was identified in h2oai h2o-3 up to 7402. Affected by this issue is the function importFiles of the file h2o-core/src/main/java/water/persist/PersistNFS.java of the component ImportFile API. Such manipulation leads to information disclosure. The attack can be executed remotely. Th...

6.9CVSS5.8AI score0.00013EPSS

Exploits0References4Affected Software1

CNNVD•added 2026/05/17 12:0 a.m.•6 views

H2O 信息泄露漏洞

H2O is an open-source memory platform for distributed, scalable machine learning developed by H2O.ai. Versions of H2O 7402 and earlier contained a vulnerability known as information leakage, which originated from the importFiles function in the PersistNFS.java file within the ImportFile API...

7.5CVSS6AI score0.00013EPSS

Exploits0References2

OSV•added 2026/05/16 12:17 a.m.•4 views

OSV-2026-748 Heap-buffer-overflow in p11_lexer_next

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=513102821 Crash type: Heap-buffer-overflow READ 2 Crash state: p11lexernext p11persistread p11parserformatpersist...

OSV•added 2026/05/16 12:15 a.m.•5 views

OSV-2026-747 Heap-buffer-overflow in coap_persist_startup_lkd

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=513035615 Crash type: Heap-buffer-overflow READ 8 Crash state: coappersiststartuplkd persisttarget.c...

OSV•added 2026/05/12 4:20 a.m.•3 views

MAL-2026-3553 Malicious code in @uipath/llmgw-tool (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 0b2a10d3449dbb21333a81b53c4eab1037a00c862459fa93155f1bd9a94102ea Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

OSV•added 2026/05/12 2:56 a.m.•1 views

MAL-2026-3522 Malicious code in @uipath/access-policy-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 87fb4a7ca8257b97a21e311c9322a63b2691136e87c6a8ce12cc648890849f76 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

OSV•added 2026/05/12 12:7 a.m.•1 views

MAL-2026-3486 Malicious code in @tanstack/solid-start-server (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware a9f623ce85c893266087d3eeb9812938d0f3eea0ddb33cd735589c104dafb8e2 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

OSSF Malicious Packages•added 2026/05/11 11:59 p.m.•4 views

Malicious code in @tanstack/vue-router (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 23dd073c586a2dad28ee9957fd8a3059bcbb261fbbb6a17e3b99a7145158ef8d Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...