Lucene search
K

67 matches found

OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/27 2:32 a.m.9 views

Malicious code in chai-as-persisted (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5cf9c49450e0fa0d47be1b6ae27991f844868ff6c435d2082948b5feae862709 The package's postinstall script npm run smoke:pino executes index.js, which spawns a detached node lib/initializeCaller.js child. That module hides...

6AI score
Exploits0References3
OSV
OSV
added 2026/06/27 2:32 a.m.3 views

MAL-2026-6544 Malicious code in chai-as-persisted (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5cf9c49450e0fa0d47be1b6ae27991f844868ff6c435d2082948b5feae862709 The package's postinstall script npm run smoke:pino executes index.js, which spawns a detached node lib/initializeCaller.js child. That module hides...

6AI score
Exploits0References3
NVD
NVD
added 2026/06/12 9:16 p.m.14 views

CVE-2026-54396

An information disclosure vulnerability exists in the MISP AuthKey edit functionality. When a validation error occurs during an AuthKey edit request, the user dropdown was populated using the attacker-controlled AuthKey.userid value from the submitted request data. An authenticated user with...

5.3CVSS0.00247EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/12 8:48 p.m.6 views

CVE-2026-54396 MISP AuthKey edit endpoint allows authenticated user email enumeration

An information disclosure vulnerability exists in the MISP AuthKey edit functionality. When a validation error occurs during an AuthKey edit request, the user dropdown was populated using the attacker-controlled AuthKey.userid value from the submitted request data. An authenticated user with...

5.3CVSS5.5AI score0.00247EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/12 8:48 p.m.29 views

CVE-2026-54396 MISP AuthKey edit endpoint allows authenticated user email enumeration

An information disclosure vulnerability exists in the MISP AuthKey edit functionality. When a validation error occurs during an AuthKey edit request, the user dropdown was populated using the attacker-controlled AuthKey.userid value from the submitted request data. An authenticated user with...

5.3CVSS0.00247EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 8:48 p.m.12 views

EUVD-2026-36572

An information disclosure vulnerability exists in the MISP AuthKey edit functionality. When a validation error occurs during an AuthKey edit request, the user dropdown was populated using the attacker-controlled AuthKey.userid value from the submitted request data. An authenticated user with...

5.3CVSS5.5AI score0.00247EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.24 views

PT-2026-48998

Name of the Vulnerable Software and Affected Versions MISP affected versions not specified Description An information disclosure issue exists in the AuthKey edit functionality. When a validation error occurs during an AuthKey edit request, the user dropdown is populated using the AuthKey.user id...

5.3CVSS5.4AI score0.00247EPSS
Exploits0References3
Spring Security Advisories
Spring Security Advisories
added 2026/06/11 12:0 a.m.19 views

CVE-2026-41862: Kryo deserialization of persisted context without class allowlist

Spring Statemachine's Kryo-based persistence backends JPA, MongoDB, Redis and ZooKeeper deserialise persisted state-machine contexts without enforcing a class allowlist CWE-502, deserialisation of untrusted data, which can lead to remote code execution inside the application JVM...

8.8CVSS6.2AI score0.00423EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/06/08 3:5 p.m.8 views

CVE-2026-46657 Bludit's persistent authentication tokens not revoked upon account disablement

Bludit is a content management system. Versions prior to 3.22.0 have a vulnerability in the user management logic that allows deactivated accounts to maintain access via persistent authentication tokens. When an administrator disables a user account, the application fails to invalidate or clear t...

7.1CVSS5.5AI score0.00271EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/05 7:20 p.m.8 views

CVE-2026-41172

Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, an SSRF vulnerability allows a user with asset upload permission to force the server to fetch arbitrary URLs, including localhost/private network targets, and persist the response as ...

8.6CVSS5.6AI score0.00215EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:20 p.m.8 views

CVE-2026-41524

Brave CMS is an open-source CMS. Prior to commit 6c56603, page and article body content entered through the CKEditor rich-text editor is stored verbatim in the database and subsequently rendered with Laravel Blade's unescaped output directive !! !!. Any JavaScript or HTML injected by an editor-ro...

8.7CVSS5.4AI score0.00207EPSS
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/21 8:17 a.m.12 views

Malicious code in oh-langfuse (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 83b229927c5bc228764ab11651b10bd06c6ff61edffa820a632c343aeec13037 The package configures Langfuse tracing for Claude Code, Codex, and OpenCode. When the operator runs the bundled CLI without explicitly overriding...

5.5AI score
Exploits0References18
NVD
NVD
added 2026/05/15 7:17 p.m.16 views

CVE-2026-44826

Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.2, Vvveb CMS does not validate the sign of the quantity parameter on the cart-add endpoint. Submitting a negative integer is accepted by the server and treated as a normal positi...

7.5CVSS0.00213EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/12 12:0 a.m.13 views

PT-2026-40298

In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, and 8.5. before 8.5.6, when SoapServer is configured with SOAP PERSISTENCE SESSION, the handler object is persisted across requests via session storage. However, in the case SOAP requests results in an error, the...

9.8CVSS5.8AI score0.00302EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/05/05 8:21 p.m.6 views

CVE-2026-41686

Claude SDK for TypeScript provides access to the Claude API from server-side TypeScript or JavaScript applications. From version 0.79.0 to before version 0.91.1, the BetaLocalFilesystemMemoryTool in the Anthropic TypeScript SDK created memory files and directories using the Node.js default modes...

4.8CVSS5.7AI score0.00119EPSS
Exploits0References1
Snyk
Snyk
added 2026/04/29 10:28 p.m.5 views

Incorrect Permission Assignment for Critical Resource

Overview @anthropic-ai/sdk is a The official TypeScript library for the Anthropic API Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource in the BetaLocalFilesystemMemoryTool that creates memory files and directories using the Node.js default...

6.9CVSS5.8AI score0.00119EPSS
Exploits0References2
Veracode
Veracode
added 2026/04/04 5:35 a.m.6 views

Insecure File Permissions

Claude SDK for Python is vulnerable to insecure file permissions. The vulnerability is due to the memory tool creating files with mode 0o666, where the files are world‑readable on systems with a standard umask and world‑writable in environments with a permissive umask, and a local attacker on a...

4.8CVSS5.9AI score0.00122EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/04/03 9:42 p.m.2 views

GHSA-GFMV-VH34-H2X5 Signal K Server: Unauthenticated Source Priorities Manipulation

Summary The SignalK Server exposes an unauthenticated HTTP endpoint that allows remote attackers to modify navigation data source priorities. This endpoint, accessible via PUT /signalk/v1/api/sourcePriorities, does not enforce authentication or authorization checks and directly assigns...

7.5CVSS5.9AI score0.0031EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/04/03 8:6 p.m.2 views

CVE-2026-25726

Cloudreve is a self-hosted file management and sharing system. Prior to version 4.13.0, the application uses the weak pseudo-random number generator math/rand seeded with time.Now.UnixNano to generate critical security secrets, including the secretkey, and hashidsalt. These secrets are generated...

8.1CVSS5.8AI score0.00376EPSS
Exploits0References3Affected Software1
Snyk
Snyk
added 2026/04/03 3:26 a.m.5 views

Always-Incorrect Control Flow Implementation

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation via the onboarding process. An attacker can obtain gateway credentials by leveraging a scenario where a previously discovered endpoint persist...

6.9CVSS5.9AI score0.00252EPSS
Exploits0References2
Rows per page
Query Builder