CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSSF Malicious Packages•added 2025/11/25 12:16 a.m.•4 views

Malicious code in @posthog/heartbeat-plugin (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4b0402071ebf395126c5e1e90681622f203d9744eca75a1f2061a6a2d030cdcc The package @posthog/heartbeat-plugin was found to contain malicious code. Source: google-open-source-security...

Packet Storm News•added 2025/11/25 12:0 a.m.•6 views

Exploits0References3

From One Attack Domain to Another: Contrastive Transfer Learning with Siamese Networks for APT Detection

Advanced Persistent Threats APT pose a major cybersecurity challenge due to their stealth, persistence, and adaptability. Traditional machine learning detectors struggle with class imbalance, high dimensional features, and scarce real world traces. They often lack transferability-performing well ...

6.8AI score

Exploits0

OSSF Malicious Packages•added 2025/11/24 11:6 p.m.•5 views

Malicious code in nitro-kutu (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2c730e64b459919c937231de7e767a99ceca04f35011b70d3d95c5616092dead The package nitro-kutu was found to contain malicious code. Source: ghsa-malware e49eaa55b0b2cddde2728a2d6cfcc512771af0fa1cf78903a09e11d7b564d972 Any...

OSSF Malicious Packages•added 2025/11/24 10:38 p.m.•4 views

Malicious code in victoria-wallet-type (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector db5621bc10f18615bd2282fd957a36730167a4e9318f35873c35258f033b2aad The package victoria-wallet-type was found to contain malicious code. Source: ghsa-malware...

OSSF Malicious Packages•added 2025/11/24 10:26 p.m.•4 views

Malicious code in obj-to-css (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 16c28013383e05a71d5da9d3d7c0d685a6355e42251a9527e769061e13ce54bb The package obj-to-css was found to contain malicious code. Source: ghsa-malware ada9fa1c509e4ac91c240ba95d3953b53291943071c42aa967d243bd17682078 Any...

Github Security Blog•added 2025/11/24 10:13 p.m.•5 views

Formwork CMS has Stored Cross-Site Scripting Vulnerebility in Blog Tags

Summary Inserting unsanitized data into the blog tag field in Formwork CMS results in stored cross‑site scripting XSS. Any user with credentials to the Formwork CMS who accesses or edits an affected blog post will have attacker‑controlled script executed in their browser. Because the issue is...

6.5CVSS5.6AI score0.00025EPSS

Exploits1References5Affected Software1

OSSF Malicious Packages•added 2025/11/24 1:47 p.m.•4 views

Malicious code in skills-use (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f974e3dc3206af78c8a6fd5370b73dc14d8edc1f052caa4992fdca5c5bac45ac The package skills-use was found to contain malicious code. Source: ghsa-malware 25e55ca30592985c5f31158f8bd68d19643e2b48db1cf4578a7da6ae380ed661 Any...

OSV•added 2025/11/24 12:36 p.m.•2 views

MAL-2025-190666 Malicious code in @ensdomains/content-hash (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 39aeb9f2a2d9a8ee1c57695456c8af6657d069eaee694ef7f8c128bb292bfabd The package @ensdomains/content-hash was found to contain malicious code. Source: ghsa-malware...

6.8AI score

RedhatCVE•added 2025/11/21 12:31 p.m.•2 views

CVE-2025-40604

Download of Code Without Integrity Check Vulnerability in the SonicWall Email Security appliance loads root filesystem images without verifying signatures, allowing attackers with VMDK or datastore access to modify system files and gain persistent arbitrary code execution...

9.8CVSS7.7AI score0.00025EPSS

NVD•added 2025/11/20 3:17 p.m.•1 views

CVE-2025-40604

9.8CVSS0.00025EPSS

OSV•added 2025/11/20 3:17 p.m.•1 views

CVE-2025-40604

9.8CVSS6AI score

Vulnrichment•added 2025/11/20 12:17 p.m.•1 views

CVE-2025-40604

7.6AI score0.00025EPSS

CVE•added 2025/11/20 12:17 p.m.•8 views

CVE-2025-40604

The CVE-2025-40604 affects SonicWall Email Security appliances. It describes a vulnerability where the device downloads root filesystem images without verifying signatures, enabling attackers with VMDK or datastore access to modify system files and achieve persistent arbitrary code execution. Pub...

9.8CVSS7.7AI score0.00025EPSS

Exploits0References1Affected Software1

Cvelist•added 2025/11/20 12:17 p.m.•3 views

CVE-2025-40604

0.00025EPSS

Cvelist•added 2025/11/19 4:20 p.m.•5 views

CVE-2025-34336 eGovFramework <= 4.3.1 Unauthenticated File Upload via Web Editor Image Upload Endpoints

eGovFramework/egovframe-common-components versions up to and including 4.3.1 contain an unauthenticated file upload vulnerability via the /utl/wed/insertImage.do and /utl/wed/insertImageCk.do image upload endpoints. These controllers accept multipart requests without authentication, pass the...

6.9CVSS0.00731EPSS

Exploits2References5

RedHat Linux•added 2025/11/19 3:51 p.m.•0 views

aap-gateway: Improper Path Validation in Gateway Allows Credential Exfiltration

A flaw was found in the Red Hat Ansible Automation Platform Gateway route creation component. This vulnerability allows credential theft via the creation of misleading routes using a double-slash // prefix in the gatewaypath. A malicious or socially engineered administrator can configure a...

6.7CVSS5.7AI score0.00005EPSS