CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

86 matches found

CVE-2026-47209 vm2: Bridge Proxy set trap ignores receiver parameter, enabling host object property injection via prototype chain

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the BaseHandler.set trap in bridge.js line 1231 ignores the receiver parameter and unconditionally writes to the host target object. Per the Proxy set trap specification, when receiver !== proxy e.g., when a child object...

8.6CVSS5.2AI score

Exploits0References3

CVE•added 8 hours ago•13 views

CVE-2026-47209

vm2 (Node.js sandbox) had a vulnerability in the BaseHandler.set trap that ignores the receiver parameter and always writes to the host target, enabling inherited-property writes to leak onto host objects via prototype chains. This can allow attackers to assign Symbol-keyed properties (e.g., node...

8.6CVSS5.2AI score

Exploits0References3

AlpineLinux•added 2026/06/04 4:41 p.m.•6 views

CVE-2026-50292

In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution...

9.8CVSS6.1AI score0.00071EPSS

Exploits0References3

Cvelist•added 2026/04/10 4:8 p.m.•22 views

CVE-2026-35601 Vikunja has an iCalendar Property Injection via CRLF in CalDAV Task Output

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar propert...

4.1CVSS0.00032EPSS

Exploits1References3

EUVD•added 2026/04/10 3:35 p.m.•1 views

EUVD-2026-21428

Vikunja has iCalendar Property Injection via CRLF in CalDAV Task Output...

4.1CVSS5.8AI score0.00032EPSS

Exploits1References3

OSV•added 2026/04/10 3:35 p.m.•2 views

GHSA-2G7H-7RQR-9P4R Vikunja has iCalendar Property Injection via CRLF in CalDAV Task Output

Summary The CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar property boundary, allowing injection of arbitrary iCalendar properties such as...

4.1CVSS5.9AI score0.00032EPSS

Exploits1References5

Vulnrichment•added 2026/04/08 10:17 p.m.•1 views

CVE-2026-3199 Nexus Repository 3 - Authenticated Remote Code Execution via Task Property Injection

A vulnerability in the task management component of Sonatype Nexus Repository versions 3.22.1 through 3.90.2 allows an authenticated attacker with task creation permissions to execute arbitrary code, bypassing the nexus.scripts.allowCreation security control...

9.4CVSS6.1AI score0.00088EPSS

Exploits0References2

Cvelist•added 2026/04/08 10:17 p.m.•20 views

CVE-2026-3199 Nexus Repository 3 - Authenticated Remote Code Execution via Task Property Injection

9.4CVSS0.00088EPSS

Exploits0References2

CVE•added 2026/04/08 10:17 p.m.•11 views

CVE-2026-3199

CVE-2026-3199 is an authenticated remote code execution flaw in Sonatype Nexus Repository’s task management component, affecting versions 3.22.1 through 3.90.2. An attacker with task creation permissions can bypass nexus.scripts.allowCreation and execute arbitrary code. The connected CVE records ...

9.4CVSS6.1AI score0.00088EPSS

Exploits0References2

CNNVD•added 2026/03/04 12:0 a.m.•4 views

Hono 安全漏洞

Hono is a web framework written in TypeScript for the Hono community. Versions of Hono prior to 4.12.4 contained security vulnerabilities. These vulnerabilities stemmed from the setCookie tool, which did not validate the semicolons, line breaks, or newlines in the domain and path parameters when...

5.4CVSS5.8AI score0.0004EPSS

Exploits0References2

Tenable Nessus•added 2025/11/07 12:0 a.m.•1 views

Lexmark Printers Denial of Service (CVE-2019-11358)

jQuery before 3.4.0 mishandles jQuery.extendtrue, , ... because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype. This can lead to a denial of service, remote code execution, or property injection...

6.1CVSS7.1AI score0.01319EPSS

Exploits4References2

Snyk•added 2025/11/05 12:52 a.m.•2 views

Prototype Pollution

Overview expr-eval is a Mathematical expression evaluator Affected versions of this package are vulnerable to Prototype Pollution via unrestricted member access IMEMBER and user-defined functions IFUNDEF in the expression evaluator. An attacker can execute arbitrary JavaScript code by providing...

9.8CVSS8.1AI score0.00079EPSS

Exploits0References3

EUVD•added 2025/10/07 12:30 a.m.•5 views

EUVD-2021-1008

Malware in sbrugna...

8.8CVSS8.1AI score0.49565EPSS

Exploits1References3

EUVD•added 2025/10/07 12:30 a.m.•3 views

EUVD-2019-0238

Malware in sbrugna...

9.8CVSS9.3AI score0.00437EPSS

Exploits1References5