Lucene search
K

111398 matches found

OSSF Malicious Packages
OSSF Malicious Packages
added 1 hour ago5 views

Malicious code in polymarket-kelly-math-stake (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f2cf5ba9cd75b1a773e3a04e6eb45778894e04fd1d55b2e8ad03ae97deb41d16 [email protected] runs a postinstall script scripts/install-check.cjs that fetches a JSON config from...

6.3AI score
Exploits0References1
GithubExploit
GithubExploit
added 3 hours ago10 views

Exploit for Deserialization of Untrusted Data in Apache Camel

camel-jms Forged DefaultExchangeHolder Filter-Bypass Reproduce...

9.8CVSS6.2AI score0.00881EPSS
Exploits2
NVD
NVD
added 4 hours ago7 views

CVE-2026-61875

luci-app-upnp contains a stored cross-site scripting vulnerability that allows unauthenticated LAN clients to inject JavaScript via UPnP IGD AddPortMapping SOAP requests. Attackers can send malicious HTML in the NewPortMappingDescription field, which miniupnpd stores and luci-app-upnp renders...

8.8CVSS
Exploits0References2
Cvelist
Cvelist
added 4 hours ago8 views

CVE-2026-61875 luci-app-upnp Stored XSS via UPnP Port Mapping Description

luci-app-upnp contains a stored cross-site scripting vulnerability that allows unauthenticated LAN clients to inject JavaScript via UPnP IGD AddPortMapping SOAP requests. Attackers can send malicious HTML in the NewPortMappingDescription field, which miniupnpd stores and luci-app-upnp renders...

8.8CVSS
Exploits0References2
CVE
CVE
added 4 hours ago8 views

CVE-2026-61875

The vulnerability is in luci-app-upnp (OpenWrt LuCI) and is a stored cross-site scripting (XSS) flaw in the UPnP IGD AddPortMapping SOAP request. An unauthenticated LAN client can submit malicious HTML in the NewPortMappingDescription field; miniupnpd stores it and luci-app-upnp renders it withou...

8.8CVSS6.1AI score
Exploits0References2
EUVD
EUVD
added 4 hours ago7 views

EUVD-2026-43235

luci-app-upnp contains a stored cross-site scripting vulnerability that allows unauthenticated LAN clients to inject JavaScript via UPnP IGD AddPortMapping SOAP requests. Attackers can send malicious HTML in the NewPortMappingDescription field, which miniupnpd stores and luci-app-upnp renders...

8.8CVSS6.1AI score
Exploits0References2
GithubExploit
GithubExploit
added 7 hours ago21 views

Exploit for CVE-2026-4631

CVE-2026-4631 — Cockpit Mass Exploit Tool Unauthenticated...

9.8CVSS6.8AI score0.142EPSS
Exploits4
GithubExploit
GithubExploit
added 9 hours ago24 views

Exploit for CVE-2026-21055

CVE-2026-21055 PoC — Samsung Bixby Improper Component Export...

8.5CVSS6.4AI score0.00121EPSS
Exploits1
Nuclei
Nuclei
added 13 hours ago105 views

Fastjson Insecure Deserialization - Remote Code Execution

parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi-// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is...

10CVSS7.4AI score0.3897EPSS
Exploits2References6
Nuclei
Nuclei
added 13 hours ago54 views

EspoCRM <= 9.3.3 - Server-Side Request Forgery

EspoCRM = 9.3.3 contains an authenticated server-side request forgery caused by improper internal-host validation using alternative IPv4 formats in HostCheck::isNotInternalHost, letting authenticated users access internal resources via /api/v1/Attachment/fromImageUrl endpoint. id: CVE-2026-33534...

4.3CVSS6.1AI score0.01978EPSS
Exploits5References2
Nuclei
Nuclei
added 13 hours ago21 views

OpenAM <= 16.0.5 - Pre-Auth RCE via jato.clientSession Deserialization

Open Access Management OpenAM is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution RCE via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream...

10CVSS7.2AI score0.99999EPSS
Exploits10References2
Nuclei
Nuclei
added 13 hours ago9 views

Custom Field Manager WordPress - Cross-Site Scripting

Custom Field Manager WordPress plugin through 1.0 contains a reflected XSS caused by unsanitized and unescaped parameter output, letting attackers execute scripts against high privilege users such as admin, exploit requires crafted request. id: CVE-2024-12873 info: name: Custom Field Manager...

6.1CVSS7.1AI score0.0053EPSS
Exploits1References2
Nuclei
Nuclei
added 13 hours ago68 views

PrestaShop - SQL Injection to Eval Injection

PrestaShop versions from 1.6.0.10 and before 1.7.8.7 contain an SQL injection caused by unsanitized user input, letting attackers chain the vulnerability to call PHP's Eval function, exploit requires attacker to send malicious input. id: CVE-2022-31181 info: name: PrestaShop - SQL Injection to Ev...

9.8CVSS7AI score0.0517EPSS
Exploits2References4
Nuclei
Nuclei
added 13 hours ago30 views

WordPress Meta SEO <= 4.5.2 - Open Redirect

The WP Meta SEO WordPress plugin before 4.5.3 did not authorize several AJAX actions, which allowed low-privilege users to update certain data and resulted in an arbitrary redirect vulnerability. id: CVE-2023-0876 info: name: WordPress Meta SEO = 4.5.2 - Open Redirect author: Khalid6468 severity:...

6.1CVSS6.5AI score0.00713EPSS
Exploits2References2
Nuclei
Nuclei
added 13 hours ago156 views

NestJS DevTools Integration - Remote Code Execution

Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution RCE vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API...

9.4CVSS7.5AI score0.43921EPSS
Exploits4References3
Nuclei
Nuclei
added 13 hours ago171 views

User Registration & Membership <= 4.1.1 - Unauthenticated Privilege Escalation

The User Registration & Membership plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 4.1.1. This is due to insufficient restrictions on role type in the 'preparemembersdata' function. This makes it possible for unauthenticated attackers to create newuser...

8.1CVSS7AI score0.44565EPSS
Exploits7References3
Nuclei
Nuclei
added 13 hours ago139 views

Shopware < 6.5.8.13 - SQL Injection

The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the "aggregations" object. The name field in this "aggregations" ...

6.8CVSS6.1AI score0.1198EPSS
Exploits1References2
Nuclei
Nuclei
added 13 hours ago49 views

Contact Form Entries < 1.2.4 - Cross-Site Scripting

The plugin does not sanitise and escape various parameters, such as formid, status, enddate, order, orderby and search before outputting them back in the admin page id: CVE-2021-25079 info: name: Contact Form Entries 1.2.4 - Cross-Site Scripting author: r3Y3r53 severity: medium description: | The...

6.1CVSS6.4AI score0.0682EPSS
Exploits4References4
Nuclei
Nuclei
added 13 hours ago133 views

Carel pCOWeb <B1.2.4 - Cross-Site Scripting

Carel pCOWeb prior to B1.2.4 is vulnerable to stored cross-site scripting, as demonstrated by the config/pwsnmp.html "System contact" field. id: CVE-2019-11370 info: name: Carel pCOWeb B1.2.4 - Cross-Site Scripting author: arafatansari severity: medium description: | Carel pCOWeb prior to B1.2.4 ...

5.4CVSS6.2AI score0.03977EPSS
Exploits1References4
Nuclei
Nuclei
added 13 hours ago152 views

Dreambox WebControl 2.0.0 - Cross-Site Scripting

Dream Multimedia Dreambox devices via their WebControl component are vulnerable to reflected cross-site scripting, as demonstrated by the "Name des Bouquets" field, or the file parameter to the /file URI. id: CVE-2017-15287 info: name: Dreambox WebControl 2.0.0 - Cross-Site Scripting author:...

6.1CVSS6.3AI score0.05568EPSS
Exploits5References4
Rows per page
Query Builder