Lucene search
K

557270 matches found

NVD
NVD
added 42 minutes ago3 views

CVE-2026-59214

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, Open WebUI runs client-side Python with Pyodide in a same-origin web worker, allowing stored chat payloads that use pyodide.http.pyfetch or the js module fetch and XMLHttpRequest APIs to issue...

7.3CVSS
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 58 minutes ago2 views

Malicious code in lovable-tager (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0f100c9dbac6f2e352e559d0eb06f573e971845cc083b80c61f211013e03973a lovable-tager is a single-character-deletion typosquat of the legitimate Vite plugin lovable-tagger. The ESM entry dist/index.js referenced by main...

6AI score
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 1 hour ago2 views

Malicious code in cookie-parser-es (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b33910f1e874310521f231a698952504d94e6fbdb08ef9d43e02ee220afc18b1 Package name and metadata impersonate the widely-used cookie-parser middleware: README, API surface, and package.json author TJ Holowaychuk and...

5.9AI score
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2 hours ago2 views

Malicious code in multer-orm (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 489805f0242c070653fa4e09c782d8135971a370b3ae292d31d721507332a12f Package name impersonates the popular multer middleware and copies its README/repo metadata. On require'multer-orm', index.js loads lib/feature.js,...

6.1AI score
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2 hours ago3 views

Malicious code in express-router-engine (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 49091d8e8923e3e709cebd14f01ee1617267bf3f9b6be99052603715b7cf9f70 The sole shipped file index.js is a heavily obfuscated RC4 + base64 string-array, 337-entry rotated array, control-flow flattening IIFE that executes...

6.1AI score
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 2 hours ago2 views

Malicious code in type-slint (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1b5cd26e040f4f4366ed65cca4b70258d276f781e0aab76b99b5573d4007a97d The npm package [email protected] masquerades as the pino logger copied module layout, exports as module.exports.pino, keywords fast/logger/stream/jso...

6AI score
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2 hours ago2 views

Malicious code in cursed-ecto-d3ab00 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 49348969de68b56d680a46f67f817053621fa41a5220d8cd0bc1da720e77a5a1 The package has no legitimate functionality index.js is an empty module and exists solely to run an install-time attack payload. All four lifecycle...

6AI score
Exploits0References4
Cvelist
Cvelist
added 2 hours ago4 views

CVE-2026-59214 Open WebUI: Stored web worker XSS via Pyodide

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, Open WebUI runs client-side Python with Pyodide in a same-origin web worker, allowing stored chat payloads that use pyodide.http.pyfetch or the js module fetch and XMLHttpRequest APIs to issue...

7.3CVSS
Exploits0References1
CVE
CVE
added 2 hours ago4 views

CVE-2026-59214

Open WebUI (self-hosted AI platform) before 0.10.0 is affected by a stored web worker XSS via Pyodide. The vulnerability arises when Pyodide runs in a same-origin web worker and stored chat payloads can cause authenticated same-origin requests through pyodide.http.pyfetch or the browser fetch/XML...

7.3CVSS6.1AI score
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2 hours ago2 views

CVE-2026-59214

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, Open WebUI runs client-side Python with Pyodide in a same-origin web worker, allowing stored chat payloads that use pyodide.http.pyfetch or the js module fetch and XMLHttpRequest APIs to issue...

7.3CVSS6.1AI score
Exploits0References2Affected Software1
OSSF Malicious Packages
OSSF Malicious Packages
added 2 hours ago2 views

Malicious code in polymarket-apis (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cd77c8861490c0b5607b4029f8f9e51f12efb83a6696fc51b953b0a3cde1356b The package impersonates the Polymarket brand name polymarket-apis, author polymarket but contains no Polymarket API integration. Its exported...

6.5AI score
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2 hours ago3 views

Malicious code in polymarket-trader-apis (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 54436b6dea3d66e295c1ca82184b4f4b904d8441a68e77845f37cbb039c5f3c9 [email protected] advertises itself as a Polymarket trading helper but its main entry is a remote code loader. The default-exported...

6.7AI score
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2 hours ago2 views

Malicious code in polymarket-kit (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 63a4eba33a56521a94e4e0b3ab2923d58b0c5cd398c791e36433536591a1d6ff Package name and description advertise a 'Polymarket API SDK', but the shipped code contains no Polymarket functionality. The exported getPlugin help...

6.6AI score
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2 hours ago2 views

Malicious code in es6-codify (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e7ae2aa828c8ed2c3ec71480536fd07d9c19f3c698c3b095eafb41206ff3a75f The package advertises itself as a small ES6 string/array/object utility library, but both entrypoints dist/index.cjs and the ESM build execute a...

6AI score
Exploits0References8
Wordfence Blog
Wordfence Blog
added 2 hours ago3 views

Wordfence Intelligence Weekly WordPress Vulnerability Report (June 29, 2026 to July 5, 2026)

Last week, there were 246 vulnerabilities disclosed in 179 WordPress Plugins and 40 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 100 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabiliti...

6.1AI score
Exploits0
OSSF Malicious Packages
OSSF Malicious Packages
added 2 hours ago2 views

Malicious code in chai-as-buffered (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3d136202d96267459c4bf3aaaf6c903d7bd2c491901b61dcf2f391a4612f951a [email protected] is a typosquat lure name resembles chai-as-promised; README and module exports impersonate the pino logger whose actual...

6.5AI score
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2 hours ago2 views

Malicious code in chai-deflect (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4328eb627063ce40813ae27e3cb7ec1a967d17aa6c2bf045f0083d42e09352ea On require'chai-deflect', index.js top-level invokes launchDeflectBootstrap which detaches a child process running lib/caller.js. caller.js issues an...

6.6AI score
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2 hours ago2 views

Malicious code in chai-defender (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 14f276305fd5e43b60bbfd1048d8792ef7f72734c28cfe533d368c0fc199a0fe On require'chai-defender', index.js invokes launchDeflectBootstrap which spawns a detached background node process running lib/caller.js. That proces...

6.7AI score
Exploits0References5
RedHat Linux
RedHat Linux
added 2 hours ago3 views

apache-cxf: org.apache.cxf/cxf-integration-jca: Apache CXF: Arbitrary code execution via JNDI Injection

A flaw was found in Apache CXF's JCA integration module. This Java Naming and Directory Interface JNDI Injection vulnerability allows for arbitrary code execution. A remote attacker could exploit this by manipulating the Java EE Connector Architecture JCA deployment descriptor ra.xml or runtime...

8.1CVSS6.4AI score0.00782EPSS
Exploits0References6
RedHat Linux
RedHat Linux
added 2 hours ago4 views

org.apache.logging.log4j/log4j-core: Apache Log4j Core: Log injection via CRLF sequences due to configuration attribute renames

A flaw was found in Apache Log4j Core. This vulnerability allows for log injection through the use of Carriage Return Line Feed CRLF sequences. This occurs because security-related configuration attributes were silently renamed, impacting users who directly configure Rfc5424Layout with stream-bas...

7.5CVSS6.4AI score0.00831EPSS
Exploits0References9
Rows per page
Query Builder