Lucene search
K

58 matches found

Metasploit
Metasploit
added 4 days ago12 views

FTP Fetch, Linux Command Shell, Reverse TCP Stager

Fetch and execute a x86 payload from an FTP server. Spawn a command shell staged. Connect back to the attacker Module Options msf use payload/cmd/linux/ftp/x86/shell/reversenonxtcp msf payloadreversenonxtcp show actions ...actions... msf payloadreversenonxtcp set ACTION msf payloadreversenonxtcp...

6.2AI score
Exploits0
OSSF Malicious Packages
OSSF Malicious Packages
added 5 days ago8 views

Malicious code in vite-pwa-config (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bab1e251883a8eceecc27c935ed05352375d438c1efbbd8727f2b13a766409d0 Package vite-pwa-config impersonates the popular vite-plugin-pwa antfu — the README instructs users to import configJson from vite-plugin-pwa, and...

6.6AI score
Exploits0References2
OSV
OSV
added 2026/06/29 11:50 a.m.5 views

PYSEC-2026-553 TorchServe Server-Side Request Forgery vulnerability

Impact Remote Server-Side Request Forgery SSRF Issue: TorchServe default configuration lacks proper input validation, enabling third parties to invoke remote HTTP download requests and write files to the disk. This issue could be taken advantage of to compromise the integrity of the system and...

9.8CVSS5.8AI score0.35256EPSS
Exploits6References8
OSV
OSV
added 2026/06/26 9:19 p.m.14 views

MAL-2026-6539 Malicious code in db-query-log (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4928f7d380b79104d997e7666603726873158508c38d2c75a90c7529dd196be3 The package presents itself as a database query helper but index.js defines a method queryDBConnect that base64-decodes a hardcoded URL pointing to...

6.2AI score
Exploits0References3
OSV
OSV
added 2026/06/26 6:16 p.m.6 views

MAL-2026-6533 Malicious code in react-dynamic-table-compenent (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c55ead8b66faca1e08b2babafa252da2371b535c010a5c14d8b0d0e2a44aadf8 Package name misspells 'component' as 'compenent', a one-letter typosquat of react-dynamic-table-component. The package's postinstall script runs nod...

6.2AI score
Exploits0References2
NVD
NVD
added 2026/06/24 8:16 p.m.5 views

CVE-2026-47389

Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, when using Ruby versions older than 3.4, PrivateAddressCheck.privateaddress? returns false for IPv4-mapped IPv6 addresses ::ffff:a.b.c.d corresponding to some private IPv4 addresses,...

8.6CVSS0.00232EPSS
Exploits0References1
OSV
OSV
added 2026/06/23 4:22 p.m.7 views

MAL-2026-6306 Malicious code in @gleamkit/probe (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector aaef237007e5d89031d334bf56a29892c7d6103aba9563b040556eea20ef2cfa No suspicious behaviors were detected in this package. There are no lifecycle scripts performing remote fetches, no credential or environment scrapin...

6.1AI score
Exploits0References2
OSV
OSV
added 2026/06/16 10:22 p.m.6 views

MAL-2026-5930 Malicious code in bubblestr (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7831cb93037b6f364e2174f6d4fb64b38bac958e54f3653b8a70810681972172 package.json declares "postinstall": "node index.js", and index.js is a heavily obfuscated single-file script RC4+base64 string-array with rotating...

6AI score
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/16 10:22 p.m.12 views

Malicious code in bubblestr (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7831cb93037b6f364e2174f6d4fb64b38bac958e54f3653b8a70810681972172 package.json declares "postinstall": "node index.js", and index.js is a heavily obfuscated single-file script RC4+base64 string-array with rotating...

6AI score
Exploits0References2
OSV
OSV
added 2026/06/16 4:22 p.m.20 views

MAL-2026-5902 Malicious code in chai-as-tokenized (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 55c10da182a0c79ca5eb0f85c6b2e334b7ee4e90946dfcc34feb44e80afa4485 Package name impersonates chai-as-promised, and the README is a copy of pino's documentation, but the actual code is a remote-code-execution dropper...

6.3AI score
Exploits0References2
OSV
OSV
added 2026/06/03 9:16 p.m.13 views

GHSA-JMMV-H3MP-59V8 Docling Core: Unsafe remote filename resolution

Impact In versions = 1.5.0, = 2.74.1 Workarounds If upgrading is not immediately possible, avoid passing untrusted URLs into remote fetch functionality. References - Fix release: v2.74.1...

8.6CVSS5.8AI score0.00055EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/03 9:15 p.m.12 views

External Control of File Name or Path

Overview docling is a SDK and CLI for parsing PDF, DOCX, HTML, and more, to a unified document representation for powering downstream workflows such as gen AI applications. Affected versions of this package are vulnerable to External Control of File Name or Path in backend/htmlbackend.py‎, which ...

7.1CVSS5.5AI score0.00217EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/03 9:15 p.m.13 views

Docling: Unsafe URI and Path Handling in HTML Backend

Impact The HTML backend did not perform sufficient validation during resource handling: - Accepted file:// URIs enabling local file system access when enablelocalfetch=True - Path resolution allowed traversal outside intended directories via ../ sequences and absolute paths - Did not block intern...

7.1CVSS5.8AI score0.00217EPSS
Exploits0References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/03 12:0 a.m.15 views

PT-2026-46104

Impact The HTML backend did not perform sufficient validation during resource handling: - Accepted file:// URIs enabling local file system access when enable local fetch=True - Path resolution allowed traversal outside intended directories via ../ sequences and absolute paths - Did not block...

7.1CVSS5.8AI score
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/03 12:0 a.m.21 views

PT-2026-46127

Name of the Vulnerable Software and Affected Versions Docling versions prior to 2.94.0 Description The HTML backend fails to perform sufficient validation during resource handling. This allows local file system access via file:// URIs when enable local fetch is set to True, and enables path...

7.1CVSS5.8AI score0.00217EPSS
Exploits0References8
OSV
OSV
added 2026/05/28 6:27 p.m.8 views

GHSA-W76H-Q7C6-JPJP compliance-trestle Vulnerable to SSRF in Remote Fetching Subsystem

A source code audit led to the discovery of three significant security vulnerabilities in the trestle/core/remote/cache.py module. Finding 1 Critical: SSRF CWE-918 The HTTPSFetcher.dofetch method passes a user-supplied URL directly to requests.get without validation. This allows an attacker to...

6.7CVSS6AI score0.00012EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/05/27 10:57 p.m.18 views

compliance-trestle Remote Fetching Mechanism has an Arbitrary File Write via Cache Path Traversal

Summary The compliance-trestle library's remote fetching cache mechanism HTTPSFetcher and SFTPFetcher constructs the local cache file path from the URL path component without sanitizing path traversal sequences ../. When a remote OSCAL profile references a URL with traversal in its path, the HTTP...

6.4AI score0.00047EPSS
Exploits0References4Affected Software1
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/26 2:34 p.m.20 views

Malicious code in chainix (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 93d9609d2eac0c0ff33aed557171138930255798aa649fa648b04814c8cb1908 Package presents itself as a pino-compatible logger README badges link to pinojs/pino, exports alias module.exports.pino = middleware but its exporte...

6.4AI score
Exploits0References2
OSV
OSV
added 2026/05/21 4:39 a.m.8 views

MAL-2026-4472 Malicious code in @zhengshuo888/huoke (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6f352f11f7811b28966799c9359f99dbbe9829240066504be17c100981dd45ab On npm install, the package's postinstall hook runs node bin/huoke.js install-skill, which uses execSync to invoke curl -fsSL against...

5.8AI score
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/20 8:46 p.m.12 views

Malicious code in chain-async-test (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 37ce7d13d84d6293da0026d252448caac350f46ecf2206ee1eaeeff8b47d48c6 chain-async-test impersonates the legitimate chain-async library copies its README, license, author 'Eugene Lazutkin / uhop', and full API surface; t...

6.2AI score
Exploits0References1
Rows per page
Query Builder