CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSSF Malicious Packages•added 2026/04/06 4:24 p.m.•5 views

Malicious code in frontend-backoffice (npm)

Malicious package due to arbitrary command execution, data exfiltration to Telegram, and a suspicious preinstall script executing code on installation. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2f06949fafe41d4b38a42b1c5573750638b411c02b6edcb1958f3f5aad933d...

6AI score

OSV•added 2026/04/06 4:24 p.m.•4 views

MAL-2026-2525 Malicious code in frontend-backoffice (npm)

6AI score

The Hacker News•added 2026/04/06 4:24 p.m.•5 views

DPRK-Linked Hackers Use GitHub as C2 in Multi-Stage Attacks Targeting South Korea

Threat actors likely associated with the Democratic People's Republic of Korea DPRK have been observed using GitHub as command-and-control C2 infrastructure in multi-stage attacks targeting organizations in South Korea. The attack chain, per Fortinet FortiGuard Labs, involves obfuscated Windows...

6.1AI score

Exploits0

OSSF Malicious Packages•added 2026/04/06 4:16 p.m.•2 views

Malicious code in use-form-builder-plugin (npm)

Package is malware. Collects system info, exfiltrates data via HTTP/DNS, executes commands, and uses preinstall script for auto-execution. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bdced38cb2f5f34bb91f39b16697369424bf1cbde84ca18363e78454b31d6ddc The packag...

OSV•added 2026/04/06 4:16 p.m.•1 views

Exploits0References2

MAL-2026-2529 Malicious code in use-form-builder-plugin (npm)

OSSF Malicious Packages•added 2026/04/06 4:13 p.m.•2 views

Exploits0References2

Malicious code in a2a-chat-canvas (npm)

Malicious package due to suspicious callback URL, hostname exfiltration, preinstall script execution, and only one published version. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d466a45c588940f8279288c439a4665d5368f0a7642c966de8e9fd307bc028b3 The package...

OSV•added 2026/04/06 4:13 p.m.•1 views

MAL-2026-2524 Malicious code in a2a-chat-canvas (npm)

Snyk•added 2026/04/06 4:10 p.m.•2 views

Improper Encoding or Escaping of Output

Overview glpi/glpi is a free Asset and IT Management Software package with ITIL Service Desk, licenses tracking and software auditing. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the Website field in the supplier component. An attacker can execu...

8.6CVSS6.1AI score0.00013EPSS

Exploits0References2

NVD•added 2026/04/06 3:17 p.m.•1 views

CVE-2026-25932

GLPI is a Free Asset and IT Management Software package. From 0.60 to before 10.0.24, an authenticated technician user can store an XSS payload in a supplier fields. This vulnerability is fixed in 10.0.24...

7.2CVSS0.00013EPSS

CVE•added 2026/04/06 1:45 p.m.•4 views

CVE-2026-5660

CVE-2026-5660 affects itsourcecode Construction Management System 1.0. The vulnerability is an SQL injection in the Parameter Handler’s unknown function for the file /borrowed_equip.php, triggered by manipulating the emp argument. This may be exploited remotely, with exploit maturity listed as PR...

6.5CVSS6.5AI score0.00036EPSS

RedhatCVE•added 2026/04/06 10:57 a.m.•1 views

CVE-2026-5555

A weakness has been identified in code-projects Concert Ticket Reservation System 1.0. This affects an unknown part of the file /ConcertTicketReservationSystem-master/login.php of the component Parameter Handler. Executing a manipulation of the argument Email can lead to sql injection. The attack...

7.5CVSS6.9AI score0.00043EPSS

NVD•added 2026/04/06 10:16 a.m.•7 views

CVE-2026-5642

A vulnerability was determined in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. This affects an unknown function of the file /viva/update.php of the component HTTP POST Request Handler. This manipulation of the argument Name causes improper authorization. It ...

7.5CVSS0.00058EPSS

Cvelist•added 2026/04/06 10:15 a.m.•26 views

CVE-2026-5645 projectworlds Car Rental System Parameter pay.php sql injection

A weakness has been identified in projectworlds Car Rental System 1.0. Affected by this vulnerability is an unknown functionality of the file /pay.php of the component Parameter Handler. Executing a manipulation of the argument mpesa can lead to sql injection. The attack can be launched remotely...

7.5CVSS0.0004EPSS

Exploits0References4

ATTACKERKB•added 2026/04/06 10:0 a.m.•3 views

CVE-2026-5644

A security flaw has been discovered in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. Affected is an unknown function of the file /admin/Add%20notice/batch-notice.php. Performing a manipulation of the argument $SERVER'PHPSELF' results in cross site scripting...

4.8CVSS4.4AI score0.00035EPSS

ATTACKERKB•added 2026/04/06 9:30 a.m.•3 views

CVE-2026-5642

7.5CVSS6.8AI score0.00058EPSS

OSV•added 2026/04/06 9:20 a.m.•1 views

MAL-2026-2500 Malicious code in totally-safe-util (npm)

Multiple suspicious behaviors: postinstall script, hex obfuscation, OS command execution to open a Rickroll, and attempt to hide execution. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0d45a8a1395a8ff66e2ea74cacd9d8de0ebaa9e88e0170a6907b3e4861a2acc5 The packa...

5.9AI score

ATTACKERKB•added 2026/04/06 8:45 a.m.•1 views

CVE-2026-5639

A flaw has been found in PHPGurukul Online Shopping Portal Project 2.1. Impacted is an unknown function of the file /admin/update-image3.php of the component Parameter Handler. Executing a manipulation of the argument filename can lead to sql injection. The attack can be executed remotely. The...

6.5CVSS5.8AI score0.00012EPSS

Exploits0References5Affected Software1

Vulnrichment•added 2026/04/06 8:45 a.m.•0 views

CVE-2026-5639 PHPGurukul Online Shopping Portal Project Parameter update-image3.php sql injection

6.5CVSS6.5AI score0.00012EPSS