CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

AstraLinux•added 2026/05/20 5:53 a.m.•1 views

Astra Linux - уязвимость в thunderbird

When a worker is shut down, it was possible for the script to run late in the lifecycle, at a time when it should not be possible. This vulnerability affects Firefox 96, Thunderbird 91.6, and Firefox ESR 91.6...

8.8CVSS6.8AI score0.00493EPSS

NVD•added 2026/05/20 5:16 a.m.•14 views

CVE-2026-5075

The All in One SEO plugin for WordPress is vulnerable to Sensitive Information Exposure via 'internalOptions' localized script data in versions up to, and including, 4.9.7 due to sensitive internal option data being passed to wplocalizescript in post editor contexts without effective masking for...

4.3CVSS0.0003EPSS

CVE•added 2026/05/20 3:28 a.m.•10 views

CVE-2026-5075

The CVE-2026-5075 affects the WordPress plugin All in One SEO Pack (All in One SEO) up to version 4.9.7. The vulnerability is a Sensitive Information Exposure due to internalOptions data being passed to wp_localize_script() in post editor contexts without effective masking. This allows authentica...

4.3CVSS5.8AI score0.0003EPSS

Cvelist•added 2026/05/20 3:28 a.m.•32 views

CVE-2026-5075 All in One SEO <= 4.9.7 - Authenticated (Contributor+) Sensitive Information Exposure via 'internalOptions' Localized Script Data

4.3CVSS0.0003EPSS

EUVD•added 2026/05/20 3:28 a.m.•8 views

EUVD-2026-31059

4.3CVSS5.8AI score0.0003EPSS

ATTACKERKB•added 2026/05/20 3:28 a.m.•7 views

CVE-2026-5075

4.3CVSS5.8AI score0.0003EPSS

Exploits0References3

OSSF Malicious Packages•added 2026/05/20 2:36 a.m.•6 views

Malicious code in python-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5b94c01fae325c5f5e92abd5da03527c54e22bb48202b1dc8b3e2c64947753b2 package.json declares "preinstall": "./dist/typecheck.js". The referenced file is not JavaScript — it is a 5,224,556-byte Linux x86 ELF executable...

6AI score

OSSF Malicious Packages•added 2026/05/20 2:32 a.m.•8 views

Malicious code in vestibulect (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 82da0f0bb40f42e69defbea694db093f2ad880c8c094508f61e2d7fe58550e2e package.json declares a postinstall hook "postinstall": "node install.js" which executes install.js automatically on npm install. install.js imports ...

NVD•added 2026/05/20 2:16 a.m.•9 views

CVE-2026-8420

The BLOGCHAT Chat System plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.6.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious...

6.1CVSS0.0002EPSS

Exploits0References9

NVD•added 2026/05/20 2:16 a.m.•16 views

CVE-2026-8038

The Faces of Users plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'default' shortcode attribute in the 'facesofusers' shortcode in all versions up to, and including, 0.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticat...

6.4CVSS0.00032EPSS

Exploits0References3

NVD•added 2026/05/20 2:16 a.m.•9 views

CVE-2026-6549

The Logo Manager For Enamad plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' attribute of the vcenamadnamad, vcenamadshamed, and vcenamadcustom shortcodes in all versions up to, and including, 0.7.4 due to insufficient input sanitization and output escaping on use...

6.4CVSS0.00034EPSS

Exploits0References4

OSSF Malicious Packages•added 2026/05/20 2:11 a.m.•5 views

Malicious code in color-style-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 47cf4aaa2cd7a20b222a1a4150a7b9e1f79d9b0a09c8fe4a5689e55bad9bc087 On npm install, all three lifecycle hooks preinstall, install, postinstall execute postinstall.js, which harvests installer secrets and exfiltrates...

5.9AI score

Exploits0References6

OSSF Malicious Packages•added 2026/05/20 2:9 a.m.•9 views

Malicious code in @flipbit2-bb/test-auth-state (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 52ba26e89d1aca1f10772bf4cc8c9b23a436a39a8442fdf4ba9abf6c4c890e63 On npm install, a postinstall script phone-home.js collects os.hostname, os.userInfo.username, process.platform + os.release, a timestamp, and a...

OSV•added 2026/05/20 2:9 a.m.•3 views

MAL-2026-4389 Malicious code in @flipbit2-bb/test-auth-state (npm)

OSV•added 2026/05/20 2:8 a.m.•3 views

MAL-2026-4379 Malicious code in @deadcode09284814/axios-util (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 76075552edfad08b87789f2594dc666cdf4bf992e590c78cbfb0090446fca42a On npm install, postinstall.js reads installer-owned secrets — SSH private keys idrsa, ided25519, iddsa, config, authorizedkeys, knownhosts,...