CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSSF Malicious Packages•added 2026/05/20 2:9 a.m.•9 views

Malicious code in @flipbit2-bb/test-auth-state (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 52ba26e89d1aca1f10772bf4cc8c9b23a436a39a8442fdf4ba9abf6c4c890e63 On npm install, a postinstall script phone-home.js collects os.hostname, os.userInfo.username, process.platform + os.release, a timestamp, and a...

OSV•added 2026/05/20 2:9 a.m.•3 views

Exploits0References1

MAL-2026-4389 Malicious code in @flipbit2-bb/test-auth-state (npm)

OSV•added 2026/05/20 2:8 a.m.•3 views

Exploits0References1

MAL-2026-4379 Malicious code in @deadcode09284814/axios-util (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 76075552edfad08b87789f2594dc666cdf4bf992e590c78cbfb0090446fca42a On npm install, postinstall.js reads installer-owned secrets — SSH private keys idrsa, ided25519, iddsa, config, authorizedkeys, knownhosts,...

OSV•added 2026/05/20 2:7 a.m.•3 views

Exploits0References2

MAL-2026-4517 Malicious code in chalk-tempalte (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d3e82f6fa2867575be5e57fd3b03dada6a93761c97b240f77f98f4b221bde7a7 Package name chalk-tempalte is a single-character transposition of the popular chalk-template package a top-tier npm utility, consistent with...

5.9AI score

OSSF Malicious Packages•added 2026/05/20 2:7 a.m.•7 views

Malicious code in chalk-tempalte (npm)

5.9AI score

CVE•added 2026/05/20 1:25 a.m.•8 views

CVE-2026-6395

CVE-2026-6395 affects the WordPress plugin Word 2 Cash up to version 0.9.2. The root cause is the complete absence of nonce verification on the settings save handler in the w2c_admin() function, combined with missing input sanitization before storage and missing output escaping when rendering the...

6.1CVSS6AI score0.00028EPSS

Exploits0References7

Cvelist•added 2026/05/20 1:25 a.m.•36 views

CVE-2026-6549 Logo Manager For Enamad <= 0.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute

6.4CVSS0.00034EPSS

Exploits0References4

ATTACKERKB•added 2026/05/20 1:25 a.m.•3 views

CVE-2026-6399

The General Options plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.1.0. This is due to the use of sanitizetextfield for output escaping in the Contact Number adcontactnumber field — a function that strips HTML tags but does not encode...

4.4CVSS6AI score0.00039EPSS

Cvelist•added 2026/05/20 1:25 a.m.•32 views

CVE-2026-8419 Amazon Scraper <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Update

The Amazon Scraper plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scrip...

4.3CVSS0.0002EPSS

EUVD•added 2026/05/20 1:25 a.m.•4 views

EUVD-2026-31037

4.3CVSS5.7AI score0.0002EPSS

EUVD•added 2026/05/20 1:25 a.m.•10 views

EUVD-2026-31031

The Sentence To SEO keywords, description and tags plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the createadminpage function. This makes it possible for unauthenticated attackers...

6.1CVSS5.7AI score0.0002EPSS

Vulnrichment•added 2026/05/20 1:25 a.m.•5 views

CVE-2026-8420 BLOGCHAT Chat System <= 1.3.6.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Update

The BLOGCHAT Chat System plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.6.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious...

6.1CVSS5.7AI score0.0002EPSS

ATTACKERKB•added 2026/05/20 1:25 a.m.•2 views

CVE-2026-6404

The Anomify AI – Anomaly Detection and Alerting plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'anomifyapikey' parameter in versions up to and including 0.3.6. This is due to insufficient input sanitization and missing output escaping: the plugin applies sanitizetextfie...

4.4CVSS6AI score0.00044EPSS

Exploits0References8

Cvelist•added 2026/05/20 1:25 a.m.•33 views

CVE-2026-6397 Sticky <= 2.5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'readmoretext' Shortcode Attribute

The Sticky plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the cvmh-sticky shortcode readmoretext attribute in versions up to and including 2.5.6. This is due to insufficient input sanitization and output escaping in the cvmhstickyfrontrender function — the readmoretext...

6.4CVSS0.00036EPSS

Exploits0References5

ATTACKERKB•added 2026/05/20 1:25 a.m.•3 views

CVE-2026-6397

6.4CVSS6AI score0.00036EPSS

OSSF Malicious Packages•added 2026/05/20 1:3 a.m.•8 views

Malicious code in customerdigital-ui-containers-lib (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a314a5b253dcb30b2781bda216266b7ab1b49b62eec416bd9be07b48ab46a348 On npm install, postinstall.js collects git identity, OS user/uid, hostname, internal network interface addresses, Cloudflare Pages environment...

OSSF Malicious Packages•added 2026/05/20 12:22 a.m.•6 views

Exploits0References2

Malicious code in crypto-javascript (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ee2e9ca362c982e5c75ed96c626b87ca91d85fb6cb52c89c7a8def86851017b8 Package name typosquats the widely-used crypto-js library and mirrors its API surface, README, and repository references to appear legitimate...