Lucene search
K

35666 matches found

OSSF Malicious Packages
OSSF Malicious Packages
added 3 days ago6 views

Malicious code in marked-prettier (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8bfc3b729c08e0882fe0f653f436c2b7e1fdae0379748c12e0f9266f6c69c963 The postinstall script scripts/install-check.cjs fetches a JSON config from https://trabalhos-flax.vercel.app/config/clob-math.json read from...

6.5AI score
Exploits0References3
NVD
NVD
added 3 days ago7 views

CVE-2026-61450

Grav before 2.0.2 contains a Twig sandbox bypass that allows a page author any admin.pages user, or anyone able to write to user/pages to exfiltrate configuration secrets. Although the sandbox replaces the 'config' variable with a redacted facade and strips Config::get/toArray from the method...

7.1CVSS0.00246EPSS
Exploits0References2
CVE
CVE
added 3 days ago6 views

CVE-2026-61450

Grav prior to 2.0.2 contains a Twig sandbox bypass that enables a page author (including any admin.pages user or anyone with write access to user/pages) to exfiltrate configuration secrets. The sandbox replaces the config variable with a redacted facade and strips Config::get/toArray from the all...

7.1CVSS6.1AI score0.00246EPSS
Exploits0References2
EUVD
EUVD
added 3 days ago7 views

EUVD-2026-42903

Grav before 2.0.2 contains a Twig sandbox bypass that allows a page author any admin.pages user, or anyone able to write to user/pages to exfiltrate configuration secrets. Although the sandbox replaces the 'config' variable with a redacted facade and strips Config::get/toArray from the method...

7.1CVSS6.1AI score0.00246EPSS
Exploits0References2
Cvelist
Cvelist
added 3 days ago28 views

CVE-2026-61450 Grav before 2.0.2 Config Exfiltration via offsetGet Filter

Grav before 2.0.2 contains a Twig sandbox bypass that allows a page author any admin.pages user, or anyone able to write to user/pages to exfiltrate configuration secrets. Although the sandbox replaces the 'config' variable with a redacted facade and strips Config::get/toArray from the method...

7.1CVSS0.00246EPSS
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 3 days ago6 views

Malicious code in execfences (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 974c5744c98a462c30d6c8dd3ca078461dc172244203e85d5290fa05660d2d1c The package was found to contain malicious code or consuming dependency that contains malicious code Source: ghsa-malware...

6.1AI score
Exploits0References8
OSSF Malicious Packages
OSSF Malicious Packages
added 3 days ago7 views

Malicious code in nodemon-slint (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5488028be686500c0af6b7f91ead55be9ddaeb86f3b920fce7eed6f8111b0050 Package name, README, homepage nodemon.io, author remy, and source tree are copied verbatim from the widely-used 'nodemon' package, with the addition...

6.1AI score
Exploits0References2
NVD
NVD
added 3 days ago7 views

CVE-2026-15378

A flaw was found in the guardrails-detectors component. This vulnerability allows a remote attacker to perform a blind Server-Side Request Forgery SSRF by submitting a specially crafted XML Schema Definition XSD string. This can lead to unauthorized access to sensitive information, including...

9.3CVSS0.00424EPSS
Exploits0References2
EUVD
EUVD
added 3 days ago7 views

EUVD-2026-42858

A flaw was found in the guardrails-detectors component. This vulnerability allows a remote attacker to perform a blind Server-Side Request Forgery SSRF by submitting a specially crafted XML Schema Definition XSD string. This can lead to unauthorized access to sensitive information, including...

9.3CVSS6.1AI score0.00424EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 3 days ago7 views

CVE-2026-15378

A flaw was found in the guardrails-detectors component. This vulnerability allows a remote attacker to perform a blind Server-Side Request Forgery SSRF by submitting a specially crafted XML Schema Definition XSD string. This can lead to unauthorized access to sensitive information, including...

9.3CVSS6.1AI score0.00424EPSS
Exploits0References3
Veracode
Veracode
added 3 days ago6 views

Improper Authorization

Leantime is vulnerable to Improper Authorization. The vulnerability is due to missing authorization checks in the Users::getUser JSON-RPC API, where authenticated users can retrieve sensitive credential data for arbitrary user accounts, allowing attackers to obtain password hashes, TOTP secrets,...

8.6CVSS6.2AI score0.0025EPSS
Exploits0References4Affected Software1
OSSF Malicious Packages
OSSF Malicious Packages
added 3 days ago9 views

Malicious code in nodemon-patch (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 15ac606888cb1a54710bafa78dc76d760bef1088bb5e2cc0f0323614341345e5 The package is named nodemon-patch but its package.json metadata homepage https://nodemon.io, author Remy Sharp / github.com/remy, repository, fundin...

6.2AI score
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 3 days ago8 views

Malicious code in nodepack-daemon (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b976e6ab638a52663d25f360bffec6706dc82991ad27c552788a5a4d785ff89f The package presents itself as the popular pino logger README badges, file layout mirroring pino's lib/proto.js, lib/redaction.js, lib/transport.js,...

6.5AI score
Exploits0References2
NVD
NVD
added 4 days ago8 views

CVE-2026-59832

SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, the /snippets/filepath route handler serveSnippets in kernel/server/serve.go joins a single-decoded request path with the snippets directory without subpath containment or sensitive-path checks, allowing an authenticat...

7.7CVSS0.00316EPSS
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 4 days ago7 views

Malicious code in @kl-starfish/test-01 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6b554249a85dcce61ed69ed5552bd6486b14a3ab2d72b7b243638a8ea24a8339 The package was found to contain malicious code or consuming dependency that contains malicious code Source: ghsa-malware...

6.1AI score
Exploits0References2
CVE
CVE
added 4 days ago9 views

CVE-2026-59832

SiYuan before 3.7.1 is affected by an authenticated path traversal in the /snippets/*filepath route (serveSnippets) where the handler in kernel/server/serve.go joins a single-decoded path with the snippets directory without subpath containment or sensitive-path checks, allowing requests like /sni...

7.7CVSS6AI score0.00316EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 4 days ago4 views

CVE-2026-59832

SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, the /snippets/filepath route handler serveSnippets in kernel/server/serve.go joins a single-decoded request path with the snippets directory without subpath containment or sensitive-path checks, allowing an authenticat...

7.7CVSS6AI score0.00316EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 4 days ago36 views

CVE-2026-59832 SiYuan: Authenticated path traversal in /snippets/ static handler (serveSnippets) leaks conf/conf.json secrets and siyuan.db

SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, the /snippets/filepath route handler serveSnippets in kernel/server/serve.go joins a single-decoded request path with the snippets directory without subpath containment or sensitive-path checks, allowing an authenticat...

7.7CVSS0.00316EPSS
Exploits0References3
Wolfi
Wolfi
added 4 days ago5 views

GHSA-FF52-PH69-CF7X vulnerabilities

Vulnerabilities for packages: nri-f5, aws-eks-pod-identity-agent, pulumi-language-dotnet, nodetaint, witness, chartmuseum, kubernetes-ingress-defaultbackend, vertical-pod-autoscaler, apko, pgpool2exporter, boring-registry, helm-set-status, cloudnative-pg, sops, k8s-device-plugin, k8sgpt, loki,...

6.1AI score
Exploits0
EUVD
EUVD
added 4 days ago7 views

EUVD-2026-42613

n8n is an open source workflow automation platform. Prior to 1.123.61, 2.27.4, and, 2.28.1, an authenticated member with use-only editor access to a shared workflow could read credential-populated headers exposed via the $request object inside an HTTP Request node's pagination expression and...

7.1CVSS5.9AI score0.00303EPSS
Exploits0References3
Rows per page
Query Builder