Exploit for CVE-2026-20262

cve-id ⚡ Simple Usage Use this project only in safe and...

PT-2026-49342

Name of the Vulnerable Software and Affected Versions Langflow versions prior to 1.10.0 Description The Shareable Playground feature, also known as Public Flows, allows unauthenticated users to execute workflows via a public link. A flaw in this feature enables arbitrary file reading depending on...

📄 Drupal core 10.5.5 JSON:API PostgreSQL Error-Based SQL Injection

This code demonstrates a research-oriented implementation targeting a reported SQL injection condition in Drupal JSON:API endpoints backed by PostgreSQL. ================================================================================================================================== | Title :...

Malicious code in getd-typescript-eslint-rules (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector caed4b0db34232c4ef920817b6087cee9ac0610ec4ec2e49edbb5f167342f42f On npm install, the postinstall.js script collects the installer's hostname, OS username, platform, current working directory, CI environment markers...

MAL-2026-5470 Malicious code in getd-typescript-eslint-rules (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector caed4b0db34232c4ef920817b6087cee9ac0610ec4ec2e49edbb5f167342f42f On npm install, the postinstall.js script collects the installer's hostname, OS username, platform, current working directory, CI environment markers...

Malicious code in @rockawayx/utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e286c45b54ab9002ef8b7eec7ec686afc0bb82c2867c3640c460c8d1052b2bab @rockawayx/utils squats the unclaimed @rockawayx npm scope and runs a preinstall beacon on every install. package.json declares "preinstall": "node...

MAL-2026-5462 Malicious code in @rockawayx/utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e286c45b54ab9002ef8b7eec7ec686afc0bb82c2867c3640c460c8d1052b2bab @rockawayx/utils squats the unclaimed @rockawayx npm scope and runs a preinstall beacon on every install. package.json declares "preinstall": "node...

MAL-2026-5416 Malicious code in @klapp-otp/routes (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9246974efd1a626094dd3f2027df2e8f1468ce45ebcba42e5207a06c5c9e16ee On npm install, this package auto-executes index.js via the preinstall lifecycle hook. The script collects os.hostname, os.userInfo, dirname,...

MAL-2026-5421 Malicious code in @nstrlabs/sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a0b1375de7b44594cd3760efb91cb94c8c8b7137322f4597114e314ce5e14e45 On npm install, package.json runs preinstall: node index.js || true, unconditionally executing index.js. The script collects host identity fields...

Malicious code in @nstrlabs/auth (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 608be3457e7c809e60c1b76b9406489652f0ef708bfb97db2b6e0bb92b6836c2 On npm install, the package's preinstall hook node index.js || true, declared in package.json automatically collects host identifiers — os.hostname,...

MAL-2026-5427 Malicious code in @payment-review/store (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2d624eaefbb0245bf0c9a7b598c461a3ba5ec48005cfec223898062741ef8c2e package.json declares preinstall: node index.js || true, so installing the package automatically runs index.js on npm install. The script collects ho...

MAL-2026-5407 Malicious code in @card-pci-data/store (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9a82d7b7e7588c4b773e2948eb1707e62f2fcece2bec37a23eda5d5058eae871 On npm install, the package's preinstall hook scripts.preinstall: node index.js || true runs index.js which collects host identity — os.hostname,...

Exploit for Improper Access Control in Apple Ipad_Os

CVE-2024-0258 Research Technical research notes, reverse engi...

CVE-2026-44289

creationtimestamp| type| source ---|---|--- 2026-06-05 08:33:42+00:00| published-proof-of-concept| https://www.cyera.com/research/proto6-the-schema-was-not-supposed-to-run 2026-06-10 09:00:04+00:00| published-proof-of-concept| Telegram/ZHpMnVOz2cJfIOonPjLT3mqz43XsQAtrT-ty2tkYMtXDqE...

exploit-validator

$repo Production-grade offensive security tool for Purpose...

📄 WebRemoteControl Unauthenticated Remote Filesystem Access

Proof of concept tool that demonstrates how WebRemoteControl suffers from unauthenticated remote filesystem access and potential remote code execution. ================================================================================================================================== | Title :...

Exploit for CVE-2022-42005

Tesla Security Research Vulnerability research on the Tesla M...

Exploit for CVE-2025-66478

CVE-2025-66478-Research-Proof-of-Concept Overview This re...

sqli_exploit

S...

Malicious code in skills-detector (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 844190b21455d308d6e2b5305ebe92634d80b55817290a84644a1048df0e54b3 On npm install, postinstall.js executes whoami and id via childprocess.execSync, collects os.hostname, os.platform, current working directory, and th...