Lucene search
K

227 matches found

NVD
NVD
added 6 days ago9 views

CVE-2026-56776

n8n before 1.123.55, 2.25.7, and 2.26.2 contains an authorization bypass in the POST /workflows/workflowId/test-runs/new endpoint, which authorizes access using the workflow:read scope instead of workflow:execute. An authenticated user with read-only access to a workflow can trigger a real...

7.4CVSS0.00161EPSS
Exploits0References2
Cvelist
Cvelist
added 6 days ago33 views

CVE-2026-56776 n8n - Incorrect OAuth Scope Validation in Workflow Test Run Endpoint

n8n before 1.123.55, 2.25.7, and 2.26.2 contains an authorization bypass in the POST /workflows/workflowId/test-runs/new endpoint, which authorizes access using the workflow:read scope instead of workflow:execute. An authenticated user with read-only access to a workflow can trigger a real...

7.4CVSS0.00161EPSS
Exploits0References2
OSV
OSV
added 2026/06/29 7:28 a.m.15 views

MAL-2026-6590 Malicious code in envfile-sync-cli (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 097a9a647e6d99cd53b881cae4fdd747d03b319388107c946c70b8804d3d917b On every import of envfile-sync-cli, src/index.js calls process.dlopen on bin/native/parser.node — a 2.9MB Windows PE executable sha256...

5.8AI score
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/18 10:28 p.m.12 views

Malicious code in clx-cookie-signature (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9e0e91601d276764067b1b209efd17a1f59ef03ff4fc814bcb22c495f4a0f9b3 Package impersonates the popular cookie-signature library copying its README, author field 'TJ Holowaychuk ', and sign/unsign API, but index.js adds ...

6AI score
Exploits0References2
OSV
OSV
added 2026/06/18 8:10 p.m.6 views

GHSA-CWPP-5962-Q4F6 OpenClaw: Exec allowlist could miss side effects from transparent command wrappers

Summary Exec allowlist could miss side effects from transparent command wrappers. In affected versions, a command request that reaches the exec allowlist path could be evaluated against the inner command while the wrapper invocation still executed. This advisory is scoped to the named feature and...

4.3CVSS5.7AI score0.00185EPSS
Exploits0References4
CVE
CVE
added 2026/06/16 9:38 p.m.18 views

CVE-2026-48783

CVE-2026-48783 affects Postiz prior to version 2.21.8. An unauthenticated endpoint (/public/modify-subscription) accepted a signed token and applied subscription-enforcement side effects to the organization in the token’s claims without verifying the token’s intended purpose. The endpoint could n...

4.8CVSS5.3AI score0.0017EPSS
Exploits0References4
OSV
OSV
added 2026/06/16 6:59 p.m.9 views

GHSA-HV7X-3X78-GX53 n8n: Wrong OAuth Scope On Evaluations Test Run Creation Endpoint

Impact The POST /workflows/workflowId/test-runs/new endpoint authorized access using workflow:read rather than workflow:execute. An authenticated user with read-only access to a workflow could trigger a real evaluation test run, causing the workflow to execute via the internal workflow runner. Th...

7.4CVSS5.7AI score0.00161EPSS
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/15 8:17 p.m.22 views

Malicious code in postcss-minify-selector (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1bc7341d6762a6209e4bde3d99f31f1a8650b6971e64a19547b9f35e7a51abb3 Package is published as postcss-minify-selector singular but its internal postcss plugin identifier is postcss-minify-selectors plural — the canonica...

5.8AI score
Exploits0References13
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/09 3:58 p.m.20 views

Malicious code in @sql-access/nodesql (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2acee7592879b9eab377fb8e97a1fa2949b298f4418d37fb963e157971638c90 @sql-access/[email protected] is a decoy package whose identity, README, and code do not match. The package name and keywords advertise SQL/Node...

6AI score
Exploits0References18
Spring Security Advisories
Spring Security Advisories
added 2026/06/09 12:0 a.m.7 views

cve-2026-41731 - HIGH - In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization

cve-2026-41731 - HIGH - In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization...

8.1CVSS6.1AI score0.00489EPSS
Exploits0
Packet Storm News
Packet Storm News
added 2026/06/01 12:0 a.m.71 views

SkillGuard: A Permission Framework for Agent Skills

Agent skills extend LLM agents with reusable instructions, scripts, tool bindings, and contextual dependencies. However, current skill ecosystems largely rely on trust-based loading and static inspection, leaving a gap between what a skill can inject into an agent's context and what it can cause...

5.8AI score
Exploits0
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/26 9:37 a.m.13 views

Malicious code in noteparse (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 270d4c797fe34bc0b9598608f45add8721f1fa80d1488e4fae750e3a7b38419e noteparse 1.1.27 ships live MinIO credentials in configReader.py endpoint uicfile.uniview.com, accesskey 'uicpro', secretkey 'uicpropass123' that are...

5.8AI score
Exploits0References1
OSV
OSV
added 2026/05/21 8:5 p.m.10 views

MAL-2026-4416 Malicious code in @ornexus/neocortex (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bb66a92e1a8c414ee0c8877998a9587b7c8a4be3b9b27b76d874329a87bec5dc On npm install -g @ornexus/neocortex, postinstall.js spawns install.sh or install.ps1 which, by default, runs an installcoderabbit step that fetches...

6.3AI score
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/19 5:52 p.m.13 views

Malicious code in corelia (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d2b637971f597ba9572b4cecfab0de4981d19620d585b1958b1bb37b004fae8f The package impersonates the popular pino logger README header 'corelia Pino', homepage https://getpino.io, main file pino.js, npm version badge...

6AI score
Exploits0References2
OSV
OSV
added 2026/05/12 7:43 a.m.8 views

MAL-2026-3690 Malicious code in dlty (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 494f5fbab24a26771e84ce06eea5303b7d1b9135b505a6d93a01c417603f1902 Importing the dlty package triggers an active data-exfiltration channel from the installer to third-party-controlled infrastructure. dlty/init.py...

5.8AI score
Exploits0References2
Packet Storm News
Packet Storm News
added 2026/05/07 12:0 a.m.33 views

On Fixing Insecure AI-Generated Code through Model Fine-Tuning and Prompting Strategies

The security of AI-generated code remains a major obstacle to its widespread adoption. Although code generation models achieve strong performance on functional benchmarks, their outputs frequently contain bugs and security weaknesses that undermine their trustworthiness. Prior work has explored a...

5.9AI score
Exploits0
ATTACKERKB
ATTACKERKB
added 2026/05/01 2:15 p.m.4 views

CVE-2026-43052

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: check tdls flag in ieee80211tdlsoper When NL80211TDLSENABLELINK is called, the code only checks if the station exists but not whether it is actually a TDLS station. This allows the operation to proceed for non-TDL...

7.1CVSS5.8AI score0.00117EPSS
Exploits0References9Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/01 12:0 a.m.12 views

PT-2026-29489

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 6.19.0-rc7-next-20260127 Description The Linux kernel contains a flaw within the apparmor subsystem, specifically in the match char macro. This macro incorrectly evaluates its character parameter multiple times...

7.8CVSS6.7AI score0.00177EPSS
Exploits0
Cvelist
Cvelist
added 2026/03/26 8:27 p.m.23 views

CVE-2026-33541 TSPortal's Uncontrolled User Creation via Validation Side Effects Leads to Potential Denial of Service

TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 34, a flaw in TSPortal allowed attackers to create arbitrary user records in the database by abusing validation logic. Whil...

6.5CVSS0.00293EPSS
Exploits1References1
CVE
CVE
added 2026/03/26 8:27 p.m.14 views

CVE-2026-33541

CVE-2026-33541 affects TSPortal prior to version 34. A validation logic side effect allowed creation of arbitrary user records in the database, as invalid usernames were supposed to be rejected but a side effect caused records to be created regardless of request success, enabling uncontrolled dat...

6.5CVSS5.8AI score0.00293EPSS
Exploits1References1Affected Software1
Rows per page
Query Builder