Lucene search
K

637 matches found

Nuclei
Nuclei
added yesterday20 views

NocoBase - VM Sandbox Escape to Remote Code Execution

NocoBase Workflow Script Node executes user-supplied JavaScript inside a Node.js vm sandbox with a custom require allowlist controlled by WORKFLOWSCRIPTMODULES env var. The console object passed into the sandbox context exposes host-realm WritableWorkerStdio stream objects via console.stdout and...

9.9CVSS6.3AI score0.36503EPSS
Exploits7References3
EUVD
EUVD
added 6 days ago7 views

EUVD-2026-40285

Improper Input Validation vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All. An attacker that has access to publish or modify entries in LDAP that match the configured searchBase and searchFilter can instantiate denied transports inside the broker JVM. This can be used...

7.5CVSS5.7AI score0.00659EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 6 days ago6 views

PT-2026-53839

Name of the Vulnerable Software and Affected Versions Apache ActiveMQ Broker versions prior to 5.19.8 Apache ActiveMQ Broker versions 6.0.0 through 6.2.6 Apache ActiveMQ versions prior to 5.19.8 Apache ActiveMQ versions 6.0.0 through 6.2.6 Apache ActiveMQ All versions prior to 5.19.8 Apache...

7.5CVSS5.9AI score0.00659EPSS
Exploits0References10
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/24 4:13 a.m.6 views

Malicious code in hardhat-test-log (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 741350b4472a82c53151793b413166a5fad36af3d2d14fa1d12afba9eccb9fed Package impersonates the well-known eth-gas-reporter / hardhat-gas-reporter packages: README is titled 'eth-test-log', copies badges and contributor...

6.4AI score
Exploits0References2
CVE
CVE
added 2026/06/23 5:20 p.m.9 views

CVE-2026-49402

Deno is affected by CVE-2026-49402 on Windows when using node:child_process with shell: true. The escapeShellArg() helper failed to properly quote arguments containing cmd.exe metacharacters (e.g., &, |, , ^, !, (, )), and did not neutralize % inside double-quoted strings. This allowed an attacke...

8.1CVSS6.1AI score0.00283EPSS
Exploits1References1Affected Software1
Cvelist
Cvelist
added 2026/06/23 5:20 p.m.33 views

CVE-2026-49402 Deno: Command Injection via spawnSync & spawn on Windows

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.10, Deno's node:childprocess implementation provided an escapeShellArg helper used when callers passed shell: true to spawn / spawnSync / exec and friends. On Windows, the helper failed to quote arguments that contained cmd.e...

8.1CVSS0.00283EPSS
Exploits1References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/22 12:0 p.m.11 views

Malicious code in @glitchpad/throttler (npm)

@glitchpad/throttler malicious version 2.2.3, published by [email protected] is a trojanized npm package belonging to the wshu.net credential-stealer campaign. The campaign published trojanized look-alike utility packages across 12+ scopes whose publisher accounts all follow the pattern...

5.9AI score
Exploits0References7
OSV
OSV
added 2026/06/22 12:0 p.m.9 views

MAL-2026-6307 Malicious code in @glitchpad/throttler (npm)

@glitchpad/throttler malicious version 2.2.3, published by [email protected] is a trojanized npm package belonging to the wshu.net credential-stealer campaign. The campaign published trojanized look-alike utility packages across 12+ scopes whose publisher accounts all follow the pattern...

5.9AI score
Exploits0References7
OSV
OSV
added 2026/06/22 12:0 p.m.13 views

MAL-2026-6312 Malicious code in @tinyfox/shapecheck (npm)

@tinyfox/shapecheck malicious version 0.8.7, published by [email protected] is a trojanized npm package belonging to the wshu.net credential-stealer campaign. The campaign published trojanized look-alike utility packages across 12+ scopes whose publisher accounts all follow the pattern...

5.9AI score
Exploits0References7
OSV
OSV
added 2026/06/22 12:0 p.m.4 views

MAL-2026-6310 Malicious code in @petitcode/eb-retry (npm)

@petitcode/eb-retry malicious version 1.3.5, published by [email protected] is a trojanized npm package belonging to the wshu.net credential-stealer campaign. The campaign published trojanized look-alike utility packages across 12+ scopes whose publisher accounts all follow the pattern...

6AI score
Exploits0References6
AstraLinux
AstraLinux
added 2026/06/19 11:10 a.m.3 views

Astra Linux – Vulnerability in Linux, Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: scsi: core: Fixed improper pointer dereferencing when the error handler kthread is invalid. The commit 66a834d09293 “scsi: core: Fixed error handling of scsihostalloc” changed the allocation logic to call putdevice to perform hos...

5.5CVSS5.3AI score0.0024EPSS
Exploits0References2
NVD
NVD
added 2026/06/17 11:17 p.m.8 views

CVE-2026-44646

LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, Context.spawn creates a child Context for the % render % tag but does not propagate the parent context's resolved ownPropertyOnly value, resulting in a silent bypass. The new...

5.3CVSS0.00271EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/17 10:25 p.m.28 views

CVE-2026-44646 LiquidJS: `{% render %}` tag silently bypasses per-render `ownPropertyOnly:true` via `Context.spawn()`

LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, Context.spawn creates a child Context for the % render % tag but does not propagate the parent context's resolved ownPropertyOnly value, resulting in a silent bypass. The new...

5.3CVSS0.00271EPSS
Exploits0References3
NVD
NVD
added 2026/06/17 5:16 p.m.9 views

CVE-2025-71322

PickleScan before 0.0.33 fails to include the pty.spawn function in its unsafe globals list, allowing attackers to bypass security checks. Malicious actors can craft pickle payloads using pty.spawn to achieve arbitrary code execution when files are processed by PickleScan...

8.8CVSS0.00384EPSS
Exploits0References2
CVE
CVE
added 2026/06/17 3:4 p.m.8 views

CVE-2025-71322

CVE-2025-71322 affects PickleScan prior to 0.0.33, where the unsafe-globals check omits pty.spawn. Attackers can craft pickle payloads using pty.spawn to bypass checks and achieve arbitrary code execution during file processing. The connected records confirm the root cause (missing pty.spawn in u...

8.8CVSS6.1AI score0.00384EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/17 3:4 p.m.16 views

CVE-2025-71322 PickleScan - Unsafe Globals Check Bypass via pty.spawn Function

PickleScan before 0.0.33 fails to include the pty.spawn function in its unsafe globals list, allowing attackers to bypass security checks. Malicious actors can craft pickle payloads using pty.spawn to achieve arbitrary code execution when files are processed by PickleScan...

8.8CVSS0.00384EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/17 3:4 p.m.7 views

EUVD-2025-210269

PickleScan before 0.0.33 fails to include the pty.spawn function in its unsafe globals list, allowing attackers to bypass security checks. Malicious actors can craft pickle payloads using pty.spawn to achieve arbitrary code execution when files are processed by PickleScan...

8.8CVSS6AI score0.00384EPSS
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/16 10:20 p.m.7 views

Malicious code in vite-config-field (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8e5dabbc9cf746e153391fbe76f4dc54f9bccb9f7fd467d5b80d07c84ab1fb58 [email protected] impersonates the legitimate vite-plugin-pwa package README copies its banner/badges, funding field points at antfu's GitHub...

6.1AI score
Exploits0References3
OSV
OSV
added 2026/06/16 10:20 p.m.7 views

MAL-2026-5936 Malicious code in vite-config-field (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8e5dabbc9cf746e153391fbe76f4dc54f9bccb9f7fd467d5b80d07c84ab1fb58 [email protected] impersonates the legitimate vite-plugin-pwa package README copies its banner/badges, funding field points at antfu's GitHub...

6.1AI score
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/06/16 7:7 p.m.14 views

Deno: Command Injection via spawnSync & spawn on Windows

Summary Deno's node:childprocess implementation provided an escapeShellArg helper used when callers passed shell: true to spawn / spawnSync / exec and friends. On Windows, the helper failed to quote arguments that contained cmd.exe metacharacters such as &, |, , ^, !, , , and did not neutralize %...

9.8CVSS5.8AI score0.02213EPSS
Exploits2References2Affected Software1
Rows per page
Query Builder