Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

43 matches found

RedhatCVE
RedhatCVEadded 3 days ago8 views

CVE-2026-36613

Mercusys AC12G EU V1 with firmware AC12GEUV1200909 returns 128 bytes of uninitialized internal buffer contents when receiving HTTP POST requests to undefined paths, exposing server state to unauthenticated adjacent network attackers...

4.3CVSS5.7AI score0.00012EPSS
Exploits0References1
RedhatCVE
RedhatCVEadded 3 days ago6 views

CVE-2026-44003

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, vm2's code transformer has a performance optimization that skips AST analysis when the code does not contain catch, import, or async keywords. This fast-path bypass allows sandboxed code to directly access the internal...

5.8CVSS5.5AI score0.00049EPSS
Exploits1References1
EUVD
EUVDadded 5 days ago6 views

EUVD-2026-34152

Mercusys AC12G EU V1 with firmware AC12GEUV1200909 returns 128 bytes of uninitialized internal buffer contents when receiving HTTP POST requests to undefined paths, exposing server state to unauthenticated adjacent network attackers...

4.3CVSS5.9AI score0.00012EPSS
Exploits0References1
Vulnrichment
Vulnrichmentadded 5 days ago5 views

CVE-2026-36613

Mercusys AC12G EU V1 with firmware AC12GEUV1200909 returns 128 bytes of uninitialized internal buffer contents when receiving HTTP POST requests to undefined paths, exposing server state to unauthenticated adjacent network attackers...

5.9AI score0.00012EPSS
Exploits0References1
ATTACKERKB
ATTACKERKBadded 5 days ago4 views

CVE-2026-36613

Mercusys AC12G EU V1 with firmware AC12GEUV1200909 returns 128 bytes of uninitialized internal buffer contents when receiving HTTP POST requests to undefined paths, exposing server state to unauthenticated adjacent network attackers...

4.3CVSS5.9AI score0.00012EPSS
Exploits0References2
NVD
NVDadded 2026/05/13 6:16 p.m.8 views

CVE-2026-44003

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, vm2's code transformer has a performance optimization that skips AST analysis when the code does not contain catch, import, or async keywords. This fast-path bypass allows sandboxed code to directly access the internal...

5.8CVSS0.00049EPSS
Exploits1References1
Vulnrichment
Vulnrichmentadded 2026/05/13 5:30 p.m.5 views

CVE-2026-44003 vm2: Transformer Fast-Path Bypass Exposes Internal State Variable

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, vm2's code transformer has a performance optimization that skips AST analysis when the code does not contain catch, import, or async keywords. This fast-path bypass allows sandboxed code to directly access the internal...

5.3CVSS5.8AI score0.00049EPSS
Exploits1References1
Positive Technologies
Positive Technologiesadded 2026/05/12 12:0 a.m.8 views

PT-2026-40077

Name of the Vulnerable Software and Affected Versions IntelR Processors affected versions not specified Description Shared microarchitectural predictor state that influences transient execution for some processors within VMX non-root guest operation may lead to information disclosure. An...

6.8CVSS5.9AI score0.00017EPSS
Exploits0References4
Snyk
Snykadded 2026/05/08 4:22 p.m.6 views

Improper Isolation or Compartmentalization

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization through the setupSandboxScript bootstrap in lib/vm.js and lib/setup-sandbox.js. An attacker can read the...

6.9CVSS5.9AI score0.00049EPSS
Exploits1References2
OSV
OSVadded 2026/05/08 4:22 p.m.2 views

GHSA-2CM2-M3W5-GP2F vm2 has access to `VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL`

Summary https://github.com/patriksimek/vm2/security/advisories/GHSA-wp5r-2gw5-m7q7 is not fully patched. Details It is still possible to get access to VM2INTERNALSTATEDONOTUSEORPROGRAMWILLFAIL. PoC js const VM = require"vm2"; const vm = new VM; console.logvm.run...

5.3CVSS5.8AI score
Exploits0References3
Snyk
Snykadded 2026/05/07 4:32 a.m.5 views

Improper Isolation or Compartmentalization

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization through the transformer fast-path in the source instrumentation logic. An attacker can expose the internal...

6.9CVSS5.9AI score0.00049EPSS
Exploits1References2
OSV
OSVadded 2026/05/07 4:32 a.m.3 views

GHSA-WP5R-2GW5-M7Q7 vm2's Transformer Fast-Path Bypass Exposes Internal State Variable

Summary vm2's code transformer has a performance optimization that skips AST analysis when the code does not contain catch, import, or async keywords. This fast-path bypass allows sandboxed code to directly access the internal VM2INTERNALSTATEDONOTUSEORPROGRAMWILLFAIL variable, which exposes...

5.3CVSS5.8AI score0.00049EPSS
Exploits1References4
Github Security Blog
Github Security Blogadded 2026/05/07 4:32 a.m.11 views

vm2's Transformer Fast-Path Bypass Exposes Internal State Variable

Summary vm2's code transformer has a performance optimization that skips AST analysis when the code does not contain catch, import, or async keywords. This fast-path bypass allows sandboxed code to directly access the internal VM2INTERNALSTATEDONOTUSEORPROGRAMWILLFAIL variable, which exposes...

5.8CVSS5.8AI score0.00049EPSS
Exploits1References4Affected Software1
Positive Technologies
Positive Technologiesadded 2026/05/07 12:0 a.m.8 views

PT-2026-38394

Name of the Vulnerable Software and Affected Versions vm2 versions prior to 3.11.0 Description A performance optimization in the code transformer skips AST Abstract Syntax Tree analysis when the code does not contain the keywords catch, import, or async. This fast-path bypass allows sandboxed cod...

5.3CVSS5.9AI score0.00049EPSS
Exploits1References6
Veracode
Veracodeadded 2026/05/06 8:26 a.m.6 views

Insecure File Permissions

Claude SDK for TypeScript is vulnerable to insecure file permissions. The vulnerability is due to the BetaLocalFilesystemMemoryTool creating memory files and directories with world-readable and world-writable permissions, where a local attacker on a shared host could read persisted agent state, a...

4.8CVSS5.8AI score0.0001EPSS
Exploits0References1Affected Software1
ATTACKERKB
ATTACKERKBadded 2026/05/04 6:41 p.m.0 views

CVE-2026-41686

Claude SDK for TypeScript provides access to the Claude API from server-side TypeScript or JavaScript applications. From version 0.79.0 to before version 0.91.1, the BetaLocalFilesystemMemoryTool in the Anthropic TypeScript SDK created memory files and directories using the Node.js default modes...

4.8CVSS5.7AI score0.0001EPSS
Exploits0References2Affected Software1
OSV
OSVadded 2026/04/29 10:28 p.m.2 views

GHSA-P7FG-763F-G4GF Claude SDK for TypeScript has Insecure Default File Permissions in Local Filesystem Memory Tool

The BetaLocalFilesystemMemoryTool in the Anthropic TypeScript SDK created memory files and directories using the Node.js default modes 0o666 for files, 0o777 for directories, leaving them world-readable on systems with a standard umask and world-writable in environments with a permissive umask su...

4.8CVSS5.8AI score0.0001EPSS
Exploits0References3
OSV
OSVadded 2026/04/28 12:31 a.m.3 views

GHSA-F5FM-9JMP-C88R Duplicate Advisory: OpenClaw: Trailing-dot localhost CDP hosts could bypass remote loopback protections

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-fh32-73r9-rgh5. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.2 fails to normalize trailing-dot localhost hosts in remote CDP discovery responses, allowing...

6.9CVSS5.8AI score0.00042EPSS
Exploits0References4
NVD
NVDadded 2026/04/28 12:16 a.m.1 views

CVE-2026-41372

OpenClaw before 2026.4.2 fails to normalize trailing-dot localhost hosts in remote CDP discovery responses, allowing bypass of loopback protections. Attackers can craft hostile discovery responses returning localhost. to retarget authenticated browser control toward localhost endpoints and expose...

6.9CVSS0.00042EPSS
Exploits0References3
ATTACKERKB
ATTACKERKBadded 2026/04/27 11:24 p.m.0 views

CVE-2026-41372

OpenClaw before 2026.4.2 fails to normalize trailing-dot localhost hosts in remote CDP discovery responses, allowing bypass of loopback protections. Attackers can craft hostile discovery responses returning localhost. to retarget authenticated browser control toward localhost endpoints and expose...

6.9CVSS5.3AI score0.00042EPSS
Exploits0References4
Rows per page
Query Builder