Lucene search
K

1616 matches found

CVE
CVE
added yesterday12 views

CVE-2026-13323

Open VSX Registry before 1.0.2 is affected by a vulnerability in the /vscode/unpkg/ endpoint that serves user-supplied HTML with Content-Type: text/html and without a Content-Security-Policy or Content-Disposition header. An unauthenticated attacker can create a publisher account, upload a VSIX c...

4.1CVSS5.8AI score
Exploits0References2
EUVD
EUVD
added yesterday5 views

EUVD-2026-40945

In Open VSX Registry before 1.0.2, the /vscode/unpkg/ endpoint serves user-supplied HTML files with Content-Type: text/html and without a Content-Security-Policy or Content-Disposition: attachment response header. An unauthenticated attacker can register a publisher account, upload a VSIX...

4.1CVSS5.8AI score
Exploits0References2
Tenable Nessus
Tenable Nessus
added 6 days ago10 views

Disc Soft DAEMON Tools Lite 12.5.0.2421 - 12.5.0.2434 Embedded Malicious Code (CVE-2026-8398)

The version of Disc Soft DAEMON Tools Lite installed on the remote Windows host is between 12.5.0.2421 and 12.5.0.2434 inclusive. It is, therefore, affected by an embedded malicious code vulnerability. - A supply chain attack compromised the official installation packages of DAEMON Tools Lite,...

9.8CVSS6.2AI score0.01456EPSS
Exploits1References4
NVD
NVD
added 2026/06/25 10:16 p.m.10 views

CVE-2025-71340

picklescan through 0.0.26 fails to detect malicious pickle files that invoke idlelib.pyshell.ModifiedInterpreter.runcode in reduce methods. Attackers can embed undetected code in pickle files that executes arbitrary commands when the file is loaded via pickle.load, enabling supply chain attacks o...

8.1CVSS0.003EPSS
Exploits0References2
CVE
CVE
added 2026/06/25 9:41 p.m.14 views

CVE-2025-71340

CVE-2025-71340 affects the picklescan tool up to version 0.0.26, where malicious pickle files can invoke idlelib.pyshell.ModifiedInterpreter.runcode via reduce , allowing code execution when loaded with pickle.load(). This enables supply‑chain attacks on PyTorch models and saved Python objects. T...

8.1CVSS6.1AI score0.003EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/25 9:41 p.m.21 views

CVE-2025-71340 picklescan - Remote Code Execution via idlelib.pyshell.ModifiedInterpreter.runcode

picklescan through 0.0.26 fails to detect malicious pickle files that invoke idlelib.pyshell.ModifiedInterpreter.runcode in reduce methods. Attackers can embed undetected code in pickle files that executes arbitrary commands when the file is loaded via pickle.load, enabling supply chain attacks o...

8.1CVSS0.003EPSS
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/25 6:11 p.m.7 views

Malicious code in ts-opus (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 73b0105b34723dd6e1449c3353d1d4df0dcf94ae460a4dfd156566bb4ba372c7 ts-opus 0.0.8 ships an unmodified copy of MikeMcl/big.js README, copyright, and repository URL all reference big.js but injects an additional top-lev...

6AI score
Exploits0References2
OSV
OSV
added 2026/06/25 6:11 p.m.5 views

MAL-2026-6468 Malicious code in ts-opus (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 73b0105b34723dd6e1449c3353d1d4df0dcf94ae460a4dfd156566bb4ba372c7 ts-opus 0.0.8 ships an unmodified copy of MikeMcl/big.js README, copyright, and repository URL all reference big.js but injects an additional top-lev...

6AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/25 12:0 a.m.9 views

PT-2026-52617

Name of the Vulnerable Software and Affected Versions picklescan versions prior to 0.0.30 Description The software fails to detect malicious pickle files that invoke idlelib.pyshell.ModifiedInterpreter.runcode within reduce methods. This allows attackers to embed undetected code in pickle files...

8.1CVSS6AI score0.003EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/24 5:48 p.m.29 views

CVE-2026-44017 Docling: Unsafe Zip Extraction in EasyOCR Model Download

Docling simplifies document processing by parsing diverse formats and providing integrations with the generative AI ecosystem. Prior to 2.91.0, the EasyOCR model download functionality extracted ZIP archives without validating member paths, enabling Zip Slip attacks. If an attacker could compromi...

7.5CVSS0.00478EPSS
Exploits0References2
CVE
CVE
added 2026/06/24 5:48 p.m.44 views

CVE-2026-44017

CVE-2026-44017 concerns Docling’s EasyOCR model download: prior to 2.91.0, ZIP archives were extracted without validating member paths, enabling Zip Slip path traversal. An attacker who could supply or intercept the model source could overwrite files anywhere writable by the process, potentially ...

8.3CVSS6.7AI score0.00478EPSS
Exploits0References5Affected Software1
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/24 6:26 a.m.9 views

Malicious code in bn-lint (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c14057d91b2283926b2b0c1093a66db17c40efbd0ceb21c29b0bdbfa79736da5 Package is published as 'bn-lint' but ships a verbatim copy of MikeMcl/big.js README, source, version banner v7.0.1, and repo URL all identify as...

5.9AI score
Exploits0References2
OSV
OSV
added 2026/06/24 6:26 a.m.6 views

MAL-2026-6376 Malicious code in bn-lint (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c14057d91b2283926b2b0c1093a66db17c40efbd0ceb21c29b0bdbfa79736da5 Package is published as 'bn-lint' but ships a verbatim copy of MikeMcl/big.js README, source, version banner v7.0.1, and repo URL all identify as...

5.9AI score
Exploits0References2
EUVD
EUVD
added 2026/06/21 1:26 p.m.5 views

EUVD-2025-210291

picklescan before 0.0.28 fails to detect malicious pickle files that invoke torch.utils.configmodule.loadconfig function within reduce methods. Attackers can craft pickle files embedding arbitrary code that evades detection but executes during pickle.load, enabling remote code execution in supply...

8.1CVSS6.7AI score0.00397EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.16 views

PT-2026-49831

Name of the Vulnerable Software and Affected Versions Real Testimonials Pro affected versions not specified Product Slider Pro for WooCommerce affected versions not specified Smart Post Show Pro affected versions not specified Description A supply chain compromise occurred where attackers...

7.5CVSS6.1AI score0.00387EPSS
Exploits1References14
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/15 9:3 p.m.10 views

Malicious code in lab-helper (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9bbde4e4075983db0c5aba255bc29f84fb2536681b13e8289412cce5c3ee7a2e On npm install, the package's postinstall hook runs seccheck.js, which enumerates the host's network interfaces and proceeds only if an IPv4 address...

5.3AI score
Exploits0References1
OSV
OSV
added 2026/06/15 5:15 p.m.9 views

MAL-2026-5788 Malicious code in @solana-labs/web3js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b79f799d106eaad2a09af8eac8b3ac64a46966e392ec423461facd26dc958705 This package impersonates the legitimate @solana/web3.js library under a confusable scope @solana-labs/web3js. On npm install, the postinstall hook...

5.8AI score
Exploits0References6
OSV
OSV
added 2026/06/12 8:35 p.m.10 views

MAL-2026-5712 Malicious code in jextic-eclib (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 13a6476409b9cb9296b7f778be375081c8ad12b030658351092e9fef90f4b707 On npm install, the package's postinstall hook postinstall.js requires index.js, whose top-level scanAndExfiltrate call walks the installer's working...

5.6AI score
Exploits0References1
GithubExploit
GithubExploit
added 2026/06/11 4:39 a.m.55 views

claude-code-f002-poc

F002: Supply Chain Attack via Non-Interactive Workspace Trust...

6AI score
Exploits0
OSV
OSV
added 2026/06/11 2:51 a.m.9 views

MAL-2026-5555 Malicious code in express-timer (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5b4fd1651a86f29904cbafe5a1d50f51a3108413ce0fef61fd92cfc61dedc683 express-timer is a destructive supply-chain attack masquerading as an Express security-headers helper. Three independent harm mechanisms fire on...

5.7AI score
Exploits0References6
Rows per page
Query Builder