Lucene search
+L

20882 matches found

OSSF Malicious Packages
OSSF Malicious Packages
added 2 days ago10 views

Malicious code in ai-pro-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b035f137addcf0118c3d042ece322d0fdde054e4ed283317d3b2adb309e38689 [email protected] is advertised as a Vercel AI SDK provider for Claude via the Claude Agent SDK, but the published tarball ships no code: package.json...

6.1AI score
Exploits0References4
OSSF Malicious Packages
OSSF Malicious Packages
added 4 days ago7 views

Malicious code in eth-lib-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 13895e2e8ee4aa9683c2fd6f0f873a38b19bbc5af207233e22c51668bc7dba41 Package [email protected] impersonates @ethereumjs/util / ethereumjs-util README, author list, repository URL, and source tree copied from the...

6.1AI score
Exploits0References4
The Hacker News
The Hacker News
added 2026/07/10 4:29 p.m.10 views

Injective Labs GitHub Compromise Pushes Wallet-Key-Stealing npm Packages

Unknown threat actors compromised the Injective Labs SDK project's GitHub repository and leveraged it to publish a malicious package on the npm registry to steal cryptocurrency wallet private keys and mnemonic seed phrases. The compromised version, @injectivelabs/[email protected] , came embedded wi...

6.1AI score
Exploits0
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/07/09 4:19 p.m.11 views

Malicious code in cookie-parser-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c6c2bd7c1b5b363e72753401f6edebf816965a625227e6523210e4620ce9bb8a cookie-parser-js impersonates the widely used cookie-parser package: it copies TJ Holowaychuk / Doug Wilson author metadata, the description, the...

6.6AI score
Exploits0References7
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/07/09 3:38 p.m.10 views

Malicious code in nodemon-gulp (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 18cfb051ae84a8ed00bba3ae1eaf7720ec6479a402ae0540c6d66a7fa304f52a Package is published as nodemon-gulp but its contents are a verbatim copy of the upstream nodemon project: package.json declares author: Remy Sharp,...

6.1AI score
Exploits0References4
OSV
OSV
added 2026/07/08 8:16 p.m.4 views

UBUNTU-CVE-2026-58501

Zeep is a Python SOAP client. From 4.0.0 before 4.3.3, Settings.forbidexternal is defined but not enforced when parsing WSDL or XSD documents, allowing transitive xsd:import, xsd:include, wsdl:import, and lxml entity or DTD references to fetch attacker-chosen HTTP or HTTPS URLs. This issue is fix...

5.9CVSS6.1AI score0.00252EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/07/08 7:33 p.m.32 views

CVE-2026-59948 Composer: Arbitrary file write outside vendor via malicious transitive package name

Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a maliciously crafted package from an untrusted repository other than Packagist.org or Private Packagist can cause Composer to write attacker-controlled files outside the vendor directory and outside the project...

7CVSS0.00132EPSS
Exploits0References5
CVE
CVE
added 2026/07/08 7:33 p.m.12 views

CVE-2026-59948

CVE-2026-59948 affects Composer (PHP dependency manager). A malicious package from an untrusted repo (not Packagist.org/Private Packagist) with an invalid name could cause install/update to write attacker-controlled files outside the vendor directory and project. Root cause: failure to validate t...

7CVSS6AI score0.00132EPSS
Exploits0References5
OSV
OSV
added 2026/07/08 7:33 p.m.5 views

CVE-2026-59948 Composer: Arbitrary file write outside vendor via malicious transitive package name

Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a maliciously crafted package from an untrusted repository other than Packagist.org or Private Packagist can cause Composer to write attacker-controlled files outside the vendor directory and outside the project...

7CVSS6.1AI score0.00132EPSS
Exploits0References7
CVE
CVE
added 2026/07/08 7:31 p.m.8 views

CVE-2026-58501

Zeep (Python SOAP client) is affected in versions 4.0.0 through before 4.3.3, where Settings.forbid_external is defined but not enforced during WSDL/XSD parsing. This allows transitive xsd:import, xsd:include, wsdl:import, and lxml entity or DTD references to fetch attacker‑controlled HTTP/HTTPS ...

5.9CVSS6AI score0.00252EPSS
Exploits0References3Affected Software1
Tenable Nessus
Tenable Nessus
added 2026/07/06 12:0 a.m.6 views

pnpm < 10.34.0 / 11.x < 11.4.0 Multiple Vulnerabilities

The version of pnpm installed on the remote host is prior to 10.34.0, or 11.x prior to 11.4.0. It is, therefore, affected by multiple vulnerabilities: - pnpm allows a transitive dependency alias from registry package metadata to contain path traversal segments. During install, pnpm later uses tha...

8.8CVSS6.2AI score0.00326EPSS
Exploits2References4
RedhatCVE
RedhatCVE
added 2026/06/30 2:51 p.m.7 views

CVE-2026-13149

A flaw was found in brace-expansion. An attacker can exploit a vulnerability in the expand function by providing a specially crafted string. This string, containing consecutive non-expanding brace groups, can trigger exponential-time complexity, leading to significant CPU consumption and event-lo...

8.7CVSS5.8AI score0.00361EPSS
Exploits0References5
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/30 12:0 a.m.8 views

Malicious code in thirdwb (npm)

Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. thirdwb is a typosquat of the legitimate thirdweb package. It uses a side-loader technique, pulling in log-taker as a transitive dependency; the infostealer runs automatically via that dependency's...

6AI score
Exploits0References2
vulnersOsv
vulnersOsv
added 2026/06/29 11:50 a.m.9 views

coati-payroll (>=1.0.1 <=1.10.0), now-lms (>=1.0.3 <=1.2.3) +1 more potentially affected by CVE-2026-27641 via flask-reuploaded (>=1.2.0 <=1.4.0)

flask-reuploaded PYPI version =1.2.0, =1.0.1, =1.0.3, =4.6.1, =5.0.0 Source cves: CVE-2026-27641 Source advisory: OSV:PYSEC-2026-341...

9.8CVSS5.7AI score0.01046EPSS
Exploits1
EUVD
EUVD
added 2026/06/26 10:55 p.m.9 views

EUVD-2026-39494

pnpm: Transitive dependency alias path traversal allows project path override via symlink replacement...

8.8CVSS5.8AI score0.00326EPSS
Exploits1References2
NVD
NVD
added 2026/06/25 6:16 p.m.11 views

CVE-2026-50016

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm allows a transitive dependency alias from registry package metadata to contain path traversal segments. During install, pnpm later uses that alias as a filesystem path when linking dependency nodes. As a result, a registry package can...

8.8CVSS0.00326EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/06/25 4:53 p.m.5 views

CVE-2026-50016

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm allows a transitive dependency alias from registry package metadata to contain path traversal segments. During install, pnpm later uses that alias as a filesystem path when linking dependency nodes. As a result, a registry package can...

8.8CVSS5.9AI score0.00326EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2026/06/25 4:53 p.m.33 views

CVE-2026-50016 pnpm: Transitive dependency alias path traversal allows project path override via symlink replacement

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm allows a transitive dependency alias from registry package metadata to contain path traversal segments. During install, pnpm later uses that alias as a filesystem path when linking dependency nodes. As a result, a registry package can...

8.8CVSS0.00326EPSS
Exploits1References1
CVE
CVE
added 2026/06/25 4:53 p.m.26 views

CVE-2026-50016

pnpm (the package manager) is affected by CVE-2026-50016. Before versions 10.34.0 and 11.4.0, a transitive dependency alias from registry metadata could include path traversal segments. During install, pnpm may treat that alias as a filesystem path when linking dependency nodes, allowing a regist...

8.8CVSS5.9AI score0.00326EPSS
Exploits1References1Affected Software1
OSV
OSV
added 2026/06/25 4:53 p.m.4 views

CVE-2026-50016 pnpm: Transitive dependency alias path traversal allows project path override via symlink replacement

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm allows a transitive dependency alias from registry package metadata to contain path traversal segments. During install, pnpm later uses that alias as a filesystem path when linking dependency nodes. As a result, a registry package can...

8.8CVSS6AI score0.00326EPSS
Exploits1References3
Rows per page
Query Builder