Lucene search
K

2669 matches found

OSV
OSV
added yesterday3 views

MAL-2026-10390 Malicious code in timmytuffknuckles9 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 342d7a44db99769023685647376a6042d5a9b345c281826484c9d88561f245ca Package is not a Node library — package.json declares main: sw.js, a browser Service Worker whose first line calls importScripts'./8cfc2/hgshm.js'...

6.2AI score
Exploits0References3
OSV
OSV
added yesterday2 views

MAL-2026-10389 Malicious code in timmytuffknuckles6 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 22ef6fa6c2b9f80d6a1f79e532a9d9ea083a1c662bc834d118879ba630842b0c This package is not a Node.js library. package.json declares "main": "sw.js", a Service Worker that calls importScripts'./8cfc2/hgshm.js' — an API th...

6.2AI score
Exploits0References3
CVE
CVE
added 5 days ago8 views

CVE-2026-59214

Open WebUI (self-hosted AI platform) is affected by a vulnerability described as a stored web worker XSS via Pyodide. Prior to version 0.10.0, the platform runs client-side Python with Pyodide inside a same-origin web worker, which could allow stored chat payloads using pyodide.http.pyfetch or th...

9CVSS6.1AI score0.00285EPSS
Exploits0References1Affected Software1
OSSF Malicious Packages
OSSF Malicious Packages
added 6 days ago17 views

Malicious code in tslint-conf (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 31b464b1646f8e2d36ce68a86af599cc49d5381f08af70302ff01f42957234a1 The package presents itself as the pino logger README, index.d.ts, docs/, and lib/ files all reference pinojs/pino but is published under the unrelat...

6.2AI score
Exploits0References2
NVD
NVD
added 6 days ago8 views

CVE-2026-14454

Imager versions before 1.033 for Perl treat unsigned EXIF IFD entry counts as signed. Imager mishandled large EXIF IFD entry count values, treating them as negative numbers. This could lead to an attempt to allocate a block nearly the size of the address space, which fails and kills the process. ...

9.8CVSS0.00394EPSS
Exploits0References3
EUVD
EUVD
added 6 days ago7 views

EUVD-2026-42226

Imager versions before 1.033 for Perl treat unsigned EXIF IFD entry counts as signed. Imager mishandled large EXIF IFD entry count values, treating them as negative numbers. This could lead to an attempt to allocate a block nearly the size of the address space, which fails and kills the process. ...

6AI score0.00394EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 6 days ago5 views

PT-2026-56397

Name of the Vulnerable Software and Affected Versions Imager versions prior to 1.033 Description Imager for Perl incorrectly treats unsigned EXIF IFD Image File Directory entry counts as signed. When processing large entry count values, the software interprets them as negative numbers, which can...

9.8CVSS6.1AI score0.00394EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 6 days ago6 views

PT-2026-56618

Name of the Vulnerable Software and Affected Versions davenardella snap7 versions prior to 1.4.4 Description A flaw in the ReadVar Request Handler component allows for deserialization. The issue resides in the TS7Worker::PerformFunctionRead function within the src/core/s7 server.cpp file...

6.3CVSS6.6AI score0.00285EPSS
Exploits0References9
OSV
OSV
added 2026/07/07 4:3 p.m.7 views

PYSEC-2026-1192 arcade-mcp-server Has Default Hardcoded Worker Secret That Allows Full Unauthorized Access to All HTTP MCP Worker Endpoints

Summary The arcade-mcp HTTP server uses a hardcoded default worker secret "dev" that is never validated or overridden during normal server startup. As a result, any unauthenticated attacker who knows this default key can forge valid JWTs and fully bypass the FastAPI authentication layer. This...

6.5CVSS6.1AI score0.00281EPSS
Exploits0References8
EUVD
EUVD
added 2026/07/06 9:54 a.m.6 views

EUVD-2026-41869

Apache Airflow's Google provider operators GCSToSFTPOperator and GCSTimeSpanFileTransformOperator joined GCS object names returned by the bucket listing API directly to a destination filesystem path without normalisation or containment check. A user with write access to the source GCS bucket...

8.1CVSS6.1AI score0.01058EPSS
Exploits1References2
CVE
CVE
added 2026/07/06 9:54 a.m.18 views

CVE-2026-49297

Apache Airflow Google provider contains a path traversal flaw in GCSToSFTPOperator and GCSTimeSpanFileTransformOperator: GCS object names from bucket listings are joined to a destination path without normalisation or containment checks. A user with write access to a source GCS bucket could create...

8.1CVSS6.1AI score0.01058EPSS
Exploits1References3Affected Software1
Cvelist
Cvelist
added 2026/07/02 5:35 a.m.40 views

CVE-2026-13704 GiveWP <= 4.16.1 - Authenticated (Give Worker+) Stored Cross-Site Scripting via Sequioa Form

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sequoiaintroductionimage' parameter in all versions up to, and including, 4.16.1 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS0.00235EPSS
Exploits0References9
CVE
CVE
added 2026/07/02 5:35 a.m.17 views

CVE-2026-13704

Summary: CVE-2026-13704 affects the GiveWP – Donation Plugin and Fundraising Platform for WordPress. The vulnerability is a Stored Cross‑Site Scripting issue exploitable via the parameter sequoia[introduction][image] and exists in all versions up to and including 4.16.1 due to insufficient input ...

6.4CVSS5.9AI score0.00235EPSS
Exploits0References9
EUVD
EUVD
added 2026/07/02 5:35 a.m.9 views

EUVD-2026-41251

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sequoiaintroductionimage' parameter in all versions up to, and including, 4.16.1 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS5.9AI score0.00235EPSS
Exploits0References9
ATTACKERKB
ATTACKERKB
added 2026/07/02 5:35 a.m.8 views

CVE-2026-13704

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sequoiaintroductionimage' parameter in all versions up to, and including, 4.16.1 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS5.9AI score0.00235EPSS
Exploits0References10
RedHat Linux
RedHat Linux
added 2026/07/01 5:31 p.m.13 views

Important: Red Hat Security Advisory: Satellite 6.18.7 Async Update

A new release is now available for Red Hat Satellite 6.18 for RHEL 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from th...

8.8CVSS6.8AI score0.00671EPSS
Exploits0References8
EUVD
EUVD
added 2026/06/30 6:33 p.m.16 views

EUVD-2026-31975

obanweb missing authorization check on save-job event handler...

5.3CVSS5.8AI score0.0041EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/06/25 8:4 p.m.4 views

CVE-2026-55388

A flaw was found in piscina, a Node.js worker pool implementation. This vulnerability allows an attacker to achieve arbitrary code execution by exploiting a prototype pollution issue. By manipulating the filename option, an attacker can cause their malicious code to be executed within the worker,...

8.1CVSS6.4AI score0.00296EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/23 7:40 p.m.39 views

CVE-2026-11807 Eda-server: websocket missing authorization allows credential theft via activation_id spoofing

A missing authorization vulnerability was found in the Event-Driven Ansible EDA websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activationid to receive...

9.6CVSS0.0037EPSS
Exploits0References6
Tenable Nessus
Tenable Nessus
added 2026/06/23 12:0 a.m.9 views

Linux Distros Unpatched Vulnerability : CVE-2026-54264

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, an...

8.3CVSS6AI score0.00226EPSS
Exploits0References3
Rows per page
Query Builder