CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSSF Malicious Packages•added 2026/04/30 12:2 a.m.•5 views

Malicious code in robase-dnb (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 24da23c2c626baf8f3c35e8c5000506cdadb4d8129d0e4350b262a0e3922d8c7 During installation package downloads and runs a malicious executable. Likely continuation of 2026-03-rowrap. The campaign is built over a malicious Roblox API...

ATTACKERKB•added 2026/04/30 12:0 a.m.•6 views

CVE-2026-36766

Multiple authenticated cross-site scripting XSS vulnerabilities in the XssHttpServletRequestWrapper class of shopizer v3.2.5 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the getInputStream or getReader functions...

5.4CVSS5.3AI score0.00138EPSS

Positive Technologies•added 2026/04/30 12:0 a.m.•3 views

PT-2026-36156

5.4CVSS5.3AI score0.00138EPSS

OSSF Malicious Packages•added 2026/04/29 11:31 p.m.•2 views

Malicious code in rblx-http (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 b0078ee9b9f6221ab242c9f2442f86670e320a5058c306590b5e5b458066e414 During installation package downloads and runs a malicious executable. Likely continuation of 2026-03-rowrap. The campaign is built over a malicious Roblox API...

OSSF Malicious Packages•added 2026/04/29 11:24 p.m.•10 views

Malicious code in rblx-https (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 4b7d7435a6bcfd1a9437108a21af9ca6be7c60aa1e0c6e9e90a40ac43b26cf67 During installation package downloads and runs a malicious executable. Likely continuation of 2026-03-rowrap. The campaign is built over a malicious Roblox API...

OSV•added 2026/04/29 11:24 p.m.•4 views

MAL-2026-3191 Malicious code in rblx-https (PyPI)

5.8AI score

OSSF Malicious Packages•added 2026/04/29 11:10 p.m.•4 views

Malicious code in ro-db (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 2bd23f786275f7f9939deab001c8b06daaba21ad7dcb861fd6bb9cdd2e3d830c During installation package downloads and runs a malicious executable. Likely continuation of 2026-03-rowrap. The campaign is built over a malicious Roblox API...

RedhatCVE•added 2026/04/29 8:48 p.m.•4 views

CVE-2026-42427

OpenClaw before 2026.4.8 contains a remote code execution vulnerability caused by missing environment variable denylist entries for HGRCPATH, CARGOBUILDRUSTCWRAPPER, RUSTCWRAPPER, and MAKEFLAGS. Attackers can inject malicious build tool environment variables to influence host exec commands and...

5.8CVSS6.5AI score0.00188EPSS

OSV•added 2026/04/29 8:22 p.m.•2 views

GHSA-Q4Q6-R8WH-5CGH PhpSpreadsheet has SSRF/RCE in IOFactory::load when $filename is user controlled

The usage of isfile, used to verify if the $filename is indeed an actual file, by all? Reader implementations inside the helper function File::assertFile is php-wrapper aware, for any php wrappers implementing stat. The 3 wrappers ftp://, phar:// and ssh2.sftp://, all satisfy this requirement - 2...

9.2CVSS5.8AI score0.00712EPSS

Exploits1References4

Github Security Blog•added 2026/04/29 8:22 p.m.•6 views

PhpSpreadsheet has SSRF/RCE in IOFactory::load when $filename is user controlled

9.8CVSS5.7AI score0.00712EPSS

Exploits1References4Affected Software1

OSV•added 2026/04/29 3:30 p.m.•6 views

GHSA-F8H4-46XV-H7JJ Jenkins HTML Publisher Plugin has a XSS vulnerability in the legacy wrapper file

Jenkins HTML Publisher Plugin versoins 427 and earlier do not escape the job name and URL in the legacy wrapper file. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. HTML Publisher Plugin 427.1 escapes job name and URL when...

8CVSS5.9AI score0.00281EPSS

Github Security Blog•added 2026/04/29 3:30 p.m.•10 views

Jenkins HTML Publisher Plugin has a XSS vulnerability in the legacy wrapper file

8CVSS5.9AI score0.00281EPSS

Exploits0References3Affected Software1

OSSF Malicious Packages•added 2026/04/29 2:0 p.m.•7 views

Malicious code in secrets-manager-wrapper (npm)

Dependency confusion and typosquatting campaign by threat actor "saif777". Packages use inflated version numbers 9999.9999.9999, 9999.9999.10000, 50.50.50, 7.66.5 to win version resolution in environments with private registries. All active packages execute a postinstall hook "node index.js" that...

5.9AI score

OSV•added 2026/04/29 2:0 p.m.•2 views

MAL-2026-3195 Malicious code in secrets-manager-wrapper (npm)

5.9AI score

Vulnrichment•added 2026/04/29 1:31 p.m.•4 views

CVE-2026-42524

Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission...

4.8AI score0.00281EPSS