Search 11 security sources in one query

Search NVD, OSV, CISA KEV and KISA — by CVE ID, package name, or keyword.

Recently published CVEs

The most recently published vulnerabilities.

  • Malicious code in ecto-corsair-flag-7kq3mz (npm)

    Risk 0.00 · OSV
  • Malicious code in module-index-cache (npm)

    Risk 0.00 · OSV
  • Malicious code in ripshakti (npm)

    Risk 0.00 · OSV
  • Malicious code in @sudoughnym/enviro-demo (npm)

    Risk 0.00 · OSV
  • Malicious code in @businessapp-microsites/apis (npm)

    Risk 0.00 · OSV
  • Malicious code in cursed-modules (npm)

    Risk 0.00 · OSV

Actively exploited (CISA KEV)

Vulnerabilities confirmed to be exploited in the wild.

  • KEV · CRITICAL

    SimpleHelp versions 5.5.15 and prior and 6.0 pre-release versions contain an authentication bypass vulnerability in the OIDC authentication flow. When OIDC authentication is configured, identity tokens submitted during login are accepted without verifying their cryptographic signature. In a vulnerable configuration, a remote, unauthenticated attacker can submit a forged token containing arbitrary identity claims to obtain a fully authenticated technician session. In some configurations, this may

    Risk 7.75 · NVD · KEV
  • KEV · HIGH

    LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied com

    Risk 7.35 · OSV · GITHUB_ADVISORY · NVD · KEV
  • KEV · HIGH

    Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a

Top high-risk CVEs (last 7d)

Sorted by risk_score desc, CRITICAL · HIGH only.

  • CRITICAL

    Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the bundled Caddy reverse-proxy's admin API — which has no authentication by default — is bound on 0.0.0.0:2019 inside the container. While this listener is not directly published to the host by docker-compose.yml, it is reachable from the Appsmith server process itself or an SSRF vulnerability. An authenticated low-privileged user can therefore drive the SSRF to issue POST /load (or any other admin-API ca

    Risk 6.45 · NVD
  • CRITICAL

    RTKLIB through 2.4.3 contains an out-of-bounds write vulnerability in the decode_type1033 function, which fails to clamp length counters to the destination buffer size, allowing up to a 191-byte overflow into fixed 64-byte descriptor fields. An attacker controlling an NTRIP or serial RTCM3 correction stream can craft a valid CRC-bearing type-1033 message to corrupt adjacent rtcm_t object members, potentially achieving arbitrary code execution or denial of service.

    Risk 6.15 · NVD
  • HIGH

    Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, Appsmith's bundled supervisord exposes an XML-RPC interface on port 9001, reachable from outside the container via a Caddy reverse-proxy route at /supervisor/* on the public ingress. Combined with the APPSMITH_SUPERVISOR_PASSWORD exposed via GET /api/v1/admin/env, any authenticated administrator can send arbitrary XML-RPC calls to supervisord and execute OS commands inside the Docker container via twiddle

    Risk 5.95 · NVD

Search across 11 sources

  • NVD
  • OSV
  • CISA KEV
  • GitHub Advisory
  • MITRE CVE
  • Exploit-DB
  • RustSec
  • PyPA
  • Go Vuln DB
  • Ruby Advisory
  • npm Advisory
  • Composer Advisory