CVEs classified under CWE-506, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (42)
CVE-2026-28353: Trivy Vulnerability Scanner is a VS Code extension that helps find vulnerabilities. In Trivy VSCode Extension version 1.8.12, which was…
CVE-2024-3094 — CVSS 10.0 (critical): Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the…
CVE-2026-44484 — CVSS 9.8 (critical): PyTorch Lightning is a deep learning framework to pretrain and finetune AI models. Versions 2.6.2 and 2.6.2 have introduced functionality…
CVE-2026-6443 — CVSS 9.8 (critical): All plugins by Essentialplugin for WordPress are vulnerable to an injected backdoor in various versions. This is due to the plugin being…
CVE-2026-34424 — CVSS 9.8 (critical): Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla contains a multi-stage remote access toolkit injected through a compromised…
CVE-2026-31976 — CVSS 9.8 (critical): xygeni-action is the GitHub Action for Xygeni Scanner. On March 3, 2026, an attacker with access to compromised credentials created a…
CVE-2026-45758 — CVSS 9.6 (critical): Guardrails AI is a Python framework that helps build AI applications. On May 11, 2026 at approximately 6:00 PM Pacific, an attacker…
CVE-2025-10894 — CVSS 9.6 (critical): Malicious code was inserted into the Nx (build system) package and several related plugins. The tampered package was published to the npm…
CVE-2018-25117: VestaCP commit a3f0fa1 (2018-05-31) up to commit ee03eff (2018-06-13) contain embedded malicious code that resulted in a supply-chain…
CVE-2017-20202: Web Developer for Chrome v0.4.9 contained malicious code that generated a domain via a DGA and fetched a remote script. The fetched script…
CVE-2017-20201: CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 (32-bit builds) contained a malicious pre-entry-point loader that diverts execution from…
CVE-2025-59039: Prebid Universal Creative (PUC) is a JavaScript API to render multiple formats. Npm users of PUC 1.17.3 or PUC latest were briefly affected…
CVE-2025-32965: xrpl.js is a JavaScript/TypeScript API for interacting with the XRP Ledger in Node.js and the browser. Versions 4.2.1, 4.2.2, 4.2.3, and…
CVE-2020-15165 — CVSS 9.3 (critical): Version 1.1.6-free of Chameleon Mini Live Debugger on Google Play Store may have had it's sources or permissions tampered by a malicious…
CVE-2023-2003 — CVSS 9.1 (critical): Embedded malicious code vulnerability in Vision1210, in the build 5 of operating system version 4.3, which could allow a remote attacker to…
CVE-2025-59145: color-name is a JSON with CSS color names. On 8 September 2025, an npm publishing account for color-name was taken over after a phishing…
CVE-2025-59331: is-arrayish checks if an object can be used like an Array. On 8 September 2025, an npm publishing account for is-arrayish was taken over…
CVE-2025-59330: error-ex allows error subclassing and stack customization. On 8 September 2025, an npm publishing account for error-ex was taken over after…
CVE-2025-59162: color-convert provides plain color conversion functions in JavaScript. On 8 September 2025, the npm publishing account for color-convert…
CVE-2025-59144: debug is a JavaScript debugging utility. On 8 September 2025, the npm publishing account for debug was taken over after a phishing attack…
CVE-2025-59143: color is a Javascript color conversion and manipulation library. On 8 September 2025, the npm publishing account for color was taken over…
CVE-2025-59142: color-string is a parser and generator for CSS color strings. On 8 September 2025, the npm publishing account for color-string was taken…
CVE-2025-59141: simple-swizzle swizzles function arguments. On 8 September 2025, the npm publishing account for simple-swizzle was taken over after a…
CVE-2025-59140: backlash parses collected strings with escapes. On 8 September 2025, the npm publishing account for backslash was taken over after a…
CVE-2025-59038: Prebid.js is a free and open source library for publishers to quickly implement header bidding. NPM users of prebid 10.9.2 may have been…
CVE-2025-59037: DuckDB is an analytical in-process SQL database management system. On 08 September 2025, the DuckDB distribution for Node.js on npm was…
CVE-2017-16046 — CVSS 7.5 (high): `mariadb` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
CVE-2017-16207 — CVSS 7.3 (high): discordi.js is a malicious module based on the discord.js library that exfiltrates login tokens to pastebin.
CVE-2024-10938 — CVSS 6.5 (medium): The OVRI Payment plugin for WordPress contains malicious .htaccess files in version 1.7.0. The files contain directives to prevent the…
CVE-2025-55556 — CVSS 6.5 (medium): TensorFlow v2.18.0 was discovered to output random results when compiling Embedding, leading to unexpected behavior in the application.
CVE-2025-8217 — CVSS 4.0 (medium): The Amazon Q Developer Visual Studio Code (VS Code) extension v1.84.0 contains inert, injected code designed to call the Q Developer CLI…
CVE-2021-22887 — CVSS 2.3 (low): A vulnerability in the BIOS of Pulse Secure (PSA-Series Hardware) models PSA5000 and PSA7000 could allow an attacker to compromise BIOS…