CWE-506

Embedded Malicious Code

The product contains code that appears to be malicious in nature.

CVE-2026-48027 (GCVE-0-2026-48027)

Vulnerability from cvelistv5 – Published: 2026-05-27 15:50 – Updated: 2026-05-28 03:55
Title
Compromised Nx Console version 18.95.0
Summary
Nx Console is the user interface for Nx & Lerna. On 19 May 2026, a malicious version of Nx Console, 18.95.0, was published at 12:30 PM UTC and removed soon after at 12:48 PM UTC, leaving it available for ~18 minutes in Visual Studio Marketplace. For OpenVSX, the problem was detected later, and the compromised version was available from 12:33 UTC to 13:09 UTC (~36 minutes). Version 18.100.0 of Nx Console is not compromised and users may remediate by upgrading to that version.
CWE
  • CWE-506 - Embedded Malicious Code
Impacted products
Vendor Product Version
nrwl nx-console Affected: = 18.95.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48027",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-27T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2026-05-27",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-48027"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-28T03:55:41.841Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-48027"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-05-27T00:00:00.000Z",
            "value": "CVE-2026-48027 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "nx-console",
          "vendor": "nrwl",
          "versions": [
            {
              "status": "affected",
              "version": "= 18.95.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Nx Console is the user interface for Nx \u0026 Lerna. On 19 May 2026, a malicious version of Nx Console, 18.95.0, was published at 12:30 PM UTC and removed soon after at 12:48 PM UTC, leaving it available for ~18 minutes in Visual Studio Marketplace. For OpenVSX, the problem was detected later, and the compromised version was available from 12:33 UTC to 13:09 UTC (~36 minutes). Version 18.100.0 of Nx Console is not compromised and users may remediate by upgrading to that version."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-506",
              "description": "CWE-506: Embedded Malicious Code",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T15:50:01.143Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nrwl/nx-console/security/advisories/GHSA-c9j4-9m59-847w",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nrwl/nx-console/security/advisories/GHSA-c9j4-9m59-847w"
        },
        {
          "name": "https://github.com/nrwl/nx-console/issues/3139",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nrwl/nx-console/issues/3139"
        },
        {
          "name": "https://nx.dev/blog/nx-console-v18-95-0-postmortem#indicators-of-compromise",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://nx.dev/blog/nx-console-v18-95-0-postmortem#indicators-of-compromise"
        },
        {
          "name": "https://www.stepsecurity.io/blog/nx-console-vs-code-extension-compromised",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.stepsecurity.io/blog/nx-console-vs-code-extension-compromised"
        }
      ],
      "source": {
        "advisory": "GHSA-c9j4-9m59-847w",
        "discovery": "UNKNOWN"
      },
      "title": "Compromised Nx Console version 18.95.0"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-48027",
    "datePublished": "2026-05-27T15:50:01.143Z",
    "dateReserved": "2026-05-20T17:44:09.587Z",
    "dateUpdated": "2026-05-28T03:55:41.841Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6443 (GCVE-0-2026-6443)

Vulnerability from cvelistv5 – Published: 2026-04-17 06:44 – Updated: 2026-04-21 19:53
Title
Essentialplugin Plugins (Various Versions) - Injected Backdoor
Summary
All plugins by Essentialplugin for WordPress are vulnerable to an injected backdoor in various versions. This is due to the plugins being sold to a malicious threat actor that embedded a backdoor in all of the plugins they acquired. This makes it possible for the threat actor to maintain a persistent backdoor and inject spam into the affected sites.
CWE
  • CWE-506 - Embedded Malicious Code
Impacted products
Vendor Product Version
essentialplugin Accordion and Accordion Slider Affected: 1.4.6
essentialplugin Portfolio and Projects Affected: 1.5.6
essentialplugin Featured Post Creative Affected: 1.5.7
essentialplugin Post grid and filter ultimate Affected: 1.7.4
essentialplugin WP Featured Content and Slider Affected: 1.7.6
essentialplugin Post Ticker Ultimate Affected: 1.7.6
essentialplugin Trending/Popular Post Slider and Widget Affected: 1.8.6
essentialplugin Meta Slider and Carousel with Lightbox Affected: 2.0.8
essentialplugin Album and Image Gallery Plus Lightbox Affected: 2.1.8
essentialplugin Timeline and History slider Affected: 2.4.5
essentialplugin WP Blog and Widgets Affected: 2.6.6
essentialplugin Countdown Timer Ultimate Affected: 2.6.9
essentialplugin Blog Designer – Post and Widget Affected: 2.7.7
essentialplugin Team Slider and Team Grid Showcase plus Team Carousel Affected: 2.8.6
essentialplugin Video gallery and Player Affected: 2.8.7
essentialplugin Popup Maker and Popup Anything – Popup for opt-ins and Lead Generation Conversions Affected: 2.9.1
essentialplugin Testimonial Grid and Testimonial Slider plus Carousel with Rotator Widget Affected: 3.5.6
essentialplugin WP Responsive Recent Post Slider/Carousel Affected: 3.7.1
essentialplugin WP Slick Slider and Image Carousel Affected: 3.7.8.1
essentialplugin WP Logo Showcase Responsive Slider and Carousel Affected: 3.8.7
essentialplugin WP responsive FAQ with category plugin Affected: 3.9.5
essentialplugin WP News and Scrolling Widgets Affected: 5.0.6
Credits
Eu Joe Chegne, Damien

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6443",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-17T18:49:32.019393Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-17T18:49:42.999Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Accordion and Accordion Slider",
          "vendor": "essentialplugin",
          "versions": [
            {
              "status": "affected",
              "version": "1.4.6"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Portfolio and Projects",
          "vendor": "essentialplugin",
          "versions": [
            {
              "status": "affected",
              "version": "1.5.6"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Featured Post Creative",
          "vendor": "essentialplugin",
          "versions": [
            {
              "status": "affected",
              "version": "1.5.7"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Post grid and filter ultimate",
          "vendor": "essentialplugin",
          "versions": [
            {
              "status": "affected",
              "version": "1.7.4"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "WP Featured Content and Slider",
          "vendor": "essentialplugin",
          "versions": [
            {
              "status": "affected",
              "version": "1.7.6"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Post Ticker Ultimate",
          "vendor": "essentialplugin",
          "versions": [
            {
              "status": "affected",
              "version": "1.7.6"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Trending/Popular Post Slider and Widget",
          "vendor": "essentialplugin",
          "versions": [
            {
              "status": "affected",
              "version": "1.8.6"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Meta Slider and Carousel with Lightbox",
          "vendor": "essentialplugin",
          "versions": [
            {
              "status": "affected",
              "version": "2.0.8"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Album and Image Gallery Plus Lightbox",
          "vendor": "essentialplugin",
          "versions": [
            {
              "status": "affected",
              "version": "2.1.8"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Timeline and History slider",
          "vendor": "essentialplugin",
          "versions": [
            {
              "status": "affected",
              "version": "2.4.5"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "WP Blog and Widgets",
          "vendor": "essentialplugin",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.6"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Countdown Timer Ultimate",
          "vendor": "essentialplugin",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.9"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Blog Designer \u2013 Post and Widget",
          "vendor": "essentialplugin",
          "versions": [
            {
              "status": "affected",
              "version": "2.7.7"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Team Slider and Team Grid Showcase plus Team Carousel",
          "vendor": "essentialplugin",
          "versions": [
            {
              "status": "affected",
              "version": "2.8.6"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Video gallery and Player",
          "vendor": "essentialplugin",
          "versions": [
            {
              "status": "affected",
              "version": "2.8.7"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Popup Maker and Popup Anything \u2013 Popup for opt-ins and Lead Generation Conversions",
          "vendor": "essentialplugin",
          "versions": [
            {
              "status": "affected",
              "version": "2.9.1"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Testimonial Grid and Testimonial Slider plus Carousel with Rotator Widget",
          "vendor": "essentialplugin",
          "versions": [
            {
              "status": "affected",
              "version": "3.5.6"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "WP Responsive Recent Post Slider/Carousel",
          "vendor": "essentialplugin",
          "versions": [
            {
              "status": "affected",
              "version": "3.7.1"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "WP Slick Slider and Image Carousel",
          "vendor": "essentialplugin",
          "versions": [
            {
              "status": "affected",
              "version": "3.7.8.1"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "WP Logo Showcase Responsive Slider and Carousel",
          "vendor": "essentialplugin",
          "versions": [
            {
              "status": "affected",
              "version": "3.8.7"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "WP responsive FAQ with category plugin",
          "vendor": "essentialplugin",
          "versions": [
            {
              "status": "affected",
              "version": "3.9.5"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "WP News and Scrolling Widgets",
          "vendor": "essentialplugin",
          "versions": [
            {
              "status": "affected",
              "version": "5.0.6"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Eu Joe Chegne"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Damien"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "All plugins by Essentialplugin for WordPress are vulnerable to an injected backdoor in various versions. This is due to the plugin being sold to a malicious threat actor that embedded a backdoor in all of the plugin\u0027s they acquired. This makes it possible for the threat actor to maintain a persistent backdoor and inject spam into the affected sites."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-506",
              "description": "CWE-506 Embedded Malicious Code",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-21T19:53:07.705Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2597724a-9a39-4e46-b153-f42366f833ba?source=cve"
        },
        {
          "url": "https://anchor.host/someone-bought-30-wordpress-plugins-and-planted-a-backdoor-in-all-of-them/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-16T18:38:10.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-04-09T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Essentialplugin Plugins (Various Versions) - Injected Backdoor"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-6443",
    "datePublished": "2026-04-17T06:44:49.128Z",
    "dateReserved": "2026-04-16T18:22:16.366Z",
    "dateUpdated": "2026-04-21T19:53:07.705Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-8398 (GCVE-0-2026-8398)

Vulnerability from cvelistv5 – Published: 2026-05-15 07:30 – Updated: 2026-05-28 03:55
Summary
A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows versions 12.5.0.2421 through 12.5.0.2434), distributed from the legitimate website daemon-tools.cc between approximately April 8, 2026, and May 5, 2026. Attackers gained unauthorized access to the vendor's (AVB Disc Soft) build or distribution infrastructure and trojanized three binaries: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. These files were digitally signed with the legitimate AVB Disc Soft code-signing certificate, allowing the malicious installers to appear trustworthy and bypass signature-based detection.
CWE
  • CWE-506 - Embedded Malicious Code
Impacted products
Vendor Product Version
AVB Disc Soft DAEMON Tools Lite Affected: 12.5.0.2421 , < 2.6.0.* (semver)
Credits
Igor Kuznetsov (Kaspersky), Georgy Kucherin (Kaspersky), Leonid Bezvershenko (Kaspersky), Anton Kargin (Kaspersky)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-8398",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-15T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2026-05-27",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-8398"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-28T03:55:20.809Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-8398"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-05-27T00:00:00.000Z",
            "value": "CVE-2026-8398 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Windows"
          ],
          "product": "DAEMON Tools Lite",
          "vendor": "AVB Disc Soft",
          "versions": [
            {
              "lessThan": "2.6.0.*",
              "status": "affected",
              "version": "12.5.0.2421",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Igor Kuznetsov (Kaspersky)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Georgy Kucherin (Kaspersky)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Leonid Bezvershenko (Kaspersky)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Anton Kargin (Kaspersky)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows versions 12.5.0.2421 through 12.5.0.2434), distributed from the legitimate website daemon-tools.cc between approximately April 8, 2026, and May 5, 2026. Attackers gained unauthorized access to the vendor\u0027s (AVB Disc Soft) build or distribution infrastructure and trojanized three binaries: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. These files were digitally signed with the legitimate AVB Disc Soft code-signing certificate, allowing the malicious installers to appear trustworthy and bypass signature-based detection."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "cvssV4_0": {
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-506",
              "description": "CWE-506: Embedded Malicious Code",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-15T07:30:29.287Z",
        "orgId": "e45d732a-8f6b-4b6b-be76-7420f6a2b988",
        "shortName": "Kaspersky"
      },
      "references": [
        {
          "name": "DAEMON Tools software infected \u2013 supply chain attack ongoing since April 8, 2026",
          "tags": [
            "technical-description",
            "third-party-advisory"
          ],
          "url": "https://securelist.com/tr/daemon-tools-backdoor/119654/"
        },
        {
          "name": "Security Incident Affecting DAEMON Tools Lite: What We Know So Far",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://blog.daemon-tools.cc/post/security-incident"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Users of potentially infected application are recommended to uninstall the application, run a full system scan using antivirus software with the latest version of the anti-virus databases, and install the latest version of DAEMON Tools Lite (12.6 or newer) from the official website."
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-06T00:00:00.000Z",
          "value": "Advisory published by vendor"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e45d732a-8f6b-4b6b-be76-7420f6a2b988",
    "assignerShortName": "Kaspersky",
    "cveId": "CVE-2026-8398",
    "datePublished": "2026-05-15T07:30:29.287Z",
    "dateReserved": "2026-05-12T13:20:16.358Z",
    "dateUpdated": "2026-05-28T03:55:20.809Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation

Phases: Implementation, Operation

Description:

  • Remove the malicious code and start an effort to ensure that no more malicious code exists. This may require a detailed review of all code, as it is possible to hide a serious attack in only one or two lines of code. These lines may be located almost anywhere in an application and may have been intentionally obfuscated by the attacker.

CAPEC-442: Infected Software

An adversary adds malicious logic, often in the form of a computer virus, to otherwise benign software. This logic is often hidden from the user of the software and works behind the scenes to achieve negative impacts. Many times, the malicious logic is inserted into empty space between legitimate code, and is then called when the software is executed. This pattern of attack focuses on software already fielded and used in operation as opposed to software that is still under development and part of the supply chain.

CAPEC-448: Embed Virus into DLL

An adversary tampers with a DLL and embeds a computer virus into gaps between legitimate machine instructions. These gaps may be the result of compiler optimizations that pad memory blocks for performance gains. The embedded virus then attempts to infect any machine which interfaces with the product, and possibly steal private data or eavesdrop.

CAPEC-636: Hiding Malicious Data or Code within Files

Files on various operating systems can have a complex format which allows for the storage of other data, in addition to their contents. Often this is metadata about the file, such as a cached thumbnail for an image file. Unless utilities are invoked in a particular way, this data is not visible during the normal use of the file. It is possible for an attacker to store malicious data or code using these facilities, which would be difficult to discover.
