252068 matches found
MAL-2026-5492 Malicious code in xnder-wrapper-module (npm)
Source: ghsa-malware 4d68068055d711593139864c52e7ccec4dd81369467be5d9ba6d30d47fd6e507 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Node RED Dashboard <2.26.2 - Local File Inclusion
NodeRED-Dashboard before 2.26.2 is vulnerable to local file inclusion because it allows uibase/js/..%2f directory traversal to read files. id: CVE-2021-3223 info: name: Node RED Dashboard 2.26.2 - Local File Inclusion author: gy741,pikpikcu severity: high description: NodeRED-Dashboard before...
PT-2026-48380
Release: https://github.com/yt-dlp/yt-dlp/releases/tag/2026.06.09 https://github.com/yt-dlp/yt-dlprelease-files - Github/Documentation: https://github.com/yt-dlp/yt-dlpreadme - PyPI: https://pypi.org/project/yt-dlp - Donate: Maintainers.md Changelog Important changes - The minimum supported...
PT-2026-48379
Release: https://github.com/yt-dlp/yt-dlp/releases/tag/2026.06.09 https://github.com/yt-dlp/yt-dlprelease-files - Github/Documentation: https://github.com/yt-dlp/yt-dlpreadme - PyPI: https://pypi.org/project/yt-dlp - Donate: Maintainers.md Changelog Important changes - The minimum supported...
PT-2026-48378
Release: https://github.com/yt-dlp/yt-dlp/releases/tag/2026.06.09 https://github.com/yt-dlp/yt-dlprelease-files - Github/Documentation: https://github.com/yt-dlp/yt-dlpreadme - PyPI: https://pypi.org/project/yt-dlp - Donate: Maintainers.md Changelog Important changes - The minimum supported...
PT-2026-48403
image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted image buffer with a zero-valued size field in a recognized box-type. Attackers can trigger an infinite loop in the JXL or...
Linux Distros Unpatched Vulnerability : CVE-2026-46281
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - vmalloc: fix buffer overflow in vreallocnodealign Commit 4c5d3365882d mm/vmalloc: allow to set node and align in vrealloc added the ability to force a new...
CVE-2026-46543
CVE-2026-46543 (Nimiq blockchain) affects the Rust implementation
CVE-2026-46543 nimiq-blockchain: Genesis batch set request
Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.5.0, a remote peer can crash any full node by sending a RequestBatchSet message containing the genesis block's hash. The handler calls getepochchunks which iterates...
CVE-2026-46541 Nimiq network-libp2p: DHT query poisoning via first-record verification failure
Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.4.0, in handledhtget, the DhtResults accumulator is only initialized when the first DHT record passes verification. If the first record fails from a malicious DHT...
CVE-2026-46442
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, POST /api/v1/node-custom-function lacks route-level authorization, allowing any authenticated user or API key to submit arbitrary JavaScript to the Custom JS Function node. When...
MAL-2026-5478 Malicious code in mcp-server-git (npm)
Source: amazon-inspector 4cf54d60f4aeb261f3b4c523293183b728b02bc20255aeab62d7f86c94adc7ed package.json declares postinstall: node index.js. On every npm install, index.js lines 14-29 reads os.hostname, process.cwd, os.platform, the npm...
Malicious code in mcp-server-git (npm)
Source: amazon-inspector 4cf54d60f4aeb261f3b4c523293183b728b02bc20255aeab62d7f86c94adc7ed package.json declares postinstall: node index.js. On every npm install, index.js lines 14-29 reads os.hostname, process.cwd, os.platform, the npm...
Malicious code in mcp-server-postgres (npm)
Source: amazon-inspector 6c4d1fa0d6fdf2966637bf91c161f3c063aa675eeca88bd0f9abf002c51070c6 Unscoped package 'mcp-server-postgres' impersonates the official scoped '@modelcontextprotocol/server-postgres'. package.json declares a postinstall...
Malicious code in mcp-server-redis (npm)
Source: amazon-inspector 2c31b47d009efb7e10d0b41e71923fcfefa90a45895db0ec02bc6c8f1fee1c86 Package squats the unscoped npm name mcp-server-redis commonly invoked via npx mcp-server-redis by MCP/AI tooling looking for the official scoped Red...
MAL-2026-5484 Malicious code in mcp-server-sequential-thinking (npm)
Source: amazon-inspector 211672c16839ae6cd4e9f10810163da536480f07938b2d51c50ecbbb9f5e90ed Unscoped package impersonating the official @modelcontextprotocol/server-sequential-thinking MCP server. package.json declares postinstall: 'node...
MAL-2026-5477 Malicious code in mcp-server-figma (npm)
Source: amazon-inspector 474223e0d5456564c1ae112031e3b8f276850a79f59cc93ed3a04805de291f20 Package squats the unscoped name mcp-server-figma, which AI coding agents and developers commonly invoke via npx mcp-server-figma expecting the...
MAL-2026-5480 Malicious code in mcp-server-notion (npm)
Source: amazon-inspector 0423928197ec83ac273fa4a1b66d9e75398b956e7d5027014ff6326c552a46c2 Package occupies the unscoped name mcp-server-notion to catch misrouted installs of the scoped MCP Notion server. package.json declares "postinstall"...
MAL-2026-5468 Malicious code in getd-pantallas-cliente (npm)
Source: amazon-inspector 89a26267435645776aa984be114d5c657e63fa9937ff044e5ddd24943b28ea6e On npm install, postinstall.js collects os.hostname, os.userInfo.username, os.platform, process.cwd, and CI/build environment variables and sends the...
Malicious code in getd-typescript-eslint-rules (npm)
Source: amazon-inspector caed4b0db34232c4ef920817b6087cee9ac0610ec4ec2e49edbb5f167342f42f On npm install, the postinstall.js script collects the installer's hostname, OS username, platform, current working directory, CI environment markers...