4756 matches found
CVE-2026-55180
pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm and pacquet expanded $ENVVAR placeholders from repository-controlled .npmrc and pnpm-workspace.yaml into registry request destinations and registry credentials. A malicious repository could cause dependency resolution to send victim...
MagicMirror <= 2.35.0 - Server-Side Request Forgery
An unauthenticated Server-Side Request Forgery SSRF vulnerability in the /cors endpoint allows any remote attacker to force the MagicMirror² server to perform arbitrary HTTP requests to internal networks, cloud metadata services, and localhost services. The endpoint also expands environment...
OwnCloud - Phpinfo Configuration
An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment phpinfo. This information...
Vendure - Arbitrary File Read
Vendure is an open-source headless commerce platform. Prior to versions 3.0.5 and 2.3.3, a vulnerability in Vendure's asset server plugin allows an attacker to craft a request which is able to traverse the server file system and retrieve the contents of arbitrary files, including sensitive data...
GHSA-PRJ9-97MP-MWH2 OliveTin has Unvalidated `ot_`-prefixed Arguments that Bypass Input Filtering
Description The filterToDefinedArgumentsOnly function in the executor is intended to discard any arguments not explicitly defined in the action's configuration. However, a special case allows any argument whose name starts with ot to bypass this filter. While two system arguments...
CVE-2026-48721 Warp: Env-var prefixes can lead to denylisted command autoexecution
Warp is an agentic development environment. From 0.2025.10.08.08.12.stable00 until 0.2026.05.06.15.42.stable01, Warp contains a command execution permission-check bypass in the default unsandboxed CLI agent profile. The CLI profile is non-interactive and relies on a command denylist as a safety...
Malicious code in gunicorm (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c97ab7b686dad57c3e1ffd4b86d6a75470164ed15ceedc2b26a4847fb2a331ab Package name gunicorm is a single-character edit of the widely-used gunicorn WSGI server and ships no functional code beyond setup.py. setup.py...
MAL-2026-6383 Malicious code in gunicorm (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c97ab7b686dad57c3e1ffd4b86d6a75470164ed15ceedc2b26a4847fb2a331ab Package name gunicorm is a single-character edit of the widely-used gunicorn WSGI server and ships no functional code beyond setup.py. setup.py...
MAL-2026-6381 Malicious code in ditenv (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f0a52dbba9abeff2c606bcbc862027da259fcbd3938c827abfdbdb06ba801ecb setup.py overrides the install and egginfo commands with a RunCommand class that fires unconditionally on pip install or pip download. The override...
Malicious code in ditenv (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f0a52dbba9abeff2c606bcbc862027da259fcbd3938c827abfdbdb06ba801ecb setup.py overrides the install and egginfo commands with a RunCommand class that fires unconditionally on pip install or pip download. The override...
Malicious code in fkaks (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e44e1f1158eda01d3f18e3a3c01e30ebc9f8f92780ea532a63cf6ed31d8a25d3 fkaks 0.0.1 ships a setup.py that overrides the install and egginfo commands so that any pip install or pip download of the package unconditionally...
MAL-2026-6382 Malicious code in fkaks (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e44e1f1158eda01d3f18e3a3c01e30ebc9f8f92780ea532a63cf6ed31d8a25d3 fkaks 0.0.1 ships a setup.py that overrides the install and egginfo commands so that any pip install or pip download of the package unconditionally...
PT-2026-52182
Name of the Vulnerable Software and Affected Versions OliveTin affected versions not specified Description The filterToDefinedArgumentsOnly function in the executor fails to properly restrict arguments, allowing any argument starting with the ot prefix to bypass input filtering. While the system ...
Malicious code in toorc (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2cfd36909e089f17439dd3227c6f5ccef2fef2964dc26bbdbaaef0481b54615d On pip install and even pip download, the package's setup.py overrides the install and egginfo commands to execute a RunCommand routine that serializ...
MAL-2026-6290 Malicious code in toorc (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2cfd36909e089f17439dd3227c6f5ccef2fef2964dc26bbdbaaef0481b54615d On pip install and even pip download, the package's setup.py overrides the install and egginfo commands to execute a RunCommand routine that serializ...
Malicious code in equest (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cfe07e7f1e241dde491d3d6f5553ed2247a6f8e1dfdf34b0eaa9943a2cba5094 The package name equest is a one-character deletion of the widely-used requests package and ships no functional library code. setup.py registers cust...
MAL-2026-6289 Malicious code in equest (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cfe07e7f1e241dde491d3d6f5553ed2247a6f8e1dfdf34b0eaa9943a2cba5094 The package name equest is a one-character deletion of the widely-used requests package and ships no functional library code. setup.py registers cust...
MAL-2026-6280 Malicious code in ip-rotat (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e85ab2724beee13bb6c2658c5bf5d50069c83619f062d39935226ff1fee1c0a3 On pip install or pip download, setup.py registers overridden install and egginfo cmdclass entries that execute ps -elf to capture the host's process...
Malicious code in ip-rotat (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e85ab2724beee13bb6c2658c5bf5d50069c83619f062d39935226ff1fee1c0a3 On pip install or pip download, setup.py registers overridden install and egginfo cmdclass entries that execute ps -elf to capture the host's process...
Malicious code in d0rk3r-telemetry (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector da4542d225ef144ecc5df2f578104ffc12659196c57b2214ecb54f60620601c6 On import d0rk3rtelemetry, the package spawns a background thread that reads installer-owned secrets and POSTs them to an attacker-controlled endpoin...