CVE-2026-44009

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, This vulnerability is fixed in 3.11.2...

CVE-2026-44008

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, the new method neutralizeArraySpeciesBatch works with objects from the other side but can call into this side via getter on the array prototype exposing objects of the wrong side into the sandbox. This can be used to get host objects...

CVE-2026-44009

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, This vulnerability is fixed in 3.11.2...

CVE-2026-44008

CVE-2026-44008 describes a vm2 sandbox escape in the Node.js vm2 library. Before version 3.11.2, the method neutralizeArraySpeciesBatch could interact with objects from the outside and, via a getter on Array.prototype, expose host objects to the sandbox, allowing an attacker to access the host Fu...

NPM: vm2 has access to `VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL`

NPM: vm2 has access to VM2INTERNALSTATEDONOTUSEORPROGRAMWILLFAIL vulnerability discovered by ? in WordPress Npm vm2 versions 3.11.2...

Arbitrary Code Injection

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Arbitrary Code Injection via the handleException function and the sandbox-side globalPromise.prototype.then wrapper in lib/setup-sandbox.js. An...

NPM: vm2 has Sandbox Breakout Through Null Proto Exception

NPM: vm2 has Sandbox Breakout Through Null Proto Exception vulnerability discovered by ? in WordPress Npm vm2 versions 3.11.2...

Arbitrary Code Injection

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Arbitrary Code Injection despite the recently introduced neutralizeArraySpeciesBatch helper in lib/bridge.js. An attacker can execute arbitrary code ...

postfix-3.11.2-1.1 on GA media (moderate)

postfix-3.11.2-1.1 on GA media Announcement ID: openSUSE-SU-2026:10707-1 Rating: moderate Cross-References: CVE-2026-43964 CVSS scores: CVE-2026-43964 SUSE : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-43964 SUSE : 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N...

OPENSUSE-SU-2026:10707-1 postfix-3.11.2-1.1 on GA media

These are all security issues fixed in the postfix-3.11.2-1.1 package on the GA media of openSUSE Tumbleweed...

PT-2026-38524

These are all security issues fixed in the postfix-3.11.2-1.1 package on the GA media of openSUSE Tumbleweed...

OPENSUSE-SU-2026:10607-1 golang-github-prometheus-prometheus-3.11.2-1.1 on GA media

These are all security issues fixed in the golang-github-prometheus-prometheus-3.11.2-1.1 package on the GA media of openSUSE Tumbleweed...

Linux Distros Unpatched Vulnerability : CVE-2026-40179

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting...

SUSE CVE-2026-40179

Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into innerHTML without...

CVE-2026-40179

CVE-2026-40179 is a stored XSS in Prometheus web UI. Versions 3.0–3.5.1 and 3.6.0–3.11.1 allow metric names/label values to be injected into innerHTML without escaping, affecting Mantine UI and the old React UI. Attackers who can influence metrics (via compromised scrape target, remote write, or ...

CVE-2026-40179 Prometheus: Stored XSS via metric names and label values in web UI tooltips and metrics explorer

Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into innerHTML without...

GHSA-CVHH-Q5G5-QPRP Keras framework vulnerable to deserialization of untrusted data

Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a maliciously uploaded Keras file containing a TorchModuleWrapper class to run arbitrary code on an end user’s system when loaded despite safe mode being...

UBUNTU-CVE-2025-49655

Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a maliciously uploaded Keras file containing a TorchModuleWrapper class to run arbitrary code on an end user’s system when loaded despite safe mode being...

EUVD-2021-32605

Malicious code in bioql PyPI...

CVE-2025-3193

Versions of the package algoliasearch-helper from 2.0.0-rc1 and before 3.11.2 are vulnerable to Prototype Pollution in the merge function in merge.js, which allows constructor.prototype to be written even though doing so throws an error. In the "extreme edge-case" that the resulting error is...