56387 matches found
Malicious code in @thebros/create-benjamin (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 53fb816939bb505cdabc374418983428298b09a29e5789033943301642b8b156 The package tarball ships a .env file containing a live-looking OpenAI API key OPENAIAPIKEY=sk-proj-.... The CLI entry point bin/index.js calls impor...
Malicious code in kurumi-fca (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f90450e6ca1502bf6287d945c37c4c64f59e624a4269ab8e07600a9db5e755d0 kurumi-fca is a Facebook Chat API library whose advertised purpose is to listen to Messenger events for the caller. Two undisclosed behaviors make it...
Cisco Patches CVSS 10.0 Secure Workload REST API Flaw Enabling Data Access
Cisco has rolled out updates for a maximum-severity security flaw impacting Secure Workload that could allow an unauthenticated, remote attacker to access sensitive data. Tracked as CVE-2026-20223 (CVSS score: 10.0), the vulnerability arises from insufficient validation and authentication when...
MAL-2026-4363 Malicious code in @asura21232/fca-unofficial-nextgen (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 30540a72a722c901403164aeb090ca99999d3be2cc4d9e9f3ad99ef319fc2db2 This package presents itself as an unofficial Facebook Messenger client library, but its exported authentication helpers loginViaAPI, tokensViaAPI,...
Malicious code in @asura21232/fca-unofficial-nextgen (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 30540a72a722c901403164aeb090ca99999d3be2cc4d9e9f3ad99ef319fc2db2 This package presents itself as an unofficial Facebook Messenger client library, but its exported authentication helpers loginViaAPI, tokensViaAPI,...
Linux Distros Unpatched Vulnerability : CVE-2026-41888
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.1, tag deletion via the DELETE /v2//manifests/ endpoint bypasses the...
Mattermost Security Vulnerability
Mattermost is an open-source collaboration platform developed by the American company Mattermost. Vulnerabilities exist in versions of Mattermost 11.6.0 and earlier 11.6.x series, as well as versions prior to 11.5.3 11.5.x series, 11.4.4 and earlier 11.4.x series, and 10.11.14 and earlier 10.11.x...
Devolutions Server Security Vulnerability
Devolutions Server is an application system developed by the Canadian company Devolutions. It provides a fully functional solution for shared accounts and password management. Versions of Devolutions Server from 2026.1.6.0 to 2026.1.16.0, as well as versions prior to 2025.3.20.0, have security...
Devolutions Server Security Vulnerability
Devolutions Server is an application system developed by the Canadian company Devolutions. It provides a fully functional solution for shared accounts and password management. Versions of Devolutions Server from 2026.1.6.0 to 2026.1.16.0, as well as versions prior to 2025.3.20.0, have security...
Typebot Security Vulnerability
Typebot is an open-source chat bot builder developed by Baptiste Arnaud. Versions of Typebot 3.16.0 and earlier contained a security vulnerability. This vulnerability stemmed from the WhatsApp Cloud API webhook endpoint not verifying the x-hub-signature-256 HMAC signature, allowing unauthenticate...
Unity Linux 20.1070e Security Update: hibernate (UTSA-2026-016690)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016690 advisory. A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit...
Linux Distros Unpatched Vulnerability : CVE-2026-28376
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to...
PT-2026-42785
Improper access control in the entry activity log feature in Devolutions Server allows an authenticated user with access to an entry but without the required permission to retrieve that entry's activity logs via a crafted API request. This issue affects: Devolutions Server 2026.1.6.0 through...
PT-2026-42790
Missing authorization in the user profile update feature in Devolutions Server allows an authenticated Active Directory user to modify their own profile attributes via a crafted API request. This issue affects: Devolutions Server 2026.1.6.0 through 2026.1.16.0; Devolutions Server 2025.3.20.0 and...
Incorrect Authorization
Overview: litellm is a library to easily interface with LLM API providers. Affected versions of this package are vulnerable to Incorrect Authorization via the allowedroutes field during API key generation. An attacker can gain unauthorized access to restricted routes by specifying routes outside...
MAL-2026-4755 Malicious code in mathepy (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 268eeb8db2d704a5b34b2007a25477fdd9f2de3525462f3dd78192aa5d2f95a1 Package metadata advertises mathepy as a 'Module for Quick Calculations', but the package's importable init.py exposes 13 top-level functions askllm,...
MAL-2026-4749 Malicious code in fakehuop (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 677eed2b8b2630ec8e88b29d7ae3d9d49fc0d0c18230cc51b24d8102cdb151ee Every advertised function in this package askllm, pink, america, iran, momo, abc, bcd, code, sf, liti, koko, init, dropnull, hellp, lc instantiates a...
CVE-2026-7887
For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uIsActive=0 (suspended, banned, terminated employee) can still authenticate via OAuth and receive valid API tokens. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score o...
CVE-2026-7887
Summary: CVE-2026-7887 affects Concrete CMS 9.5.0 and earlier. The OAuth 2.0 Authorization-Code Handler does not enforce account status, allowing a user with uIsActive=0 (suspended/banned/terminated) to authenticate and obtain API tokens. What’s affected: Concrete CMS versions prior to 9.5.1 (per...
CVE-2026-47101
LiteLLM prior to 1.83.14 allows an authenticated internaluser to create API keys with access to routes that their role does not permit. When generating a key, the allowedroutes field is stored without verifying that the specified routes fall within the user's own permissions. A key created with...