Access of Resource Using Incompatible Type ('Type Confusion')

Overview org.webjars.npm:handlebars is an extension to the Mustache templating language. Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type 'Type Confusion' via the compile function. An attacker can execute arbitrary code by supplying a crafted Abstract...

GHSA-2W6W-674Q-4C4Q Handlebars.js has JavaScript Injection via AST Type Confusion

Summary Handlebars.compile accepts a pre-parsed AST object in addition to a template string. The value field of a NumberLiteral AST node is emitted directly into the generated JavaScript without quoting or sanitization. An attacker who can supply a crafted AST to compile can therefore inject and...

EUVD-2026-16848

Handlebars.js has JavaScript Injection via AST Type Confusion...

Detecting Data Poisoning in Code Generation LLMs Via Black-Box, Vulnerability-Oriented Scanning

Code generation large language models LLMs are increasingly integrated into modern software development workflows. Recent work has shown that these models are vulnerable to backdoor and poisoning attacks that induce the generation of insecure code, yet effective defenses remain limited. Existing...

CLSA-2026-1772039226 golang: Fix of 2 CVEs

CVE-2025-61726: limit parsed URL query parameters to mitigate excessive memory consumption during form parsing - CVE-2025-61732: prevent cgo code smuggling by removing user-controlled content from documentation strings in generated ASTs...

GHSA-MXHJ-88FX-4PCV Fickling: OBJ opcode call invisibility bypasses all safety checks

Assessment The interpreter so it behaves closer to CPython when dealing with OBJ, NEWOBJ, and NEWOBJEX opcodes https://github.com/trailofbits/fickling/commit/ff423dade2bb1f72b2b48586c022fac40cbd9a4a. Original report Summary All 5 of fickling's safety interfaces -- islikelysafe, checksafety, CLI...

PT-2026-21404

A flaw has been found in skvadrik re2c up to 4.4. Impacted is the function check and merge special rules of the file src/parse/ast.cc. This manipulation causes null pointer dereference. The attack can only be executed locally. The exploit has been published and may be used. Patch name:...

Detecting PowerShell-Based Fileless Cryptojacking Attacks Using Machine Learning

With the emergence of remote code execution RCE vulnerabilities in ubiquitous libraries and advanced social engineering techniques, threat actors have started conducting widespread fileless cryptojacking attacks. These attacks have become effective with stealthy techniques based on PowerShell-bas...

Regular Expression Denial of Service (ReDoS)

Overview minimatch is a minimal matching utility. Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS in the AST class, caused by catastrophic backtracking when an input string contains many characters in a row, followed by an unmatched character. Detail...

CVE-2026-25533

Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.10.1, the existing layers of security in enclave-vm are insufficient: The AST sanitization can be bypassed with dynamic property accesses, the hardening of the error objects does not cover the peculiar...

PoC-Analyzer

PoC Analyzer Proof-of-Concept Malicious Intent Detector !P...

EUVD-2022-1041

Malicious code in bioql PyPI...

CodeQL zero to hero part 5: Debugging queries

When you're first getting started with CodeQL, you may find yourself in a situation where a query doesn't return the results you expect. Debugging these queries can be tricky, because CodeQL is a Prolog-like language with an evaluation model that's quite different from mainstream languages like...

VerilogLAVD: LLM-Aided Rule Generation for Vulnerability Detection in Verilog

Timely detection of hardware vulnerabilities during the early design stage is critical for reducing remediation costs. Existing early detection techniques often require specialized security expertise, limiting their usability. Recent efforts have explored the use of large language models LLMs for...

Breaking Obfuscation: Cluster-Aware Graph with LLM-Aided Recovery for Malicious JavaScript Detection

With the rapid expansion of web-based applications and cloud services, malicious JavaScript code continues to pose significant threats to user privacy, system integrity, and enterprise security. But, detecting such threats remains challenging due to sophisticated code obfuscation techniques and...

github.com/expr-lang/expr: Memory Exhaustion in Expr Parser with Unrestricted Input

A flaw was found in Expr. This vulnerability allows excessive memory usage and potential out-of-memory OOM crashes via unbounded input strings, where a malicious or inadvertent large expression can cause the parser to construct an extremely large Abstract Syntax Tree AST, consuming excessive memo...

H2O 资源管理错误漏洞

H2O is an in-memory platform for distributed, scalable machine learning open-sourced by H2O.ai. A resource management error vulnerability exists in H2O version 3.46.0.1, which stems from the runtool command exposing classes in the water.tools package via the ast parser, which could lead to a deni...

Memory Exhaustion in Expr Parser with Unrestricted Input

Impact If the Expr expression parser is given an unbounded input string, it will attempt to compile the entire string and generate an Abstract Syntax Tree AST node for each part of the expression. In scenarios where input size isn’t limited, a malicious or inadvertent extremely large expression c...

CVE-2025-29786

A flaw was found in Expr. This vulnerability allows excessive memory usage and potential out-of-memory OOM crashes via unbounded input strings, where a malicious or inadvertent large expression can cause the parser to construct an extremely large Abstract Syntax Tree AST, consuming excessive...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the parseExpression function in parser.go, due to the unrestricted size of input strings, which can cause the generation of large Abstract Syntax Trees ASTs. An attacker can crash...