ASB-A-447135012

In setupLayout of PickActivity.java, there is a possible way to start any activity as a DocumentsUI app due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

Malicious code in dc-mobx (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector df9e2dd1e6518d1399b40b444e58b1df6e1b73c5b7537390ba5950221b7835c0 The package dc-mobx was found to contain malicious code. Source: ghsa-malware 7ed4c54f4caa51eaa254af92038fe2e076f7dbe16e0067d481d9aa89925e3ec4 Any...

MAL-2026-1081 Malicious code in marionette-react-view (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cbf2cb3282bede4d5ddc03ed4c435fefa92ad5b6b18f51f7d7980578ec3bcf60 The package marionette-react-view was found to contain malicious code. Source: ghsa-malware...

MAL-2026-1063 Malicious code in cicd-ppe-redteam-test01 (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 5ff0b643e9e96817244b6499fdbcfd26b6c26cf366980909a6461e4c15b389fd Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

MAL-2026-1061 Malicious code in newman-reporter-genuinepoc (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c9c199e603c75858879d1b49354696a66128d31c3160e22c6c2b105e146235fd The package newman-reporter-genuinepoc was found to contain malicious code. Source: ossf-package-analysis...

MAL-2026-1055 Malicious code in jslint-config (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 11f2fdea43a54f2aac247e06fcc46c506979a5b1ccb5d178077662e61f747b74 The package jslint-config was found to contain malicious code. Source: ghsa-malware bddd0b74c730da3b118b7ef92befbc93b4b1379cc23ce7535e843151a84ae957...

Malicious StripeApi NuGet Package Mimicked Official Library and Stole API Tokens

Cybersecurity researchers have disclosed details of a new malicious package discovered on the NuGet Gallery, impersonating a library from financial services firm Stripe in an attempt to target the financial sector. The package, codenamed StripeApi.Net, attempts to masquerade as Stripe.net, a...

Cisco SD-WAN Zero-Day CVE-2026-20127 Exploited Since 2023 for Admin Access

A newly disclosed maximum-severity security flaw in Cisco Catalyst SD-WAN Controller formerly vSmart and Catalyst SD-WAN Manager formerly vManage has come under active exploitation in the wild as part of malicious activity that dates back to 2023. The vulnerability, tracked as CVE-2026-20127 CVSS...

MAL-2026-1038 Malicious code in promanage (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 34866a6d91e495c7692a123d4f1b31f1a98cf793744c4649f92eccf97d43ee9b The package promanage was found to contain malicious code. Source: ghsa-malware 55e3f919d2876892f9e686ad04eb2e38c1f5fdb1e3d93f39fc306563d9a4fa18 Any...

CVE-2026-3105

SummaryThis advisory addresses a SQL injection vulnerability in the API endpoint used for retrieving contact activities. A vulnerability exists in the query construction for the Contact Activity timeline where the parameter responsible for determining the sort direction was not strictly validated...

EUVD-2026-8548

Mautic is Vulnerable to SQL Injection through Contact Activity API Sorting...

GHSA-R5J5-Q42H-FC93 Mautic is Vulnerable to SQL Injection through Contact Activity API Sorting

Summary This advisory addresses a SQL Injection vulnerability in the API endpoint used for retrieving contact activities. A vulnerability exists in the query construction for the Contact Activity timeline where the parameter responsible for determining the sort direction was not strictly validate...

SQL Injection

Overview Affected versions of this package are vulnerable to SQL Injection in the ORDER BY parameter supplied to the getTimelineResults function via the Contact Activity timeline API endpoint. Remediation Upgrade mautic/core-lib to version 5.2.10, 6.0.8, 7.0.1 or higher. References - GitHub Commi...

Mautic is Vulnerable to SQL Injection through Contact Activity API Sorting

Summary This advisory addresses a SQL Injection vulnerability in the API endpoint used for retrieving contact activities. A vulnerability exists in the query construction for the Contact Activity timeline where the parameter responsible for determining the sort direction was not strictly validate...

CISA Confirms Active Exploitation of FileZen CVE-2026-25108 Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency CISA on Tuesday added a recently disclosed vulnerability in FileZen to its Known Exploited Vulnerabilities KEV catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2026-25108 CVSS v4 score: 8.7, is a case of...

CVE-2026-3105

SummaryThis advisory addresses a SQL injection vulnerability in the API endpoint used for retrieving contact activities. A vulnerability exists in the query construction for the Contact Activity timeline where the parameter responsible for determining the sort direction was not strictly validated...

CVE-2026-3105

CVE-2026-3105 — Mautic is affected by a SQL injection vulnerability in the API endpoint that retrieves Contact Activity data. The root cause is improper validation of the sort direction parameter in the query construction for the Contact Activity timeline, allowing an authenticated user to inject...

CVE-2026-3105 SQL Injection in Contact Activity API Sorting

SummaryThis advisory addresses a SQL injection vulnerability in the API endpoint used for retrieving contact activities. A vulnerability exists in the query construction for the Contact Activity timeline where the parameter responsible for determining the sort direction was not strictly validated...

CVE-2026-3105

SummaryThis advisory addresses a SQL injection vulnerability in the API endpoint used for retrieving contact activities. A vulnerability exists in the query construction for the Contact Activity timeline where the parameter responsible for determining the sort direction was not strictly validated...

CVE-2026-3105 SQL Injection in Contact Activity API Sorting

SummaryThis advisory addresses a SQL injection vulnerability in the API endpoint used for retrieving contact activities. A vulnerability exists in the query construction for the Contact Activity timeline where the parameter responsible for determining the sort direction was not strictly validated...