31126 matches found
CVE-2026-11534
A vulnerability was detected in imvks786 studentmanagementsystem up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. Affected by this issue is some unknown functionality of the file /add.php. The manipulation of the argument name/address/fname results in cross site scripting. It is possible to launch...
MAL-2026-5462 Malicious code in @rockawayx/utils (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e286c45b54ab9002ef8b7eec7ec686afc0bb82c2867c3640c460c8d1052b2bab @rockawayx/utils squats the unclaimed @rockawayx npm scope and runs a preinstall beacon on every install. package.json declares "preinstall": "node...
CVE-2026-36819
Shenzhen Tenda Technology Co., Ltd Tenda W20E v15.11.0.6 was discovered to contain a buffer overflow in the bindMACAddr parameter of the fromSetDhcpRules function. This vulnerability allows attackers to cause a Denial of Service DoS via a crafted HTTP request...
CVE-2026-36822
Shenzhen Tenda Technology Co., Ltd Tenda W20E v15.11.0.6 was discovered to contain a buffer overflow in the macAddr parameter of the formDelStaState function. This vulnerability allows attackers to cause a Denial of Service DoS via a crafted HTTP request...
CVE-2026-47106 Ellucian Banner Self-Service Stored XSS via getFacultyMeetingTimes API
Ellucian Banner Self-Service before the April T2 release 2025-04-23 contains a stored cross-site scripting vulnerability in the course search functionality that allows authenticated Banner ERP users to inject malicious payloads into faculty and course fields by exploiting missing HTML encoding...
NULL Pointer Dereference
Overview Affected versions of this package are vulnerable to NULL Pointer Dereference in the QUIC server when address validation is disabled. An attacker can crash the server by sending an initial packet with an invalid or expired token. Address validation is enabled by default, so this is...
EUVD-2026-35635
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized write...
EUVD-2026-35481
Issue summary: Receiving a QUIC initial packet with an invalid token may trigger a NULL pointer dereference in the OpenSSL QUIC server with address validation disabled. Impact summary: NULL pointer dereference typically causes abnormal termination of the affected QUIC server process and a Denial ...
MAL-2026-5442 Malicious code in exodus-solana-sdk (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ecffe98bff5e1c4655631cf8f92b1b1ccb534e0eeaa7043fab0d5fa1fbfabc35 Package name impersonates the Exodus cryptocurrency wallet brand exodus-solana-sdk. package.json declares a postinstall hook node src/canary.js that...
Malicious code in exodus-solana-sdk (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ecffe98bff5e1c4655631cf8f92b1b1ccb534e0eeaa7043fab0d5fa1fbfabc35 Package name impersonates the Exodus cryptocurrency wallet brand exodus-solana-sdk. package.json declares a postinstall hook node src/canary.js that...
MAL-2026-5441 Malicious code in exodus-secure-container (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 92bc77b12251baa18392bd90e84d6bdc57aaef9a8c774f8cb29a0066e80f76b5 On npm install, the package runs node src/canary.js as a postinstall hook. That script performs a DNS lookup and HTTPS GET to the hardcoded host...
MAL-2026-5418 Malicious code in @nstrlabs/api-client (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector de7b47a7f81209dbbaff286599b46f4f030ff992b6d0c25d947cc84739b838d9 @nstrlabs/[email protected] is a hollow package whose only behavior is an install-time exfiltration beacon. package.json declares "preinstall": "node...
MAL-2026-5419 Malicious code in @nstrlabs/auth (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 608be3457e7c809e60c1b76b9406489652f0ef708bfb97db2b6e0bb92b6836c2 On npm install, the package's preinstall hook node index.js || true, declared in package.json automatically collects host identifiers — os.hostname,...
MAL-2026-5411 Malicious code in @klapp-about/routes (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 715f07e0a1984fc9eb7d6432fc2491b08139755426b3c8905ba2d9274e2d4875 On npm install, the package's preinstall hook node index.js collects host and user identity data — os.hostname, os.userInfo.username, dirname,...
MAL-2026-5413 Malicious code in @klapp-login-platform/native-sdk (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3b3bc8633d15b44abc90074d3362fd9399f53d10a88e24264caee9d924a72bb6 On npm install, the package's preinstall lifecycle hook runs node index.js, which collects installer-side identifiers — os.hostname,...
CVE-2026-42764
Issue summary: Receiving a QUIC initial packet with an invalid token may trigger a NULL pointer dereference in the OpenSSL QUIC server with address validation disabled. Impact summary: NULL pointer dereference typically causes abnormal termination of the affected QUIC server process and a Denial ...
ALPINE-CVE-2026-42764
Issue summary: Receiving a QUIC initial packet with an invalid token may trigger a NULL pointer dereference in the OpenSSL QUIC server with address validation disabled. Impact summary: NULL pointer dereference typically causes abnormal termination of the affected QUIC server process and a Denial ...
Malicious code in ac_calendar_ts (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d5b3fd92d67510aef112ac70c9af79a59b924eef29e20b1b127ea4c720182c63 On npm install, the package's canary.js postinstall script issues an HTTP GET to http://157.230.17.236/dc carrying the installer's os.hostname, packa...
Malicious code in ac_semantic-ui_ts (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f8b97f7d3e69494d0415e13aec8d9d51ce1f5912d8c1de45a1e563e2d1b01d3d package.json declares a postinstall hook that runs canary.js, which issues an HTTP GET to bare IP 157.230.17.236 on port 80 with query parameters...
CVE-2026-42771 Possible Out of Bounds Read in X509_VERIFY_PARAM_set1_email()
Issue summary: When the X509VERIFYPARAMset1email is called by an application to validate a crafted e-mail address, such as during S/MIME message validation, an out of bounds read can happen. Impact summary: This out of bounds read will not directly exfiltrate the data read to the attacker so the...