Lucene search
K

448 matches found

NVD
NVD
added 2026/07/06 4:16 p.m.6 views

CVE-2026-59196

pnpm is a package manager. Prior to 10.34.4 and 11.7.0, a crafted lockfile alias could be joined directly under a hoisted nodemodules directory. Traversal aliases could escape that directory, while reserved aliases such as .bin or .pnpm could overwrite pnpm-owned layout. This vulnerability is fix...

7.1CVSS0.00262EPSS
Exploits1References1
CVE
CVE
added 2026/07/06 3:18 p.m.16 views

CVE-2026-59196

pnpm is vulnerable prior to versions 10.34.4 and 11.7.0 due to a crafted lockfile alias that can be joined under a hoisted node_modules directory, enabling traversal aliases to escape the directory and reserved aliases like .bin or .pnpm to overwrite pnpm-owned layout. The fixed versions are 10.3...

7.1CVSS5.9AI score0.00262EPSS
Exploits1References1Affected Software1
RedhatCVE
RedhatCVE
added 2026/07/06 1:22 p.m.6 views

CVE-2026-50016

A flaw was found in pnpm, a package manager. This vulnerability allows a malicious registry package to include specially crafted dependency aliases that contain path traversal segments. During the installation process, pnpm incorrectly processes these aliases, which can lead to the replacement of...

8.8CVSS6.2AI score0.00326EPSS
Exploits1References4
OSV
OSV
added 2026/07/02 4:58 p.m.3 views

GHSA-P39J-X9H5-Q66M OpenClaw: Embedded runner policy could be confused by provider aliases

Summary Embedded runner policy could be confused by provider aliases. In affected versions, a request using provider aliases could compare policy against an alias instead of the canonical provider identity. This advisory is scoped to the named feature and configuration. It does not change...

4.8CVSS5.9AI score0.00093EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/30 11:20 a.m.7 views

EUVD-2026-40295

DBIx::QuickORM versions before 0.000026 for Perl allow SQL injection via unquoted SQL identifiers. The default SQL builder, a SQL::Abstract subclass, sets bindtype in its constructor but never quotechar, so SQL::Abstract emits identifiers verbatim. Caller-supplied identifiers orderby, where-claus...

9.8CVSS5.8AI score0.0035EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.12 views

PT-2026-53847

Name of the Vulnerable Software and Affected Versions DBIx::QuickORM versions prior to 0.000026 Description An issue exists where SQL identifiers are emitted verbatim into generated queries without proper quoting or escaping. This occurs because the default SQL builder, a SQL::Abstract subclass,...

9.8CVSS5.8AI score0.0035EPSS
Exploits0References7
OSV
OSV
added 2026/06/26 7:40 p.m.1 views

CVE-2026-53294 mailbox: mailbox-test: don't free the reused channel

In the Linux kernel, the following vulnerability has been resolved: mailbox: mailbox-test: don't free the reused channel The RX channel can be aliased to the TX channel if it has a different MMIO. This special case needs to be handled when freeing the channels otherwise a double-free occurs...

7.8CVSS5.8AI score0.00129EPSS
Exploits0References11
RedhatCVE
RedhatCVE
added 2026/06/26 7:9 p.m.8 views

CVE-2026-53550

A flaw was found in js-yaml, a JavaScript YAML parser and dumper. A remote attacker can exploit this vulnerability by providing a specially crafted YAML document that repeatedly uses the same alias in a merge sequence. This can lead to algorithmic CPU exhaustion, causing the Node.js worker or eve...

5.3CVSS5.6AI score0.00259EPSS
Exploits1References4
EUVD
EUVD
added 2026/06/25 8:39 a.m.4 views

EUVD-2026-39279

In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Validate the passed in fops for ibgetucaps Sashiko pointed out it is not safe to rely only on the devt because char/block alias so if the user finds a block device with the same devt it can masquerade as a ucap cdev fd...

5.8AI score0.00136EPSS
Exploits0References3
OSV
OSV
added 2026/06/22 2:59 p.m.2 views

CVE-2026-53550 js-yaml: Quadratic-complexity DoS in merge key handling via repeated aliases

js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0 and 3.15.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size an...

5.3CVSS6.2AI score0.00259EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/06/22 2:59 p.m.16 views

CVE-2026-53550 js-yaml: Quadratic-complexity DoS in merge key handling via repeated aliases

js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0 and 3.15.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size an...

5.3CVSS5.8AI score0.00259EPSS
Exploits1References1
Github Security Blog
Github Security Blog
added 2026/06/16 7:9 p.m.10 views

Deno: Node TCPWrap numeric hostname aliases bypass --deny-net resolved-IP deny checks

Summary Deno's network permission model is designed so that --deny-net rules apply to the resolved IP address of a destination, not just the literal string supplied by the caller. That means --deny-net=127.0.0.1 or --deny-net=127.0.0.0/8 is expected to block any attempt to reach loopback,...

6.5CVSS5.5AI score0.00111EPSS
Exploits1References2Affected Software1
Patchstack
Patchstack
added 2026/06/15 5:15 p.m.7 views

NPM: JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases

NPM: JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases vulnerability discovered by ? in WordPress Npm js-yaml versions = 4.1.1...

5.3CVSS5.8AI score0.00259EPSS
Exploits1References2Affected Software1
EUVD
EUVD
added 2026/06/13 12:34 a.m.15 views

EUVD-2026-36624

OpenClaw before 2026.5.12 contains an allowlist bypass vulnerability in PowerShell encoded-command handling that allows attackers to execute encoded commands using abbreviated flag aliases not recognized by the allowlist parser. Remote authenticated operators can bypass execution allowlist checks...

8.8CVSS6AI score0.00451EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/13 12:0 a.m.18 views

PT-2026-49095

Name of the Vulnerable Software and Affected Versions Glances versions prior to 4.5.5 Description The XML-RPC server implemented in glances/server.py and started with glances -s fails to validate the HTTP Host header. This allows a DNS rebinding attack, where an attacker can bypass the same-origi...

5.3CVSS5.8AI score0.00156EPSS
Exploits0References14
Positive Technologies
Positive Technologies
added 2026/06/13 12:0 a.m.26 views

PT-2026-49093

Name of the Vulnerable Software and Affected Versions Glances versions prior to 4.5.5 Description Insecure deserialization occurs in glances/outdated.py because the load cache function uses pickle.load to read a version-check cache file. This file is stored at predictable, world-accessible paths...

7.8CVSS6.5AI score0.00303EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/13 12:0 a.m.20 views

PT-2026-49092

Name of the Vulnerable Software and Affected Versions Glances versions prior to 4.5.5 Description The KVM/QEMU monitoring engine in the glances/plugins/vms/engines/virsh.py file fails to sanitize VM domain names retrieved from the virsh list --all output. These names are passed into f-string...

7.8CVSS6.3AI score0.00213EPSS
Exploits0References6
Vulnrichment
Vulnrichment
added 2026/06/12 9:56 p.m.9 views

CVE-2026-53836 OpenClaw < 2026.5.12 - Allowlist Bypass via PowerShell Encoded-Command Aliases

OpenClaw before 2026.5.12 contains an allowlist bypass vulnerability in PowerShell encoded-command handling that allows attackers to execute encoded commands using abbreviated flag aliases not recognized by the allowlist parser. Remote authenticated operators can bypass execution allowlist checks...

8.8CVSS6.1AI score0.00451EPSS
Exploits0References2
NVD
NVD
added 2026/06/11 9:16 p.m.14 views

CVE-2026-53809

OpenClaw before 2026.4.25 contains a policy bypass vulnerability in embedded runner policy that allows requests using provider aliases to compare against aliases instead of canonical provider identities. Attackers can exploit this confusion to select bundled tool access outside intended provider...

4.8CVSS0.00093EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/11 12:0 a.m.12 views

PT-2026-48739

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.4.25 Description A policy bypass exists in the embedded runner policy. This issue allows requests using provider aliases to be compared against aliases rather than canonical provider identities. When the affecte...

4.8CVSS5.2AI score0.00093EPSS
Exploits0References7
Rows per page
Query Builder