MAL-2026-5606 Malicious code in chai-dec (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5fbe1098e3267cf9e98fe2591e27b58f87fb44ca8c5475a5fde64fed8c2dd1c3 chai-dec impersonates the chai/pino ecosystem package name rides on chai; package.json keywords and exports — module.exports.pino = middleware —...

Malicious code in chai-dec (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5fbe1098e3267cf9e98fe2591e27b58f87fb44ca8c5475a5fde64fed8c2dd1c3 chai-dec impersonates the chai/pino ecosystem package name rides on chai; package.json keywords and exports — module.exports.pino = middleware —...

CVE-2026-41699

Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries. An attacker can craft a malicious GraphQL request that can lead to Remote Code Execution when the application exposes a paginated Connection field and the classpath contains specifi...

CVE-2026-10795

The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.26.4 via the UpdraftPlusRemoteCommunicationsV2::wploaded function. This is due to insufficient validation of the remote communications message format,...

Malicious code in 0x2ai-multi-mq (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7d056f067b0af2084bd7777fcdb2ae6e2c06bb67f40929ba9900b5aa9cb83649 When the documented invocation npx 0x2ai-multi-mq is run, bin/start.cjs copies chatroom-mcp-lite-patched.cjs and chatroom-monitor.cjs into the user's...

Malicious code in 0x2ai-multi-q (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e305b12731a6b73c8982935753b52febfa90626f5a75f6942ca154aa708594b6 Running npx 0x2ai-multi-q the package's documented invocation spawns claude --dangerously-skip-permissions and writes a .mcp.json into the user's...

MAL-2026-5601 Malicious code in 0x2ai-multi-q (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e305b12731a6b73c8982935753b52febfa90626f5a75f6942ca154aa708594b6 Running npx 0x2ai-multi-q the package's documented invocation spawns claude --dangerously-skip-permissions and writes a .mcp.json into the user's...

Exploit for CVE-2025-6440

🧨 CVE-2025-6440 – WooCommerce Designer Pro Unrestricted File Upl...

Exploit for CVE-2026-45034

🧨 PHPSpreadsheet Phar Deserialization Exploit Bypass pro...

rsync: Rsync: Use-after-free vulnerability in extended attribute handling

A flaw was found in rsync. When rsync is configured to handle extended attributes using the -X or --xattrs option, a remote attacker can exploit a use-after-free vulnerability. This occurs because the receivexattr function incorrectly processes an untrusted length value during a sorting operation...

RLSA-2026:24545 Important: libyang security update

Libyang is YANG data modeling language parser and toolkit written and providing API in C. Security Fixes: libyang: libyang: Denial of Service or arbitrary code execution via maliciously crafted LYB binary blob CVE-2026-44673 For more details about the security issues, including the impact, a CVSS...

libyang security update

An update is available for libyang. This update affects Rocky Linux 8. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Libyang is YANG data modeling language parser and toolkit written and providi...

Exploit for Code Injection in Phpunit_Project Phpunit

CVE-2017-9841 — PHPUnit Remote Code Execution RCE PoC ⚠...

Exploit for Code Injection in Phpunit_Project Phpunit

CVE-2017-9841 — PHPUnit Remote Code Execution RCE PoC ⚠...

EUVD-2026-36215

The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.26.4 via the UpdraftPlusRemoteCommunicationsV2::wploaded function. This is due to insufficient validation of the remote communications message format,...

CVE-2026-10795 UpdraftPlus: WP Backup & Migration Plugin <= 1.26.4 - Unauthenticated Authentication Bypass via UpdraftCentral udrpc

The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.26.4 via the UpdraftPlusRemoteCommunicationsV2::wploaded function. This is due to insufficient validation of the remote communications message format,...

CVE-2026-10795

UpdraftPlus (WordPress plugin)

Malicious code in vite-tsconfig (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 88e76d2cfe72140b4419a881bd3271d2fb1f246444a8418f6decfd81a76dd17c Package impersonates the popular tsconfig-paths library description: 'Load node modules according to tsconfig paths' but ships a hidden...

MAL-2026-5576 Malicious code in vite-tsconfig (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 88e76d2cfe72140b4419a881bd3271d2fb1f246444a8418f6decfd81a76dd17c Package impersonates the popular tsconfig-paths library description: 'Load node modules according to tsconfig paths' but ships a hidden...

[SECURITY] [DSA 6338-1] libdbi-perl security update

------------------------------------------------------------------------- Debian Security Advisory DSA-6338-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso June 11, 2026 https://www.debian.org/security/faq -...