4456 matches found
PAN-OS - Reflected Cross-Site Scripting
A reflected cross-site scripting XSS vulnerability in the GlobalProtect™ gateway and portal features of Palo Alto Networks PAN-OS® software enables execution of malicious JavaScript in the context of an authenticated Captive Portal user's browser when they click on a specially crafted link.The...
Haraj 3.7 - Cross-Site Scripting
Haraj 3.7 contains a cross-site scripting vulnerability in the User Upgrade Form. An attacker can inject malicious script and thus steal authentication credentials and launch other attacks. id: CVE-2022-31299 info: name: Haraj 3.7 - Cross-Site Scripting author: edoardottt severity: medium...
EyouCMS 1.5.4 Open Redirect
EyouCMS 1.5.4 is vulnerable to an Open Redirect vulnerability. An attacker can redirect a user to a malicious url via the Logout function. id: CVE-2021-39501 info: name: EyouCMS 1.5.4 Open Redirect author: 0xAkoko severity: medium description: EyouCMS 1.5.4 is vulnerable to an Open Redirect...
MantisBT < 2.25.2 - Cross-Site Scripting
MantisBT before 2.25.2 contains a cross-site scripting vulnerability in browsersearchplugin.php. The application does not properly sanitize the 'type' parameter, which allows attackers to inject arbitrary web script or HTML via a crafted URL. id: CVE-2022-28508 info: name: MantisBT 2.25.2 -...
Zimbra Collaboration Suite - Memcached Command Injection
Zimbra Collaboration Suite versions 8.8.15 and 9.0 contain a memcached command injection vulnerability that allows an unauthenticated attacker to inject arbitrary memcache commands into a targeted instance, leading to cache poisoning and potential credential theft. id: CVE-2022-27924 info: name:...
MAL-2026-5805 Malicious code in flowcardano (npm)
flow/surf-lending DeFi cred-exfil campaign sibling c1655. Cardano-themed Sentinel-9.9.9 dependency-confusion squat. preinstall node index.js || true exfils env secrets mnemonic/private-key/token/blockfrost to raw C2 2.25.140.71:8443/surflending/npm-confusion same C2 as...
Malicious code in houzidawang808 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 71d6b96fe99e7f8503cb07df05d6b621dc8e8243fc7288844678d8aff043a654 The package presents itself as a 'simple date formatting utility' index.js exports a trivial formatDate wrapper around toLocaleDateString, but ships ...
SUSE CVE-2026-48856
Sensitive Data Exposure vulnerability in Erlang OTP inets httpcresponse module allows Retrieve Embedded Sensitive Data. The httpc client forwards the Authorization and Proxy-Authorization request headers to redirect targets without checking whether the redirect crosses an origin boundary...
CVE-2026-44495
Axios versions from 0.19.0 through before 0.31.1 and 1.15.2 contain prototype-pollution gadgets in request config processing. If another vulnerability has polluted Object.prototype.transformResponse earlier in the same JS process, the polluted value may be treated as request config or an option v...
CVE-2026-44495 Axios: Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge
Axios is a promise based HTTP client for the browser and Node.js. From 0.19.0 to before 0.31.1 and 1.15.2, Axios contains prototype-pollution gadgets in request config processing. If another vulnerability in the same JavaScript process has already polluted Object.prototype.transformResponse,...
CVE-2026-44495 Axios: Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge
Axios is a promise based HTTP client for the browser and Node.js. From 0.19.0 to before 0.31.1 and 1.15.2, Axios contains prototype-pollution gadgets in request config processing. If another vulnerability in the same JavaScript process has already polluted Object.prototype.transformResponse,...
Malicious code in solana-rpc-pool (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 59e128b9efb48222aac63385175a13c182fc4f832f83576eb80f7777f255048c On npm install, the package's postinstall hook runs install.js which performs four independent attacker-benefit actions. 1 Credential theft: it reads...
MAL-2026-5573 Malicious code in solana-rpc-pool (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 59e128b9efb48222aac63385175a13c182fc4f832f83576eb80f7777f255048c On npm install, the package's postinstall hook runs install.js which performs four independent attacker-benefit actions. 1 Credential theft: it reads...
Malicious code in solana-web3-community (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 202fa4daf22c4ecace931dfbdbeee6821fe42c14956d35c763c55051528dee12 Package masquerades as the official @solana/web3.js SDK name solana-web3-community, author 'Solana Labs Maintainers ', repository...
MAL-2026-5560 Malicious code in solana-web3-community (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 202fa4daf22c4ecace931dfbdbeee6821fe42c14956d35c763c55051528dee12 Package masquerades as the official @solana/web3.js SDK name solana-web3-community, author 'Solana Labs Maintainers ', repository...
MCP Server Kubernetes 参数注入漏洞
MCP Server Kubernetes is an MCP server for Kubernetes management, developed by Suyog Sonwalkar. Versions of MCP Server Kubernetes prior to 3.7.0 contained a parameter injection vulnerability. This vulnerability stemmed from the kubectl generic tool not performing a whitelist check on the tokens...
MAL-2026-5525 Malicious code in @solana-labs/web3.js (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 91b0523027116b3981b0f1dfe925f01d8956eb19817aae6ea7d0022d5357fba4 Package @solana-labs/web3.js impersonates the legitimate @solana/web3.js and re-exports it as cover while running a malicious postinstall node...
CVE-2026-53475
A flaw was found in assisted-migration-agent. The application hardcodes insecure Transport Layer Security TLS connections when communicating with vCenter. This vulnerability allows a Man-in-the-Middle MITM attacker to intercept and harvest vCenter administrator credentials. This can lead to...
EEF-CVE-2026-48856 httpc leaks Authorization header to cross-origin redirect targets
Summary Sensitive Data Exposure vulnerability in Erlang OTP inets httpc\response module allows Retrieve Embedded Sensitive Data. The httpc client forwards the Authorization and Proxy-Authorization request headers to redirect targets without checking whether the redirect crosses an origin boundary...
CVE-2026-53475 Assisted-migration-agent: tls verification disabled on all vcenter connections
A flaw was found in assisted-migration-agent. The application hardcodes insecure Transport Layer Security TLS connections when communicating with vCenter. This vulnerability allows a Man-in-the-Middle MITM attacker to intercept and harvest vCenter administrator credentials. This can lead to...