Malicious code in aurafarmer (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 967bdc07ba43b92a320ad0ef81975a5547d24b987eda5b8cdf863fc7c18245e0 The package advertises an aurex CLI. Its login flow aurex/main.py around line 108 prompts the user for email and password and POSTs them as JSON to a...

CVE-2026-34216 CtrlPanel: Authenticated Remote Code Execution via Dynamic Class Instantiation in SettingsController.php

CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the admin settings update endpoint accepted a fully qualified class name directly from user-supplied request input and used it for dynamic static method calls and object instantiation without any allowli...

CVE-2026-34216 CtrlPanel: Authenticated Remote Code Execution via Dynamic Class Instantiation in SettingsController.php

CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the admin settings update endpoint accepted a fully qualified class name directly from user-supplied request input and used it for dynamic static method calls and object instantiation without any allowli...

CVE-2026-34216

CtrlPanel (open-source billing software) has a vulnerability in versions

MAL-2026-4740 Malicious code in zod-to-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 370d1632254cb5b5dbd394992054b6c0e943a6fb758ab70f470c059ee734b9c0 The package is published as 'zod-to-js' but ships a copy of pino's source tree main entry pino.js, lib/proto.js, lib/levels.js, pino docs/README with...

MAL-2026-4501 Malicious code in btd-smart (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3ad22b27351879a89349a1232ee5abb46bc589399ea710b9769526a8080b3199 The package presents itself as a clone of juliangruber/balanced-match stolen author identity 'Julian Gruber ', verbatim README, identical API renamed...

Malicious code in btd-smart (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3ad22b27351879a89349a1232ee5abb46bc589399ea710b9769526a8080b3199 The package presents itself as a clone of juliangruber/balanced-match stolen author identity 'Julian Gruber ', verbatim README, identical API renamed...

APScheduler's JSONSerializer and CBORSerializer are vulnerable to Remote Code Execution (RCE) via Insecure Deserialization

The JSONSerializer and CBORSerializer in APScheduler all versions including 3.10.x and 4.0.0a5 are vulnerable to Remote Code Execution RCE via Insecure Deserialization. The unmarshalobject function allows for arbitrary class instantiation and state injection by dynamically importing modules and...

Server-side Request Forgery (SSRF)

Overview n8n-core is a Core functionality of n8n Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the POST /rest/dynamic-node-parameters/options endpoint. An attacker can redirect responses to a server under their control by sending a specially crafted...

n8n: Credential exfiltration via Allowed HTTP Request Domains Bypass

Impact The POST /rest/dynamic-node-parameters/options endpoint allowed any authenticated user to cause the n8n server to issue HTTP requests including credentials bypassing the intended restrictions on which hosts could be contacted for that credential Allowed HTTP Request Domains. The user neede...

Drupal core 安全漏洞

Drupal Core is a free, open-source content management system developed in PHP by the Drupal community. There are security vulnerabilities in Drupal Core, which stem from improper control of dynamic object attribute determination, potentially leading to object injection attacks. The following...

Taking Cryptography out of the Data Path Via Near-Memory Processing in DRAM

Cryptographic algorithms such as AES-128 and SHA-256 are fundamental to ensuring data security and integrity. Although these algorithms are computationally efficient, their performance is often constrained by the processor-centric architectures e.g., CPUs, GPUs, primarily due to the memory...

CtrlPanel.gg 安全漏洞

CtrlPanel.gg is an open-source hosting service billing management tool developed by CtrlPanel.gg. Versions of CtrlPanel.gg prior to 1.1.1 contained security vulnerabilities. These vulnerabilities stemmed from the management settings update endpoint accepting user-provided class names and using th...

PT-2026-42013

Name of the Vulnerable Software and Affected Versions CtrlPanel versions prior to 1.2.0 Description An authenticated admin-level user can achieve Remote Code Execution by supplying an arbitrary class name available in the Composer autoloader. The admin settings update endpoint accepts a fully...

Improper Validation of Array Index

Overview Magick.NET-Q16-HDRI-x86 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

GHSA-QJP4-4JVR-XQG3 Spring AI MCP Security: Unvalidated URL Fetching (SSRF)

Summary The mcp-security framework fails to implement the mandatory SSRF mitigations outlined in the Model Context Protocol MCP security specifications. Specifically, it processes untrusted URLs for OAuth-related discovery and metadata without verifying if the targets are malicious or internal to...

Spring AI MCP Security: Unvalidated URL Fetching (SSRF)

Summary The mcp-security framework fails to implement the mandatory SSRF mitigations outlined in the Model Context Protocol MCP security specifications. Specifically, it processes untrusted URLs for OAuth-related discovery and metadata without verifying if the targets are malicious or internal to...

MantisBT 1.0.0 < 2.28.2 Dynamic Custom Textarea Field Reflected XSS (GHSA-j7v9-f46r-2rp4)

The version of MantisBT installed on the remote host is 1.0.0 or later but prior to 2.28.2. It is, therefore, affected by a vulnerability: - MantisBT is Vulnerable to Reflected XSS in Rendering Dynamic Custom Textarea Field. CVE-2026-41897 Note that Nessus has not tested for this issue but has...

PT-2026-41691

Name of the Vulnerable Software and Affected Versions mcp-security versions prior to 0.1.9 Description The mcp-security framework fails to implement mandatory Server-Side Request Forgery SSRF mitigations—a flaw where an attacker can induce the server to make requests to an unintended location—as...

PT-2026-42163

Name of the Vulnerable Software and Affected Versions BIND 9 versions 9.11.0 through 9.16.50 BIND 9 versions 9.18.0 through 9.18.48 BIND 9 versions 9.20.0 through 9.20.22 BIND 9 versions 9.21.0 through 9.21.21 BIND 9 versions 9.11.3-S1 through 9.16.50-S1 BIND 9 versions 9.18.11-S1 through...