4773 matches found
EUVD-2026-40453
n8n before 2.25.7 and 2.26.x before 2.26.2 contains an abstract syntax tree (AST) security validator bypass in the Python Code node. An authenticated user with permission to create or modify workflows containing a Python Code node can bypass the validator and access the task executor module...
CVE-2026-56777
The CVE affects n8n self‑hosted instances running Python Task Runner with the Python Code node. Versions affected: before 2.25.7 and before 2.26.2. Issue: AST security validator bypass in Python Code node allows an authenticated user with workflow modification rights to bypass the validator and a...
CVE-2026-57231
A flaw was found in Podman, a tool for managing OCI containers and pods. A malicious container image can be crafted with an environment variable that has a key but no value, or an asterisk (*), to trick Podman. This vulnerability causes Podman to pass host environment variables into the container...
MagicMirror <= 2.35.0 - Server-Side Request Forgery
An unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the /cors endpoint allows any remote attacker to force the MagicMirror² server to perform arbitrary HTTP requests to internal networks, cloud metadata services, and localhost services. The endpoint also expands environment...
MAL-2026-6572 Malicious code in rebrandly-domains-digger (npm)
Source: amazon-inspector 4d1744d2a299b9ef0526f49b4b2297fcd6c72581c51a3359801db56318d8cfda The package declares a preinstall hook that runs node callback.js. On npm install, callback.js collects installer-side identifiers — os.hostname,...
MAL-2026-6573 Malicious code in rebrandly-domains-search-client (npm)
Source: amazon-inspector 7d4464320c8530d582d35f85ce95045182d82e1dd63a830644bcb68f05bdf10e Package [email protected] is an empty module (index.js exports an empty object) whose package.json preinstall hook runs node...
Linux Distros Unpatched Vulnerability : CVE-2026-57231
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - Podman is a tool for managing OCI containers and pods. From 1.8.1 until 5.8.4, a container image that contains an environment variable with just a key and no val...
Vendure - Arbitrary File Read
Vendure is an open-source headless commerce platform. Prior to versions 3.0.5 and 2.3.3, a vulnerability in Vendure's asset server plugin allows an attacker to craft a request which is able to traverse the server file system and retrieve the contents of arbitrary files, including sensitive data...
OwnCloud - Phpinfo Configuration
An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information...
CVE-2026-57231
Podman is a tool for managing OCI containers and pods. From 1.8.1 until 5.8.4, a container image that contains an environment variable with just a key and no value can trick podman into passing that variable from the host into the container. This is made worse by the fact that using an asterisk wi...
CVE-2026-57231
CVE-2026-57231 affects Podman versions 1.8.1 through 5.8.4, where a container image with an Env entry having only a key (and using the * wildcard) can cause host environment variables to be leaked into the container at run time. The PTSecurity document confirms the issue is addressed in Podman 5....
Malicious code in gx-npm-lib (npm)
Source: amazon-inspector e919710d2f28ec776b8165821ebe2fbe480c1e432ec9416c7b73bd1315ee6a6e Package published at version 99.99.99 under a generic name gx-npm-lib — the canonical dependency-confusion shape used to overshadow internal packages...
Malicious code in gx-npm-ui (npm)
Source: amazon-inspector 04e5ac6b8b24f2c158c37d3d6ac268bbf7f472433660064491538ee468cfcfcb Package published at version 99.99.99 under the gx-npm- namespace, a shape designed to win npm version resolution against private internal packages o...
MAL-2026-6481 Malicious code in gx-npm-ui (npm)
Source: amazon-inspector 04e5ac6b8b24f2c158c37d3d6ac268bbf7f472433660064491538ee468cfcfcb Package published at version 99.99.99 under the gx-npm- namespace, a shape designed to win npm version resolution against private internal packages o...
CVE-2026-55180
pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm and pacquet expanded $ENVVAR placeholders from repository-controlled .npmrc and pnpm-workspace.yaml into registry request destinations and registry credentials. A malicious repository could cause dependency resolution to send victim...
MAL-2026-6466 Malicious code in gx-npm-feature-flags (npm)
Source: amazon-inspector 7fcad1b944d9ceb92389673398df9f471911a788fe608774a3298c69900bb1c7 [email protected] is a dependency-confusion squat max-semver 99.99.99 on a gx--prefixed name to outrank a private internal package that...
GHSA-PRJ9-97MP-MWH2 OliveTin has Unvalidated `ot_`-prefixed Arguments that Bypass Input Filtering
Description: The filterToDefinedArgumentsOnly function in the executor is intended to discard any arguments not explicitly defined in the action's configuration. However, a special case allows any argument whose name starts with `ot_` to bypass this filter. While two system arguments...
CVE-2026-48721 Warp: Env-var prefixes can lead to denylisted command autoexecution
Warp is an agentic development environment. From 0.2025.10.08.08.12.stable00 until 0.2026.05.06.15.42.stable01, Warp contains a command execution permission-check bypass in the default unsandboxed CLI agent profile. The CLI profile is non-interactive and relies on a command denylist as a safety...
MAL-2026-6383 Malicious code in gunicorm (PyPI)
Source: amazon-inspector c97ab7b686dad57c3e1ffd4b86d6a75470164ed15ceedc2b26a4847fb2a331ab Package name gunicorm is a single-character edit of the widely-used gunicorn WSGI server and ships no functional code beyond setup.py. setup.py...
Malicious code in gunicorm (PyPI)
Source: amazon-inspector c97ab7b686dad57c3e1ffd4b86d6a75470164ed15ceedc2b26a4847fb2a331ab Package name gunicorm is a single-character edit of the widely-used gunicorn WSGI server and ships no functional code beyond setup.py. setup.py...