Vulnrichment (added 2026/04/07 4:20 p.m.)

CVE-2026-35585 File Browser has a Command Injection via Hook Runner

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. From 2.0.0 until 2.33.8, the hook system in File Browser — which executes administrator-defined shell commands on file events such as upload, rename, and delete...

CVSS 7.5 | AI score 6.1 | EPSS 0.01922
Exploits: 2 | References: 2
NVD (added 2026/04/07 4:16 p.m.)

CVE-2026-35515

Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.18, SseStream.transform interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters \r, \n. Since the SSE protocol treats both \r and ...

CVSS 6.3 | EPSS 0.00234
Exploits: 0 | References: 1
Vulnrichment (added 2026/04/07 3:06 p.m.)

CVE-2026-35515 @nestjs/core Improperly Neutralizes Special Elements in Output Used by a Downstream Component ('Injection')

Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.18, SseStream.transform interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters \r, \n. Since the SSE protocol treats both \r and ...

CVSS 6.3 | AI score 6 | EPSS 0.00234
Exploits: 0 | References: 1
Cvelist (added 2026/04/07 3:06 p.m.)

CVE-2026-35515 @nestjs/core Improperly Neutralizes Special Elements in Output Used by a Downstream Component ('Injection')

Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.18, SseStream.transform interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters \r, \n. Since the SSE protocol treats both \r and ...

CVSS 6.3 | EPSS 0.00234
Exploits: 0 | References: 1
CVE (added 2026/04/07 3:06 p.m.)

CVE-2026-35515

NestJS/core (@nestjs/core) contains a vulnerability in SseStream._transform() where unsanitized interpolation of upstream data into SSE output allows an attacker to inject arbitrary SSE events, spoof event types, and corrupt reconnection state. The issue arises from inserting message.type and me...

CVSS 6.3 | AI score 6 | EPSS 0.00234
Exploits: 0 | References: 1 | Affected Software: 1
Circl (added 2026/04/07 6:02 a.m.)

CVE-2025-54328

| creationtimestamp | type | source |
|---|---|---|
| 2026-04-07 06:02:36+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3miv45ttzr425 |
| 2026-04-07 08:06:44+00:00 | seen | https://bsky.app/profile/yazoul-alerts.bsky.social/post/3mivd3t5d2m2o |
| 2026-04-08 08:07:19+00:00 | seen | ... |

CVSS 10 | AI score 4.9 | EPSS 0.0052
Exploits: 1 | References: 7
Positive Technologies (added 2026/04/07 12:00 a.m.)

PT-2026-30904

Name of the Vulnerable Software and Affected Versions: File Browser versions 2.0.0 through 2.63.1. Description: File Browser, a file managing interface, has an issue in its hook system. This system executes administrator-defined shell commands on file events (upload, rename, delete). Variable...

CVSS 7.5 | AI score 6 | EPSS 0.01922
Exploits: 2 | References: 8
Positive Technologies (added 2026/04/07 12:00 a.m.)

PT-2026-31020

Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, job child processes can include an update_event key in their JSON output. The server applies this directly to the parent event's stored configuration without any authorization check. A...

CVSS 5.3 | AI score 5.9 | EPSS 0.00178
Exploits: 1 | References: 4
Positive Technologies (added 2026/04/07 12:00 a.m.)

PT-2026-31048

The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'hustle_module_converted' AJAX action in all versions up to, and including, 7.8.10.2. This makes it possible for...

CVSS 5.3 | AI score 5.9 | EPSS 0.00375
Exploits: 0 | References: 6
CNNVD (added 2026/04/07 12:00 a.m.)

Nest injection vulnerability

Nest is a Node.js framework developed by NestJS, aimed at building efficient, scalable, and enterprise-level server-side applications using TypeScript/JavaScript. Prior to version 11.1.18, Nest had an injection vulnerability. This vulnerability stemmed from the SseStream.transform function, which...

CVSS 6.3 | AI score 5.9 | EPSS 0.00234
Exploits: 0 | References: 1
Circl (added 2026/04/06 6:26 p.m.)

CVE-2026-35174

| creationtimestamp | type | source |
|---|---|---|
| 2026-04-06 18:26:29+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mitvb3h7og2h |
| 2026-04-06 19:29:44+00:00 | seen | Telegram/RmP7l-K41x9UoCBscD5W8eizA4yDJaPJqAKKOeWwXNyu-8 |
| 2026-04-06 19:30:39+00:00 | seen | ... |

CVSS 9.1 | AI score 5 | EPSS 0.00559
Exploits: 0 | References: 3
Snyk (added 2026/04/06 5:59 p.m.)

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Overview: @nestjs/core is Nest, a modern, fast, powerful Node.js web framework (@core). Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') via the SseStream.transform function. An attacker can inject...

CVSS 6.5 | AI score 6 | EPSS 0.00234
Exploits: 0 | References: 2
Github Security Blog (added 2026/04/06 5:59 p.m.)

@nestjs/core Improperly Neutralizes Special Elements in Output Used by a Downstream Component ('Injection')

Impact (what kind of vulnerability is it, who is impacted): SseStream.transform interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters \r, \n. Since the SSE protocol treats both \r and \n as field delimiters and \n\n as...

CVSS 6.3 | AI score 6.1 | EPSS 0.00234
Exploits: 0 | References: 6 | Affected Software: 1
OSV (added 2026/04/06 5:59 p.m.)

GHSA-36XV-JGW5-4Q75 @nestjs/core Improperly Neutralizes Special Elements in Output Used by a Downstream Component ('Injection')

Impact (what kind of vulnerability is it, who is impacted): SseStream.transform interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters \r, \n. Since the SSE protocol treats both \r and \n as field delimiters and \n\n as...

CVSS 6.3 | AI score 6.1 | EPSS 0.00234
Exploits: 0 | References: 6
Circl (added 2026/04/06 3:19 p.m.)

RHSA-2025:7458

| creationtimestamp | type | source |
|---|---|---|
| 2026-04-06 15:19:47+00:00 | seen | Telegram/zfToAAWf8eWnJ7ba07A0EZZiZLhP55gYdeGjYzJA6KMcCw |
| 2026-04-06 15:20:12+00:00 | seen | Telegram/0sUuWW8J84hCZb1n0MF5lAvDyk6dii4XfiqOlA0c3Bj-PlY |
| 2026-04-06 15:20:35+00:00 | seen | ... |

AI score 4.8
Exploits: 0
Circl (added 2026/04/06 3:19 p.m.)

RHSA-2025:3976

| creationtimestamp | type | source |
|---|---|---|
| 2026-04-06 15:19:47+00:00 | seen | Telegram/zfToAAWf8eWnJ7ba07A0EZZiZLhP55gYdeGjYzJA6KMcCw |
| 2026-04-06 15:20:12+00:00 | seen | Telegram/0sUuWW8J84hCZb1n0MF5lAvDyk6dii4XfiqOlA0c3Bj-PlY |
| 2026-04-06 15:20:35+00:00 | seen | ... |

AI score 4.8
Exploits: 0
Positive Technologies (added 2026/04/06 12:00 a.m.)

PT-2026-30760

Impact (what kind of vulnerability is it, who is impacted): SseStream.transform interpolates message.type and message.id directly into Server-Sent Events text protocol output without sanitizing newline characters \r, \n. Since the SSE protocol treats both \r and \n as field delimiters and \n\n as event...

CVSS 6.3 | AI score 6.1 | EPSS 0.00234
Exploits: 0 | References: 7
RedhatCVE (added 2026/04/03 11:01 p.m.)

CVE-2024-44286

This issue was addressed through improved state management. This issue is fixed in macOS Sequoia 15.1. An attacker with physical access can input keyboard events to apps running on a locked device...

CVSS 7.5 | AI score 5.9 | EPSS 0.0034
Exploits: 0 | References: 1
EUVD (added 2026/04/03 6:31 p.m.)

EUVD-2026-18675

In the Linux kernel, the following vulnerability has been resolved: perf/x86: Move event pointer setup earlier in x86_pmu_enable. A production AMD EPYC system crashed with a NULL pointer dereference in the PMU NMI handler: BUG: kernel NULL pointer dereference, address: 0000000000000198 RIP:...

AI score 5.8 | EPSS 0.00121
Exploits: 0 | References: 4
CVE (added 2026/04/03 3:15 p.m.)

CVE-2026-23440

CVE-2026-23440 is a Linux kernel vulnerability in the net/mlx5e IPSec ESN update path. A race condition could cause the ESN wrap event to be processed twice: after validating the event, the driver updates the kernel xfrm state and the lock is temporarily released, risking incorrect ESN high-order...

CVSS 7.5 | AI score 5.7 | EPSS 0.00206
Exploits: 0 | References: 5 | Affected Software: 1