22932 matches found

OSSF Malicious Packages
added 2026/04/08 4:19 a.m., 5 views

Malicious code in @fairwords/loopback-connector-es (npm)

The @fairwords/loopback-connector-es package was compromised as part of the TeamPCP/CanisterWorm campaign. A postinstall hook executes node scripts/check-env.js || true which performs multi-stage credential harvesting, encrypted exfiltration, and self-propagation. The payload harvests 40+...

AI score 5.8
Exploits 0, References 1
OSV
added 2026/04/08 4:19 a.m., 0 views

MAL-2026-2507 Malicious code in @fairwords/loopback-connector-es (npm)

The @fairwords/loopback-connector-es package was compromised as part of the TeamPCP/CanisterWorm campaign. A postinstall hook executes node scripts/check-env.js || true which performs multi-stage credential harvesting, encrypted exfiltration, and self-propagation. The payload harvests 40+...

AI score 5.8
Exploits 0, References 1
OSSF Malicious Packages
added 2026/04/08 4:18 a.m., 4 views

Malicious code in @fairwords/websocket (npm)

The @fairwords/websocket package was compromised as part of the TeamPCP/CanisterWorm campaign. A postinstall hook executes node scripts/check-env.js || true which performs multi-stage credential harvesting, encrypted exfiltration, and self-propagation. The payload harvests 40+ environment variabl...

AI score 5.9
Exploits 0, References 2
OSV
added 2026/04/08 4:18 a.m., 2 views

MAL-2026-2508 Malicious code in @fairwords/websocket (npm)

The @fairwords/websocket package was compromised as part of the TeamPCP/CanisterWorm campaign. A postinstall hook executes node scripts/check-env.js || true which performs multi-stage credential harvesting, encrypted exfiltration, and self-propagation. The payload harvests 40+ environment variabl...

AI score 5.9
Exploits 0, References 2
RedHat Linux
added 2026/04/08 12:16 a.m., 4 views

kernel: Kernel: Double free vulnerability in exFAT filesystem can lead to denial of service

A flaw was found in the Linux kernel's exFAT filesystem driver. A local attacker with low privileges could exploit a double free vulnerability within the delayedfree function. This memory corruption flaw can lead to a denial of service (DoS), potentially causing system instability or crashes. It ma...

CVSS 7.8, AI score 6.7, EPSS 0.00071
Exploits 0, References 5
Redos
added 2026/04/08 12:00 a.m., 3 views

ROS-20260408-73-0006

A vulnerability in the fs/f2fs component of the Linux operating system kernel is related to a buffer overflow on the stack. Exploitation of the vulnerability allows an attacker to cause a denial of service...

CVSS 5.5, AI score 6.4, EPSS 0.00026
Exploits 0
Positive Technologies
added 2026/04/08 12:00 a.m., 2 views

PT-2026-31461

The Sleuth Kit through 4.14.0 contains a path traversal vulnerability in tsk_recover that allows an attacker to write files to arbitrary locations outside the intended recovery directory via crafted filenames or directory paths with path traversal sequences in a filesystem image. An attacker can...

CVSS 8.4, AI score 6.5, EPSS 0.00031
Exploits 0, References 5
Positive Technologies
added 2026/04/08 12:00 a.m., 1 view

PT-2026-31462

The Sleuth Kit through 4.14.0 contains an out-of-bounds read vulnerability in the APFS filesystem keybag parser where the wrapped key parser class follows attacker-controlled length fields without bounds checking, causing heap reads past the allocated buffer. An attacker can craft a malicious APF...

CVSS 4.8, AI score 5.9, EPSS 0.00013
Exploits 0, References 6
Redos
added 2026/04/08 12:00 a.m., 3 views

ROS-20260408-73-0015

A vulnerability in the fs component of the Linux operating system kernel is related to file descriptor depletion. Exploitation of the vulnerability allows an attacker to cause a denial of service...

CVSS 5.5, AI score 6.1, EPSS 0.00036
Exploits 0
Redos
added 2026/04/08 12:00 a.m., 2 views

ROS-20260408-73-0011

A vulnerability in the fs/jfs component of the Linux operating system kernel is related to incomplete clearing of temporary or auxiliary resources. Exploitation of the vulnerability allows an attacker to gain access to confidential data, compromise its integrity, and cause a denial of service...

CVSS 7.8, AI score 7, EPSS 0.00017
Exploits 0
Tenable Nessus
added 2026/04/08 12:00 a.m., 0 views

Unity Linux 20.1050e Security Update: kernel (UTSA-2026-006763)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-006763 advisory. In the Linux kernel, the following vulnerability has been resolved: fs/buffer: fix use-after-free when call bh_read helper There's issue as follows: BUG: KASAN:...

CVSS 7.8, AI score 6.6, EPSS 0.00019
Exploits 0, References 4
Redos
added 2026/04/08 12:00 a.m., 2 views

ROS-20260408-73-0007

A vulnerability in the fs/ntfs3/file.c component of the Linux kernel is related to mutual blocking of execution threads. Exploitation of the vulnerability allows an attacker to cause a denial of service...

CVSS 5.5, AI score 6.2, EPSS 0.00026
Exploits 0
Tenable Nessus
added 2026/04/08 12:00 a.m., 1 view

Unity Linux 20.1050e Security Update: kernel (UTSA-2026-006651)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-006651 advisory. In the Linux kernel, the following vulnerability has been resolved: btrfs: get rid of warning on transaction commit when using flushoncommit When using the...

CVSS 5.5, AI score 5.8, EPSS 0.00022
Exploits 0, References 3
Cvelist
added 2026/04/07 9:29 p.m., 18 views

CVE-2026-34079 Flatpak affected by arbitrary file deletion on the host filesystem

Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app controlled path to the outdated cache is in the cache directory. This allows Flatpak apps to delete arbitrary files on t...

CVSS 8.7, EPSS 0.00172
Exploits 0, References 1
Debian CVE
added 2026/04/07 9:29 p.m., 1 view

CVE-2026-34079

Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app controlled path to the outdated cache is in the cache directory. This allows Flatpak apps to delete arbitrary files on t...

CVSS 8.7, AI score 5.5, EPSS 0.00172
Exploits 0
Snyk
added 2026/04/07 6:16 p.m., 5 views

Improper Handling of Case Sensitivity

Overview: Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity via improper handling of metadata tags in the exiftool process. An attacker can manipulate files on the filesystem, such as renaming, moving, or creating hard or symbolic links to arbitrary paths, b...

CVSS 9.1, AI score 5.7
Exploits 0, References 3
Snyk
added 2026/04/07 6:15 p.m., 2 views

Information Exposure

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Information Exposure via the connect process. An attacker can obtain sensitive host filesystem paths and deployment metadata by making authenticated requests as a non-admin client...

CVSS 5.3, AI score 5.8, EPSS 0.00037
Exploits 0, References 2
Github Security Blog
added 2026/04/07 6:15 p.m., 3 views

OpenClaw: Gateway hello snapshots exposed host config and state paths to non-admin clients

Summary: Before OpenClaw 2026.4.2, the Gateway connect success snapshot exposed local configPath and stateDir metadata to non-admin clients. Low-privilege authenticated clients could learn host filesystem layout and deployment details that were not needed for their role. Impact: A non-admin client...

CVSS 5.3, AI score 5.9, EPSS 0.00037
Exploits 0, References 5, Affected Software 1
NVD
added 2026/04/07 4:16 p.m., 0 views

CVE-2026-35487

text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, an unauthenticated path traversal vulnerability in loadprompt allows reading any .txt file on the server filesystem. The file content is returned verbatim in the API response. This vulnerability...

CVSS 5.3, EPSS 0.00074
Exploits 0, References 1
Veracode
added 2026/04/07 4:11 p.m., 1 view

Improper Link Resolution

kubevirt.io/kubevirt is vulnerable to improper link resolution. The vulnerability is due to lack of verification of whether the launcher-sock is a symlink or regular file, which allows an attacker with control over the virt-launcher pod file system to manipulate file ownership on the host and...

CVSS 5, AI score 6, EPSS 0.00032
Exploits 1, References 4, Affected Software 1