1394 matches found
MAL-2026-4210 Malicious code in polymarket-auto-trade (npm)
A coordinated supply-chain attack comprising 9 npm packages published by maintainer polymarketdev GitHub actor texsellix, repo texsellix/polymarket-trading-bot within a 2-minute window on 2026-05-20T23:30Z–23:32Z. All packages masquerade as legitimate Polymarket CLOB trading tools while...
GHSA-M7CR-M3PV-HGRP vulnerabilities
Vulnerabilities for packages: crossplane, k9s, gitsign, nfpm, act, witness, syft, kubescape, xeol, scorecard, grafana-alloy, pulumi-language-dotnet, argo-cd, skaffold, tfsec, dagger, gitea, cerbos, kaniko, guac, wolfictl, grype, zot, argocd-image-updater, pulumi-language-yaml, nuclei, goreleaser,...
GHSA-CRHJ-59GH-8X96 vulnerabilities
Vulnerabilities for packages: crossplane, k9s, gitsign, nfpm, act, witness, syft, kubescape, xeol, scorecard, grafana-alloy, pulumi-language-dotnet, argo-cd, skaffold, tfsec, dagger, gitea, cerbos, kaniko, guac, wolfictl, grype, zot, argocd-image-updater, pulumi-language-yaml, nuclei, goreleaser,...
CVE-2026-45570 vulnerabilities
Vulnerabilities for packages: crossplane, k9s, gitsign, nfpm, act, witness, syft, kubescape, xeol, scorecard, grafana-alloy, pulumi-language-dotnet, argo-cd, skaffold, tfsec, dagger, gitea, cerbos, kaniko, guac, wolfictl, grype, zot, argocd-image-updater, pulumi-language-yaml, nuclei, goreleaser,...
CVE-2026-45571 vulnerabilities
Vulnerabilities for packages: crossplane, k9s, gitsign, nfpm, act, witness, syft, kubescape, xeol, scorecard, grafana-alloy, pulumi-language-dotnet, argo-cd, skaffold, tfsec, dagger, gitea, cerbos, kaniko, guac, wolfictl, grype, zot, argocd-image-updater, pulumi-language-yaml, nuclei, goreleaser,...
GHSA-CRHJ-59GH-8X96 vulnerabilities
Vulnerabilities for packages: src-fingerprint, kots, xeol-fips, dagger, rancher-fleet, flux, gitlab-runner-fips, skaffold-fips, coder, apko-fips, grype-db, argo-workflows-fips, kubevela, k9s, argo-events, trivy-fips, zot, cerbos-fips, crossplane, amazon-ssm-agent-fips, kaniko-fips,...
GHSA-M7CR-M3PV-HGRP vulnerabilities
Vulnerabilities for packages: src-fingerprint, kots, xeol-fips, dagger, rancher-fleet, flux, gitlab-runner-fips, skaffold-fips, coder, apko-fips, grype-db, argo-workflows-fips, kubevela, k9s, argo-events, trivy-fips, zot, cerbos-fips, crossplane, amazon-ssm-agent-fips, kaniko-fips,...
Astra Linux – Vulnerability in WebKit2GTK
A problem related to injections has been addressed through improved validation. This issue is fixed in Safari 17.4, iOS 17.4, iPadOS 17.4, macOS Sonoma 14.4, tvOS 17.4, and watchOS 10.4. A maliciously crafted webpage may potentially exploit this vulnerability...
Astra Linux – Vulnerability in mc
A issue was discovered in Midnight Commander through version 4.8.26. When establishing an SFTP connection, the fingerprint of the server is neither checked nor displayed. As a result, a user can connect to the server without being able to verify its authenticity...
webkitgtk: A maliciously crafted webpage may be able to fingerprint the user
A flaw was found in WebKitGTK. A maliciously crafted web page can cause an authorization issue due to improper state management and may be able to fingerprint the user...
Malicious code in @solarcraft/observix (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 14c39608a172a624520f309b572b40636dc51563f85fe89dac968712490dd40f The package advertises itself as a zero-dependency colorized logger similar to pino-pretty, but dist/index.js does require'./logger' purely for its...
libssh: Write beyond bounds in binary to base64 conversion functions
There's a vulnerability in the libssh package where when a libssh consumer passes in an unexpectedly large input buffer to sshgetfingerprinthash function. In such cases the bintobase64 function can experience an integer overflow leading to a memory under allocation, when that happens it's possibl...
CloakBrowser: Unauthenticated path traversal via fingerprint parameter in cloakserve leads to arbitrary directory deletion
The cloakserve CDP multiplexer uses the user-supplied fingerprint query parameter directly as a filesystem path component when creating Chrome profile directories. An unauthenticated attacker who can reach the cloakserve port can supply a crafted fingerprint value containing path traversal...
GHSA-MF33-GV72-W2H5 CloakBrowser: Unauthenticated path traversal via fingerprint parameter in cloakserve leads to arbitrary directory deletion
The cloakserve CDP multiplexer uses the user-supplied fingerprint query parameter directly as a filesystem path component when creating Chrome profile directories. An unauthenticated attacker who can reach the cloakserve port can supply a crafted fingerprint value containing path traversal...
Directory Traversal
Overview cloakbrowser is a Stealth Chromium that passes every bot detection test. Drop-in Playwright replacement with source-level fingerprint patches. Affected versions of this package are vulnerable to Directory Traversal via the fingerprint parameter in the cloakserve process. An attacker can...
PT-2026-41798
Name of the Vulnerable Software and Affected Versions CloakBrowser versions prior to 0.3.28 Description The cloakserve CDP multiplexer uses the user-supplied fingerprint query parameter directly as a filesystem path component when creating Chrome profile directories. An unauthenticated attacker...
CVE-2026-44700
Elixir WebRTC is an Elixir implementation of the W3C WebRTC API. Prior to 0.15.1 and 0.16.1, missing DTLS peer certificate fingerprint validation in the DTLS client active role removes one side of WebRTC's mutual authentication. The bug is not independently exploitable for media interception in...
CVE-2026-44700 Elixir WebRTC: Missing DTLS peer fingerprint validation in ex_webrtc client-role handshake
Elixir WebRTC is an Elixir implementation of the W3C WebRTC API. Prior to 0.15.1 and 0.16.1, missing DTLS peer certificate fingerprint validation in the DTLS client active role removes one side of WebRTC's mutual authentication. The bug is not independently exploitable for media interception in...
CVE-2026-44700
CVE-2026-44700 affects the Elixir WebRTC project (ex_webrtc). Before versions 0.15.1 and 0.16.1, the DTLS fingerprint validation was skipped when the DTLS client acts as the active party during handshake, effectively removing one side of WebRTC’s mutual authentication. This does not by itself ena...
EUVD-2026-30486
Elixir WebRTC is an Elixir implementation of the W3C WebRTC API. Prior to 0.15.1 and 0.16.1, missing DTLS peer certificate fingerprint validation in the DTLS client active role removes one side of WebRTC's mutual authentication. The bug is not independently exploitable for media interception in...