258 matches found
CVE-2026-10070
A vulnerability was found in macrozheng mall up to 1.0.3. This affects an unknown function of the file /admin/update/ of the component Super Admin Password Handler. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The vendor deleted the...
PT-2026-44921
A vulnerability was found in macrozheng mall up to 1.0.3. This affects an unknown function of the file /admin/update/ of the component Super Admin Password Handler. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The vendor deleted the...
Malicious code in web3-helpers (PyPI)
Source: kam193 8d6102ae402b2583a01da47e71f41cccba99fb7826dcf360004d8924557e1760 During installation, package exfiltrates some basic info to a GitHub issue comment, and then attempts to set up a persistent infostealer focused on exfiltrating...
Malicious code in math-array-tools (PyPI)
Source: kam193 1b6411ce9c35210436bef6dadb284e5d89ec85c2cc17f970509aa4b5f30c2440 During installation, package exfiltrates some basic info to a GitHub issue comment, and then attempts to set up a persistent infostealer focused on exfiltrating...
MAL-2026-3701 Malicious code in api-request-helpers (PyPI)
Source: kam193 c8e8b70ac4deca30691d583ac6891034222b7458bf5ba9e7b86cf5e6627d8abb During installation, package exfiltrates some basic info to a GitHub issue comment, and then attempts to set up a persistent infostealer focused on exfiltrating...
MAL-2026-3700 Malicious code in alembic-util (PyPI)
Source: kam193 8e9b764ee0ccd6a2c6c2db1b7722f083ee9f643cb99d03821d5e6571f68db253 During installation, package exfiltrates some basic info to a GitHub issue comment, and then attempts to set up a persistent infostealer focused on exfiltrating...
Arbitrary Command Injection
Overview ssh-mcp is an MCP server exposing SSH control for Linux and Windows systems via Model Context Protocol. Affected versions of this package are vulnerable to Arbitrary Command Injection via the shell.write function. An attacker can execute arbitrary system commands by supplying crafted inpu...
Use After Free
Overview Affected versions of this package are vulnerable to Use After Free in the response file processing due to a dangling pointer to freed memory being stored in the global dependfile and later dereferenced after the response-file buffer is freed. An attacker can cause data corruption or...
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Overview fast-filesystem-mcp is a Fast Filesystem MCP Server - Advanced file operations with Auto-Chunking, Sequential Reading, complex file operations copy, move, delete, batch, compress, optimized for Claude Desktop. Affected versions of this package are vulnerable to Improper Neutralization of...
PT-2026-28215
Hi guys! Recently I got this email from [email protected]. I read through the email and spotted a few grammatical errors, as well as a share.google link, which I thought was unusual for Microsoft to do. Even though it was fully delivered and signed by GitHub.com, I realised that what the...
CVE-2026-20719
Mattermost contains a DoS vulnerability (CVE-2026-20719) in rendering external SVGs within link embeds. Affected versions are Mattermost 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, and 10.11.x
Uncontrolled Recursion
Overview Affected versions of this package are vulnerable to Uncontrolled Recursion in the FunctionPushPop. An attacker can cause excessive resource consumption and application instability by triggering deep or infinite recursion through crafted input to the affected process. Remediation There is...
Use After Free
Overview Affected versions of this package are vulnerable to Use After Free in the chaiscript::TypeInfo::bareequal function. An attacker can cause a program crash or potentially execute arbitrary code by triggering use of memory after it has been freed. Remediation There is no fixed version for...
Uncaught Exception
Overview Affected versions of this package are vulnerable to Uncaught Exception via the oneflow.logicalor function. An attacker can cause the application to crash by submitting specially crafted input. Remediation There is no fixed version for oneflow. References - GitHub Issue Credit: Daisy2ang...
Improper Validation of Specified Quantity in Input
Overview Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input via the arange function. An attacker can cause the application to become unresponsive or crash by submitting specially crafted input. Remediation There is no fixed version for oneflow...
Improper Validation of Specified Quantity in Input
Overview Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input via the flow.cuda.BoolTensor component when processing crafted input. An attacker can cause the application to crash or become unresponsive by submitting specially crafted data...
Out-of-bounds Read
Overview Affected versions of this package are vulnerable to Out-of-bounds Read via the flow.columnstack component. An attacker can cause the application to crash by submitting specially crafted input. Remediation There is no fixed version for oneflow. References - GitHub Issue Credit: Daisy2ang...
Division by zero
Overview Affected versions of this package are vulnerable to Division by zero in the flow.floordivide function. An attacker can cause the application to crash or become unresponsive by providing a specially crafted input tensor containing a zero value. Remediation There is no fixed version for...
Uncontrolled Recursion
Overview Affected versions of this package are vulnerable to Uncontrolled Recursion via the ParseMustBeSegmentNzNc function when processing large input containing many commas. An attacker can cause excessive stack consumption and application crash by supplying specially crafted input. Remediation...
Improper Input Validation
Overview Affected versions of this package are vulnerable to Improper Input Validation via the flow.eyen function. An attacker can trigger a segmentation fault by adding a Python sequence to the native code. PoC python import oneflow as flow diag = 1.0, 2.0, 3.0 tensor = flow.eye3 + diag...