Lucene search
K

193 matches found

OSSF Malicious Packages
OSSF Malicious Packages
added 4 days ago6 views

Malicious code in type-async (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d064750b4e3821d296d538ea749483e3f9cd54299645fc1c895e5c1af3639b5d The package presents itself as pino typosquat; README mirrors pino. The main entry index.js exports a middleware factory that, on invocation, spawns...

6.5AI score
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/07/06 8:46 a.m.4 views

CVE-2026-12252

A flaw was found in the nltk library. Several Stanford interface classes within nltk are susceptible to arbitrary code execution. This vulnerability allows a local attacker to execute malicious code by providing an untrusted Java Archive JAR file, as the system lacks integrity verification for...

7.8CVSS6.4AI score0.00158EPSS
Exploits1References4
PyPA
PyPA
added 2026/07/04 2:16 a.m.3 views

PYSEC-0000-CVE-2026-12252

In nltk/nltk versions 3.9.3 and earlier, five Stanford interface classes StanfordPOSTagger, StanfordNERTagger, StanfordParser, StanfordDependencyParser, and StanfordNeuralDependencyParser are vulnerable to untrusted JAR code execution. These classes accept user-controllable JAR paths and execute...

7.8CVSS7.7AI score0.00158EPSS
Exploits1References1Affected Software1
EUVD
EUVD
added 2026/07/04 12:58 a.m.9 views

EUVD-2026-41656

In nltk/nltk versions 3.9.3 and earlier, five Stanford interface classes StanfordPOSTagger, StanfordNERTagger, StanfordParser, StanfordDependencyParser, and StanfordNeuralDependencyParser are vulnerable to untrusted JAR code execution. These classes accept user-controllable JAR paths and execute...

10CVSS7.8AI score0.00809EPSS
Exploits4References1
EUVD
EUVD
added 2026/06/26 10:53 p.m.10 views

EUVD-2026-39488

pnpm Has an Integrity Check Bypass via Missing Lockfile Integrity Field...

6.8CVSS5.8AI score0.00126EPSS
Exploits1References2
OSV
OSV
added 2026/06/17 2:45 p.m.5 views

SUSE-SU-2026:2438-1 Security update for alloy

This update for alloy fixes the following issues Security issues: - CVE-2026-4427: github.com/jackc/pgproto3/v2: improper validation of field length allows a malicious PostgreSQL server to crash a client application via a DataRow message bsc1259919. - CVE-2026-25934: github.com/go-git/go-git/v5:...

9.1CVSS6.5AI score0.01557EPSS
Exploits1References13
OSV
OSV
added 2026/06/03 8:2 p.m.13 views

GHSA-CJQG-RQ2H-2FVJ Docling: Unsafe Zip Extraction in EasyOCR Model Download

Impact In versions 2.91.0, The EasyOCR model download functionality extracted ZIP archives without validating member paths, enabling Zip Slip attacks. If an attacker could compromise the model download source via supply chain attack, DNS spoofing, or MITM, they could write arbitrary files to any...

7.5CVSS6.3AI score0.00478EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/03 12:0 a.m.19 views

PT-2026-46119

Name of the Vulnerable Software and Affected Versions EasyOCR versions prior to 2.91.0 Description The model download functionality extracts ZIP archives without validating member paths, which allows for Zip Slip attacks. Zip Slip is a form of path traversal that occurs when an application extrac...

7.5CVSS6.6AI score0.00478EPSS
Exploits0References10
OSV
OSV
added 2026/05/26 12:59 a.m.12 views

MAL-2026-4715 Malicious code in weavedb-base (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 886f22636b5e4726978e23b10a4311fb7e65c2b10003da72429348fa617884d1 package.json declares "preinstall": "./vendor/setup", which runs a 976KB packed Linux x86 ELF binary sha256...

5.8AI score
Exploits0References5
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/25 5:23 p.m.16 views

Malicious code in @beyondbday/vibe-terminal (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9859c1af428f41ba7f7eb2a1db744705f5644ff2422629d94e3de1ecb59c9405 On every launch of the vibe CLI, dist/vibe.js queries the npm registry for the latest version of @beyondbday/vibe-terminal and, if newer than the...

5.8AI score
Exploits0References4
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/25 3:39 p.m.15 views

Malicious code in @polka-ui/loader (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f93cf8dde7e6a1252424fc82f38e8502a37d9e427d92d412fd8944c91b8ee5a4 On npm install, scripts/postinstall.js downloads a per-OS payload from https://oob.moika.tech/payload/linux|mac|win, writes it to /tmp/.polka-uiinit....

5.8AI score
Exploits0References2
Veracode
Veracode
added 2026/05/23 5:55 a.m.5 views

Improper Integrity Verification

Amazon SageMaker Python SDK is vulnerable to improper integrity verification. The vulnerability is due to missing integrity verification in the Triton inference handler, which allows an authenticated attacker with S3 write access to replace model artifacts with a specially crafted pickle payload...

7.2CVSS6.5AI score0.0039EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/21 5:56 p.m.16 views

Amazon SageMaker Python SDK is missing integrity verification in its Triton inference handler

Summary Amazon SageMaker Python SDK is an open-source library for training and deploying machine learning models on Amazon SageMaker. An issue exists where, under certain circumstances, the Triton inference handler deserializes model artifacts without performing integrity verification, allowing...

7.2CVSS6.5AI score0.0039EPSS
Exploits0References6Affected Software1
OSV
OSV
added 2026/05/21 5:56 p.m.8 views

GHSA-RQ6V-X3J8-7QGF Amazon SageMaker Python SDK is missing integrity verification in its Triton inference handler

Summary Amazon SageMaker Python SDK is an open-source library for training and deploying machine learning models on Amazon SageMaker. An issue exists where, under certain circumstances, the Triton inference handler deserializes model artifacts without performing integrity verification, allowing...

7.2CVSS6.5AI score0.0039EPSS
Exploits0References6
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/20 12:39 a.m.14 views

Malicious code in @mcpassure/mcp-anvisa-bulario (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e846cabb7b5077244737d7a465e944ebe7635db46cc55e7e5736eeda47d30938 dist/bootstrap.js references a hardcoded URL on pub-046c52795b9445cd9f5cc5cb21b9d59f.r2.dev — an anonymous Cloudflare R2 bucket — and calls fetch...

5.9AI score
Exploits0References10
OSV
OSV
added 2026/05/17 9:24 p.m.7 views

OPENSUSE-SU-2026:20809-1 Security update for trivy

This update for trivy fixes the following issues - CVE-2025-64702: github.com/quic-go/quic-go/http3: quic-go HTTP/3 QPACK Header Expansion DoS bsc1255366. - CVE-2025-69725: github.com/go-chi/chi/v5: incorrect input validation in the RedirectSlashes function can lead to an open redirect bsc1258513...

9.8CVSS6.6AI score0.01557EPSS
Exploits1References18
RedhatCVE
RedhatCVE
added 2026/05/15 7:57 p.m.10 views

CVE-2026-8597

Missing integrity verification in the Triton inference handler in Amazon SageMaker Python SDK v2 before v2.257.2 and v3 before v3.8.0 might allow a remote authenticated actor to achieve code execution in inference containers via replacement of model artifacts in S3 with a specially crafted pickle...

7.2CVSS6.2AI score0.0039EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/14 7:37 p.m.38 views

CVE-2026-8597 Missing integrity verification in Triton inference handler in Amazon SageMaker Python SDK

Missing integrity verification in the Triton inference handler in Amazon SageMaker Python SDK v2 before v2.257.2 and v3 before v3.8.0 might allow a remote authenticated actor to achieve code execution in inference containers via replacement of model artifacts in S3 with a specially crafted pickle...

7.2CVSS0.0039EPSS
Exploits0References4
OSV
OSV
added 2026/05/14 7:37 p.m.3 views

CVE-2026-8597 Missing integrity verification in Triton inference handler in Amazon SageMaker Python SDK

Missing integrity verification in the Triton inference handler in Amazon SageMaker Python SDK v2 before v2.257.2 and v3 before v3.8.0 might allow a remote authenticated actor to achieve code execution in inference containers via replacement of model artifacts in S3 with a specially crafted pickle...

6.4CVSS6.5AI score0.0039EPSS
Exploits0References6
CVE
CVE
added 2026/05/14 7:37 p.m.22 views

CVE-2026-8597

CVE-2026-8597 : Missing integrity verification in the Triton inference handler of the Amazon SageMaker Python SDK (v2 before 2.257.2; v3 before 3.8.0) may allow a remote authenticated actor with S3 write access to replace model artifacts in S3 with a crafted pickle payload, enabling code executio...

7.2CVSS6.2AI score0.0039EPSS
Exploits0References4
Rows per page
Query Builder