net/url: Incorrect parsing of IPv6 host literals in net/url

The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...

MAL-2026-5614 Malicious code in janus-erc20 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 728f3d5af5a999be016a49283fff2c5cedc0c5df445d2f078f1f9817dde22334 On npm install, postinstall.js harvests installer secrets and POSTs them to 193.203.169.109:8443/c/janus-erc20 over HTTPS with TLS verification...

MAL-2026-5556 Malicious code in janus-flow (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2d33c10c068a69d14d0333b93de7745caffd62013c57de6c55f20a6b53ffdcb1 On npm install, the package's postinstall hook node postinstall.js 2/dev/null || true silently runs a credential harvester against the installer...

EUVD-2026-36057

Reliance on IP Address for Authentication vulnerability in Erlang/OTP ssl inettlsdist module allows unauthenticated bypass of the distribution-over-TLS LAN allowlist. The inettlsdist:checkip/1 function, which enforces a LAN allowlist for Erlang distribution over TLS, calls inet:sockname/1 instead...

MAL-2026-5462 Malicious code in @rockawayx/utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e286c45b54ab9002ef8b7eec7ec686afc0bb82c2867c3640c460c8d1052b2bab @rockawayx/utils squats the unclaimed @rockawayx npm scope and runs a preinstall beacon on every install. package.json declares "preinstall": "node...

Malicious code in exodus-solana-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ecffe98bff5e1c4655631cf8f92b1b1ccb534e0eeaa7043fab0d5fa1fbfabc35 Package name impersonates the Exodus cryptocurrency wallet brand exodus-solana-sdk. package.json declares a postinstall hook node src/canary.js that...

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in ip-address-9.0.5.tgz

Summary IBM Watson Discovery Cartridge affected by vulnerability in ip-address-9.0.5.tgz Vulnerability Details CVEID:CVE-2026-42338 DESCRIPTION: ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group and Address6.link do not...

Malicious code in @demica/shared (npm)

Note: This report is updated by a verification record Dep-confusion squat of internal @demica/shared at sentinel high version 99.99.100 + auto-exec postinstall canary.js beaconing to RAW IP 157.230.17.236:80/dc. Sentinel-high-version + auto-exec beacon = MALICIOUS per operator policy c913;...

Malicious code in @demica/resources (npm)

Note: This report is updated by a verification record Dep-confusion squat of internal @demica/resources at sentinel high version 99.99.100 + auto-exec postinstall canary.js beaconing to RAW IP 157.230.17.236:80/dc. Sentinel-high-version + auto-exec beacon = MALICIOUS per operator policy c913;...

USN-8406-1 libnet-cidr-lite-perl vulnerabilities

Dave Rolsky discovered that Net::CIDR::Lite did not properly handle extraneous zero characters at the beginning of an IP address string. A remote attacker could possibly use this issue to bypass access controls that are based on IP addresses. This issue only affected Ubuntu 16.04 LTS and Ubuntu...

Western Digital MyCloud NAS - Authentication Bypass

It was discovered that the Western Digital My Cloud device before 2.30.196 is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining full control of the...

CVE-2026-45179

Plack::Middleware::Statsd versions before 0.9.0 for Perl may leak user IP addresses. If the communication channel to the statsd daemon is not secured for example, by sending UDP packets to a host on another network, then users' IP addresses may be leaked. Since version 0.9.0, the IP address is no...

CVE-2026-8346

A vulnerability was detected in D-Link DIR-816 1.10CNB05R1B011D88210. This affects the function portForward. Performing a manipulation of the argument ipaddress results in command injection. The attack can be initiated remotely. The exploit is now public and may be used...

CVE-2026-8345

A security vulnerability has been detected in D-Link DIR-816 1.10CNB05R1B011D88210. Affected by this issue is the function sub445E7C of the file /goform/singlePortForward. Such manipulation of the argument ipaddress leads to command injection. It is possible to launch the attack remotely. The...

CVE-2026-1516

GitLab has remediated an issue in GitLab EE affecting all versions from 18.0.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that in Code Quality reports could have allowed an authenticated user to leak IP addresses of users viewing the report via specially crafted content...

CVE-2025-13605

3onedata modbus gateway device model GW1101-1DRS-485-TB-P hardware version V2.2.0 allows authenticated users to execute arbitrary shell commands in the context of the root user by providing payload in the "IP address" field of the diagnosis test tools. This issue has been resolved in firmware...

CVE-2026-44195

OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.7, a logic flaw in the OPNsense lockouthandler allows an unauthenticated attacker to continuously reset the authentication failure counter for their IP address. By interjecting a crafted username containing a success keyword...

EUVD-2026-34876

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The POST /ssh/tunnel/connect endpoint in Termix prior to version 2.3.2 builds an SSH tunnel command by interpolating user-controlled host record fields endpointIP, endpointUsername,...

CVE-2026-49941

Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses. The add method called the encode method to parse addresses. If the addresses did not look like netmasks or network ranges, then they were assumed to single IP addresses and passed back to itself as a 32-bit or 128-bit...

CVE-2026-49941 Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses

Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses. The add method called the encode method to parse addresses. If the addresses did not look like netmasks or network ranges, then they were assumed to single IP addresses and passed back to itself as a 32-bit or 128-bit...