159 matches found
EUVD-2026-32646
When processing a request with a URL path starting with /status or /sysinfo, WOSHttpStatusModule.dll is to be loaded to handle such URL patterns. The WOSBinLoadHttpModule function in the dll would be called to set up a "module" object for that module. However, WOSHttpStatusModule.dll is not prese...
MAL-2026-4527 Malicious code in clawpro-diagnostics-metrics-cls (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7d176cad00849132cb8df7ca53ac064e1980cea09bfe9b25836a78b4719b08ea The package's dist/index.js contains hardcoded HTTP POST calls targeting http://metadata.tencentyun.com along with reads of process.platform and...
Malicious code in @budetzz/libsignal-node (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c2dbcccc761971dfc5f844f59f362fe32ee1e0b9a3cd91ddd4fc87be5c8b013a The package is published under the name @budetzz/libsignal-node, impersonating the well-known libsignal Signal-protocol library, but the homepage and...
CVE-2026-43999
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, NodeVM's builtin allowlist can be bypassed when the module builtin is allowed including via the '' wildcard. The module builtin exposes Node's Module.load, which loads any module by name directly in the host context, completely...
CVE-2026-43999
CVE-2026-43999 affects vm2’s NodeVM when the builtins allowlist is configured with a wildcard that includes the module builtin. Prior to version 3.11.0, the module builtin can bypass vm2’s allowlist via Module._load, because vm2 exposes the host’s Module object through a readonly proxy that still...
CVE-2026-43999 vm2: NodeVM builtin allowlist bypass via `module` builtin's `Module._load` allows sandbox escape
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, NodeVM's builtin allowlist can be bypassed when the module builtin is allowed including via the '' wildcard. The module builtin exposes Node's Module.load, which loads any module by name directly in the host context, completely...
CVE-2026-43999 vm2: NodeVM builtin allowlist bypass via `module` builtin's `Module._load` allows sandbox escape
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, NodeVM's builtin allowlist can be bypassed when the module builtin is allowed including via the '' wildcard. The module builtin exposes Node's Module.load, which loads any module by name directly in the host context, completely...
Deserialization of Untrusted Data
Overview lightning is a Deep Learning framework to train, deploy, and ship AI products Lightning fast. Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the LightningModule.loadfromcheckpoint function. Any workflow that calls this function on an untrusted...
NPM: vm2 has a NodeVM builtin allowlist bypass via `module` builtin's `Module._load` that allows sandbox escape
NPM: vm2 has a NodeVM builtin allowlist bypass via module builtin's Module.load that allows sandbox escape vulnerability discovered by ? in WordPress Npm vm2 versions 3.10.5...
GHSA-947F-4V7F-X2V8 vm2 has a NodeVM builtin allowlist bypass via `module` builtin's `Module._load` that allows sandbox escape
Summary NodeVM's builtin allowlist can be bypassed when the module builtin is allowed including via the '' wildcard. The module builtin exposes Node's Module.load, which loads any module by name directly in the host context, completely bypassing vm2's builtin restriction. This allows sandboxed co...
Astra Linux - уязвимость в linux-5.10
In the Linux kernel, the following vulnerability has been resolved: ubifs: Fix memory leak in ubifssysfsinit When insmod ubifs.ko, a kmemleak reported as below: unreferenced object 0xffff88817fb1a780 size 8: comm "insmod", pid 25265, jiffies 4295239702 age 100.130s hex dump first 8 bytes: 75 62 6...
Astra Linux - уязвимость в linux-5.15
In the Linux kernel, the following vulnerabilities have been resolved: scsi: qla2xxx: Fixed a crash that occurred during module load/unload tests. During purex packet handling, the driver incorrectly freed a pre-allocated structure. This issue was fixed by skipping that entry. The system crashed...
Astra Linux - уязвимость в linux-5.15, linux, linux-5.10
In the Linux kernel, the following vulnerability has been resolved: orangefs: The issue in kmemleak in orangefspreparedebugfshelpstring has been fixed. When inserting or removing the orangefs module, the debughelpstring variable may be leaked: - Unreferenced object: 0xffff8881652ba000 size 4096 -...
Astra Linux - уязвимость в linux-5.15, linux, linux-5.10
In the Linux kernel, the following vulnerability has been resolved: testfirmware: fixed a memory leak in testfirmwareinit. When miscregister failed in testfirmwareinit, the memory pointed to by testfwconfig-name was not released. The memory leak information is as follows: Unreferenced object...
Astra Linux - уязвимость в thunderbird, firefox
Module load requests that failed were not checked to determine whether they had been cancelled, resulting in a use-after-free in ScriptLoadContext. This vulnerability affects Firefox 110, Thunderbird 102.8, and Firefox ESR 102.8...
EUVD-2026-18805
A vulnerability has been found in NASA cFS up to 7.0.0. The impacted element is the function pickle.load of the component Pickle Module. Such manipulation leads to deserialization. The attack needs to be performed locally. The attack requires a high level of complexity. The exploitability is...
MiracleLinux 8 : nodejs:18 (AXSA:2023-6466:01)
The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2023-6466:01 advisory. nodejs: Permissions policies can be bypassed via Module.load CVE-2023-32002 nodejs-semver: Regular expression denial of service CVE-2022-25883 nodej...
PT-2025-53117
Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description The Linux kernel contains a flaw in the configfs create dir function that can lead to a memory leak. The issue arises from an incorrect reference count within the configfs make dirent...
nodejs:18 security, bug fix, and enhancement update
An update is available for nodejs-packaging, module.nodejs-nodemon, module.nodejs-packaging, nodejs-nodemon. This update affects Rocky Linux 8. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list...
RLSA-2023:5362 Important: nodejs:18 security, bug fix, and enhancement update
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs 18. BZ2234409 Security Fixes: nodejs: Permissions policies can be bypassed via...