3330 matches found
PT-2026-49559
If the HTML you give it contains a element, and inside that template there's an element with a shadow DOM attached to it, DOMPurify quietly skips over the shadow contents. Whatever the attacker put in there - an image with an onerror handler, a link with a javascript: URL, even a full script -...
Malicious code in node-denv (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1b0701ad772209918c78eb4d038cce43946517f3558cbec1988c121c115a641d node-denv presents itself as a pino-compatible logging middleware index.js exports module.exports.pino = middleware and mimics pino's option shape...
SUSE CVE-2026-44250
Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending a crafted Redis payload with deeply nested arrays. This forces the server to allocate a massive...
SUSE CVE-2026-44890
Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending crafted Redis payloads across multiple connections without \r\n. This exhausts the server's direct...
CVE-2026-53827 OpenClaw < 2026.5.2 - Credential Exposure via Model-Supplied Loopback URLs in message.action Forwarding
OpenClaw before 2026.5.2 contains a credential exposure vulnerability in message.action forwarding that allows model-controlled metadata to forward action payloads with Gateway credentials to attacker-supplied loopback URLs. Remote attackers can intercept Gateway tokens and action payloads by...
CVE-2026-44786
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, chat events for public category channels are published to MessageBus without permission scoping, so any MessageBus...
CVE-2026-47263 Discourse: Prevent webhook payload disclosure on event redelivery
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, the MessageBus.publish call for /webhookevents/ in Jobs::RedeliverWebHookEvents did not pass groupids, leaving the channel...
CVE-2026-45085 Discourse: Chat misauthorization and information disclosure
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, four authorization/disclosure issues in the chat plugin one also involving discourse-calendar: read-only category users...
CVE-2026-44786
CVE-2026-44786 affects Discourse: versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1 allow chat events from public category channels to be published to MessageBus without proper permission scoping, enabling any MessageBus subscr...
EUVD-2026-35401
TYPO3 CMS has Insecure Deserialization via Core API...
CVE-2026-50085 Aqara Board IoT insecure debug API
The Aqara Board service op-test.aqara.com accepts arbitrary MQTT command payloads, and forwards them to the platfom's HiveMQ broker without authentication. This is an instance of "CWE-306: Missing Authentication for Critical Function" and has an estimated CVSS...
EUVD-2026-36475
The Aqara Board service op-test.aqara.com accepts arbitrary MQTT command payloads, and forwards them to the platfom's HiveMQ broker without authentication. This is an instance of "CWE-306: Missing Authentication for Critical Function" and has an estimated CVSS...
Linux Distros Unpatched Vulnerability : CVE-2026-44890
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Netty is a network application framework for development of protocol servers and clients. In netty-codec- redis prior to versions 4.1.135.Final and 4.2.15.Final...
PT-2026-49031
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.5.2 Description An issue in message.action forwarding allows model-controlled metadata to forward action payloads containing Gateway credentials to attacker-supplied loopback URLs. Remote attackers can intercept...
CVE-2026-44890
Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending crafted Redis payloads across multiple connections without \r\n. This exhausts the server's direct...
DEBIAN-CVE-2026-44250
Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending a crafted Redis payload with deeply nested arrays. This forces the server to allocate a massive...
CVE-2026-53810
OpenClaw before 2026.5.18 contains a code execution vulnerability where marketplace runtime extension metadata can redirect loading toward unscanned package payloads. Attackers with trusted operator access can manipulate extension metadata to load plugin code outside reviewed package entry points...
CVE-2026-44890 Netty has Unbounded Direct Memory Consumption in its RedisDecoder
Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending crafted Redis payloads across multiple connections without \r\n. This exhausts the server's direct...
CVE-2026-44890
Netty has Unbounded Direct Memory Consumption in its RedisDecoder (CVE-2026-44890). In netty-codec-redis, versions before 4.1.135.Final and 4.2.15.Final allow an attacker to cause a DoS by sending crafted Redis payloads across multiple connections that omit "\r\n", exhausting the server’s direct ...
CVE-2026-44890 Netty has Unbounded Direct Memory Consumption in its RedisDecoder
Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending crafted Redis payloads across multiple connections without \r\n. This exhausts the server's direct...