CVE-2026-8134 Concrete CMS 9.5.0 and below is vulnerable to Authenticated RCE via Composer customTemplate Path Traversal leading to PHP File Inclusion

Concrete CMS 9.5.0 and below fails to sanitize path traversal sequences in the ptComposerFormLayoutSetControlCustomTemplate field when saving page type composer form layouts. An authenticated rogue administrator with composer form editing rights can exploit this to include arbitrary readable file...

CVE-2026-8467

Code Injection vulnerability in phenixdigital phoenixstorybook allows unauthenticated remote code execution via unsanitized attribute value interpolation in HEEx template generation. The psb-assign WebSocket event handler in 'Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive':handleevent/3...

Malicious code in chai-as-vite (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b7096b7b983ae63f8e59f9e047440547c9536f6c4c9da0ac46909b91a9d4e10e The package masquerades as a pino-style logger exports module.exports.pino = middleware, keywords fast,logger,stream,json, lib filenames proto.js,...

MAL-2026-4514 Malicious code in chai-as-vite (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b7096b7b983ae63f8e59f9e047440547c9536f6c4c9da0ac46909b91a9d4e10e The package masquerades as a pino-style logger exports module.exports.pino = middleware, keywords fast,logger,stream,json, lib filenames proto.js,...

Dompdf RCE via Malicious Font Caching (CVE-2022-28368)

This module exploits CVE-2022-28368, a Remote Code Execution vulnerability in dompdf versions prior to 1.2.1. The vulnerability exists because dompdf preserves the original file extension when caching fonts downloaded via CSS @font-face rules. By pointing a @font-face src to a .php file containin...

rgui-3.4.4-seh-bof-exploit

Exploração de Buffer Overflow SEH Overwrite no RGui 3.4.4...

[SECURITY] [DSA 6288-1] thunderbird security update

------------------------------------------------------------------------- Debian Security Advisory DSA-6288-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff May 21, 2026 https://www.debian.org/security/faq -...

Malicious code in chai-as-tuned (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f7e00f81e117716cfd7fd3565cf8b04073cd494a6da2c23749669133806a7473 Package name chai-as-tuned impersonates chai-as-promised and ships a README copy-pasted from the unrelated pino project npm/CI badges point at...

MAL-2026-4513 Malicious code in chai-as-tuned (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f7e00f81e117716cfd7fd3565cf8b04073cd494a6da2c23749669133806a7473 Package name chai-as-tuned impersonates chai-as-promised and ships a README copy-pasted from the unrelated pino project npm/CI badges point at...

Improper Validation of Integrity Check Value

Overview sagemaker is an Open source library for training and deploying models on Amazon SageMaker. Affected versions of this package are vulnerable to Improper Validation of Integrity Check Value in the Triton inference handler. An attacker can execute arbitrary code with the SageMaker execution...

GHSA-M549-QQ94-FVHG LMDeploy: Arbitrary code execution via hardcoded trust_remote_code=True in lmdeploy model initialization

Summary lmdeploy hardcodes trustremotecode=True in multiple HuggingFace model-loading call sites. The affected code paths are in: text lmdeploy/archs.py lmdeploy/utils.py The vulnerable call sites pass trustremotecode=True into HuggingFace Transformers APIs such as AutoConfig.frompretrained,...

MAL-2026-4421 Malicious code in @pulse-web-platform-core/scripts-loader (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7c69fc52eb76aa05711ea0c128624eb1fc8c70655a58f2f3e646da1dcd20f254 On npm install, the package's preinstall.js performs an HTTP GET to http://$pkg.$scope.oob.moika.tech/poc.js and passes the response body directly to...

RLSA-2026:7383 Critical: cockpit: Unauthenticated remote code execution due to SSH command-line argument injection

Cockpit enables users to administer GNU/Linux servers using a web browser. It offers network configuration, log inspection, diagnostic reports, SELinux troubleshooting, interactive command-line sessions, and more. Security Fixes: cockpit: ws: be more explicit when handling hostnames on cli...

cockpit: Unauthenticated remote code execution due to SSH command-line argument injection

An update is available for cockpit. This update affects Rocky Linux 9. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Cockpit enables users to administer GNU/Linux servers using a web browser. It...

RLSA-2026:7384 Critical: cockpit: Unauthenticated remote code execution due to SSH command-line argument injection

Cockpit enables users to administer GNU/Linux servers using a web browser. It offers network configuration, log inspection, diagnostic reports, SELinux troubleshooting, interactive command-line sessions, and more. Security Fixes: cockpit: ws: be more explicit when handling hostnames on cli...

CVE-2026-25244

A flaw was found in WebdriverIO. A remote attacker can exploit a command injection vulnerability by crafting a malicious Git repository with a specially named branch. This branch name, containing shell metacharacters, is unsafely processed during test orchestration. This allows for remote code...

Security Bulletin: There are multiple vulnerabilities in IBM DB2 bundled with IBM Application Performance Management products.

Summary IBM Application Performance Management is vulnerable to denial of service, remote code execution, information disclosures and other vulnerabilities due to bundled product IBM ® Db2. This bulletin identifies the steps to address the vulnerabilities. Vulnerability Details CVEID:CVE-2025-361...

Azure Virtual Network Gateway Remote Code Execution Vulnerability

Improper input validation in Azure Virtual Network Gateway allows an authorized attacker to execute code over a network...

Microsoft Power Pages Remote Code Execution Vulnerability

Improper neutralization of special elements used in a command 'command injection' in Microsoft Power Pages allows an unauthorized attacker to execute code over a network...

Azure Orbital Spatio Remote Code Execution Vulnerability

Unrestricted upload of file with dangerous type in Azure Orbital Spatio allows an unauthorized attacker to execute code over a network...