Lucene search

128 matches found

OSV
added 6 days ago | 6 views

MAL-2026-5615 Malicious code in sysau (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4b2cf08a271605de33b2c202bb8a5a6689251e9a4711a628a88c57ebf0ec4f07 On install/load, index.js auto-runs a bootstrap that silently installs Python 3.12 via winget, falling back to a /quiet curl of python-3.12.3-amd64.e...

5.6 AI score
Exploits: 0 | References: 1
Debian CVE
added 2026/06/10 8:26 p.m. | 5 views

CVE-2026-48110

Russh is a Rust SSH client & server library. From version 0.34.0 to before version 0.61.0, several russh client and server message handlers decoded attacker-controlled SSH strings, name-lists, and byte fields into owned allocations before applying field-specific bounds. A remote SSH peer could se...

7.5 CVSS | 5.5 AI score | 0.00268 EPSS
Exploits: 0
Tenable Nessus
added 2026/06/08 12:0 a.m. | 7 views

Amazon Linux 2 : vorbis-tools, --advisory ALAS2-2026-3349 (ALAS-2026-3349)

The version of vorbis-tools installed on the remote host is prior to 1.4.0-13. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3349 advisory. A buffer underflow vulnerability has been identified in the ogg123 utility from the vorbis-tools 1.4.3 package in function...

8.2 CVSS | 5.8 AI score | 0.00488 EPSS
Exploits: 0 | References: 4
Snyk
added 2026/06/03 2:7 a.m. | 6 views

Improper Resource Shutdown or Release

Overview: dask is a Parallel PyData with Task Scheduling. Affected versions of this package are vulnerable to Improper Resource Shutdown or Release through the computehllarray function in the HLL Handler component. An attacker can cause excessive resource consumption by remotely invoking this...

3.1 CVSS | 5.3 AI score | 0.00287 EPSS
Exploits: 0 | References: 2
Vulnrichment
added 2026/05/31 7:0 a.m. | 6 views

CVE-2026-10173 Orthanc Explorer 2 URL StudyList.vue cross site scripting

A weakness has been identified in Orthanc Explorer 2 up to 1.12.0. The impacted element is an unknown function of the file WebApplication/src/components/StudyList.vue of the component URL Handler. This manipulation of the argument remote-source causes cross site scripting. It is possible to...

5.3 CVSS | 4.2 AI score | 0.00273 EPSS
Exploits: 0 | References: 6
RedhatCVE
added 2026/05/18 11:53 a.m. | 5 views

CVE-2026-34253

A flaw was found in the ogg123 utility of the vorbis-tools package. This buffer underflow vulnerability occurs in the remote control functionality when processing malformed input. A remote attacker could exploit this to cause application crashes and potentially achieve arbitrary code execution...

8.2 CVSS | 6.1 AI score | 0.00488 EPSS
Exploits: 0 | References: 6
RedhatCVE
added 2026/05/12 10:9 a.m. | 8 views

CVE-2026-43894

A flaw was found in jq, a tool used for processing JSON data from the command line. A remote attacker can exploit a vulnerability by providing a specially crafted large number as input. This can cause an internal calculation error, leading to a memory overflow where the attacker can write their o...

6.2 CVSS | 5.8 AI score | 0.00158 EPSS
Exploits: 1 | References: 4
CVE
added 2026/05/07 2:4 p.m. | 9 views

CVE-2026-32686

The issue CVE-2026-32686 affects the Elixir/Erlang decimal library (ericmj decimal): parsing an unbounded exponent (e.g., 1e1000000000) can lead to memory growth when performing arithmetic, conversion, or comparison, causing out-of-memory crashes. Impacted operations include Decimal.add/2, Decima...

6.9 CVSS | 5.8 AI score | 0.00321 EPSS
Exploits: 0 | References: 4
AstraLinux
added 2026/05/03 11:59 p.m. | 3 views

Astra Linux – Vulnerability in Linux, Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: misc/libmasm/module: Two use-after-free operations in ibmasminitone have been fixed. In ibmasminitone, it calls ibmasminitremoteinputdev. Inside ibmasminitremoteinputdev, mousedev and keybddev are allocated by inputallocatedevice...

7.8 CVSS | 5.8 AI score | 0.00278 EPSS
Exploits: 0 | References: 2
Snyk
added 2026/04/09 9:31 p.m. | 2 views

Arbitrary Command Injection

Overview: metagpt is a The Multi-Agent Framework. Affected versions of this package are vulnerable to Arbitrary Command Injection via the getmimetype function. An attacker can execute arbitrary operating system commands by supplying crafted input remotely. Remediation: A fix was pushed into the mast...

9.8 CVSS | 7.8 AI score | 0.02283 EPSS
Exploits: 1 | References: 2
Snyk
added 2026/04/06 8:11 a.m. | 3 views

Arbitrary Code Injection

Overview: gpt-researcher is a GPT Researcher is an autonomous agent designed for comprehensive web research on any task. Affected versions of this package are vulnerable to Arbitrary Code Injection in the extractcommanddata function of the /ws endpoint. An attacker can execute arbitrary code by...

7.5 CVSS | 6.3 AI score | 0.00311 EPSS
Exploits: 0 | References: 2
Vulnrichment
added 2026/04/02 8:20 p.m. | 0 views

CVE-2026-35466 Stored XSS via unsanitized input from remote service

XSS vulnerability in cveInterface.js allows for injected HTML to be passed to display, as cveInterface trusts input from CVE API services...

5.9 AI score | 0.00204 EPSS
Exploits: 0 | References: 2
CVE
added 2026/04/02 8:20 p.m. | 8 views

CVE-2026-35466

CVE-2026-35466 describes a stored XSS in cveInterface.js caused by unsanitized input from remote CVE API services. Multiple sources (NVD, Red Hat, ENISA, CIRCL, CVE List, ATT&CK references) reiterate the vulnerability, with the NVD metrics showing MEDIUM severity (CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:...

6.1 CVSS | 5.8 AI score | 0.00204 EPSS
Exploits: 0 | References: 2 | Affected Software: 1
NVD
added 2026/03/12 11:15 a.m. | 4 views

CVE-2026-3234

A flaw was found in modproxycluster. This vulnerability, a Carriage Return Line Feed (CRLF) injection in the decodeenc function, allows a remote attacker to bypass input validation. By injecting CRLF sequences into the cluster configuration, an attacker can corrupt the response body of INFO endpoin...

4.3 CVSS | 0.00332 EPSS
Exploits: 0 | References: 2
Cvelist
added 2025/12/04 8:43 p.m. | 21 views

CVE-2025-66555 AirKeyboard iOS App 1.0.5 - Remote Input Injection

AirKeyboard iOS App 1.0.5 contains a missing authentication vulnerability that allows unauthenticated attackers to type arbitrary keystrokes directly into the victim's iOS device in real-time without user interaction, resulting in full remote input control...

8.8 CVSS | 0.00489 EPSS
Exploits: 0 | References: 4
Vulnrichment
added 2025/12/04 8:43 p.m. | 2 views

CVE-2025-66555 AirKeyboard iOS App 1.0.5 - Remote Input Injection

AirKeyboard iOS App 1.0.5 contains a missing authentication vulnerability that allows unauthenticated attackers to type arbitrary keystrokes directly into the victim's iOS device in real-time without user interaction, resulting in full remote input control...

8.8 CVSS | 6.8 AI score | 0.00489 EPSS
Exploits: 0 | References: 4
EUVD
added 2025/12/04 8:43 p.m. | 4 views

EUVD-2025-201279

AirKeyboard iOS App 1.0.5 contains a missing authentication vulnerability that allows unauthenticated attackers to type arbitrary keystrokes directly into the victim's iOS device in real-time without user interaction, resulting in full remote input control...

8.8 CVSS | 6.7 AI score | 0.00489 EPSS
Exploits: 0 | References: 5
CVE
added 2025/12/04 8:43 p.m. | 14 views

CVE-2025-66555

AirKeyboard iOS App 1.0.5 is vulnerable due to missing authentication, enabling unauthenticated remote keystroke injection in real time and full input control on the victim device. Root cause: lack of authentication; impact includes arbitrary input and potential data exposure. Exploitation detail...

8.8 CVSS | 6.8 AI score | 0.00489 EPSS
Exploits: 0 | References: 4
RedHat Linux
added 2025/11/12 8:15 a.m. | 1 views

kernel: NFS: Fix filehandle bounds checking in nfs_fh_to_dentry()

An out-of-boundary read flaw in the Linux kernel NFS functionality was found in the way a connected user sends malicious data to the server. A remote user could use this flaw to crash the system...

7.8 CVSS | 5.8 AI score | 0.00181 EPSS
Exploits: 0 | References: 5
Tenable Nessus
added 2025/11/05 12:0 a.m. | 0 views

Unity Linux 20.1070a Security Update: kernel (UTSA-2025-989772)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-989772 advisory. In the Linux kernel, the following vulnerability has been resolved: misc/libmasm/module: Fix two use after free in ibmasminitone In ibmasminitone, it calls...

7.8 CVSS | 6.2 AI score | 0.00278 EPSS
Exploits: 0 | References: 4