Malicious code in theta-kit (npm)
Source: amazon-inspector (09b0737ff5b0b0768e2314b014529b80609632a38dfdc3a9ad6cfd6ab1da9039). package.json declares postinstall: node dist/index.js, and dist/index.js executes Model.resetor at module top level — meaning both npm install...
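The theta-kit entry hinges on an npm lifecycle hook: anything in `scripts.postinstall` runs automatically on `npm install`. The following is an added example (not part of the advisory or of theta-kit) that scans a package.json for install-time hooks whose command runs code from the package itself, fetches something from the network, or pipes into a shell. The two manifests are constructed fixtures, and the pattern list is a starting point rather than a complete signature set.

```python
import json
import re
from typing import List, Tuple

# Lifecycle hooks npm runs on its own during `npm install`
# ("prepare" runs for git dependencies and for a bare install in the package dir).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed package.json fixtures; neither is the real theta-kit manifest.
SUSPECT_MANIFEST = json.dumps({
    "name": "example-kit",
    "version": "1.0.0",
    "scripts": {"postinstall": "node dist/index.js", "test": "jest"},
})
BENIGN_MANIFEST = json.dumps({
    "name": "example-lib",
    "version": "2.3.1",
    "scripts": {"build": "tsc", "test": "jest"},
})

# Commands in an install hook that deserve a manual look: executing a file shipped
# in the tarball, downloading with curl/wget, or handing a string to a shell.
RISKY = re.compile(
    r"\bnode\b|\bcurl\b|\bwget\b|\|\s*(sh|bash)\b|\bpowershell\b|\beval\b",
    re.IGNORECASE,
)


def flag_install_hooks(manifest_text: str) -> List[Tuple[str, str]]:
    """Return (hook, command) pairs for install-time scripts that match RISKY."""
    pkg = json.loads(manifest_text)
    scripts = pkg.get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if isinstance(cmd, str) and RISKY.search(cmd):
            findings.append((hook, cmd))
    return findings


if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, flag_install_hooks(manifest))
```

A finding is a prompt to read the referenced file before installing, not proof of malice; many legitimate native packages use a postinstall hook to build or download prebuilt binaries. Where the scan is not practical, `npm install --ignore-scripts` (or `ignore-scripts=true` in .npmrc) stops every lifecycle hook from running at all.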
CVE-2026-8140 Concrete CMS 9.5.0 and below is vulnerable to CSRF on download() in the package install controller
Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/install/download/. The download method in concrete/controllers/single_page/dashboard/extend/install.php checks only the canInstallPackages permission before fetching a remote marketplace...
CVE-2026-8140
CVE-2026-8140 affects Concrete CMS 9.5.0 and below. The issue is a CSRF vulnerability in the download() function of concrete/controllers/single_page/dashboard/extend/install.php, which does not validate a CSRF token before processing requests to /dashboard/extend/install/download/. The function o...
exploit900
GoldHEN - PS4 Homebrew Enabler...
MAL-2026-2138 Malicious code in open-vp-cal (PyPI)
Source: kam193 (ab8c06b5d7e9b98d62708ab7377d9e18a214e884c69b0c7217979121aed06917). When executing the module, the code installs a package from a remote location. The remote package contains malicious code exfiltrating selected env variables a...
EUVD-2019-19052
Malware in sbrugna...
EUVD-2019-10289
Malware in sbrugna...
MAL-2025-3747 Malicious code in @myop/angular-remote (npm)
Source: ghsa-malware (4c529845135f67681059adf0cf2c0ef30da66673da293016d5c193e8162f8070). Withdrawn Advisory: This advisory has been withdrawn because @myop/angular-remote is not malware. This link is maintained to preserve external references...
GHSA-78M5-JPMF-CH7V GuardDog vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package
Summary: Unsafe extraction using shutil.unpack_archive from a remotely retrieved tarball may lead to writing the extracted file to an unintended destination. Details: Extracting files using shutil.unpack_archive from a potentially malicious tarball without validating that the destination file path is...
Democritus Project code issue vulnerability
Democritus Project is a collection of simple, effective, modular, well-tested and well-documented features from Democritus. A code execution vulnerability exists in Democritus Project d8s-yaml version 0.1.0, which stems from the presence of a potential code-execution package, democritus-file-syste...
A vulnerability in the package management subsystem of the Remote Package Manager (RPM) of the Cisco IOS XR network operating system for Cisco 8000 series routers allows an attacker to access the Redis database running in the NOSi container.
The vulnerability in the package management subsystem of the Remote Package Manager (RPM) of the Cisco IOS XR network operating system for Cisco 8000 series routers is related to the exposure of protected information. Exploiting this vulnerability could allow an attacker to gain access to the Redis...
python-pip: directory traversal in _download_http_url() function in src/pip/_internal/download.py
A flaw was found in the pip package installer for Python when downloading or installing a remote package via a specified URL. Improper validation of the "Content-Disposition" HTTP response header makes a path traversal attack possible, leading to an arbitrary file overwrite. This flaw allows an...
Cisco NX-OS Software Remote Package Manager Command Injection Vulnerability (cisco-sa-20190515-nxos-rpm-injec)
According to its self-reported version, Cisco NX-OS Software is affected by the following vulnerability: A vulnerability in the Remote Package Manager (RPM) subsystem of Cisco NX-OS Software could allow an authenticated, local attacker with administrator credentials to leverage a time-of-check,...
A vulnerability exists in the package management subsystem of the Cisco NX-OS network operating system that allows a malicious actor to execute arbitrary commands.
The vulnerability in the package management subsystem of the Remote Package Manager (RPM) of the Cisco NX-OS network operating system on Cisco devices is related to a synchronization error when using a shared resource (a race condition). Exploiting this vulnerability could allow an attacker to execute...
Directory Traversal
pip is vulnerable to directory traversal. During installation of a remote package via pip install with a URL, a malicious server can send a Content-Disposition header containing ../ in the filename; that filename is joined to the temporary directory to form the download path, which allows for arbitrary file write and potentially code...
CVE-2019-1732
A vulnerability in the Remote Package Manager RPM subsystem of Cisco NX-OS Software could allow an authenticated, local attacker with administrator credentials to leverage a time-of-check, time-of-use TOCTOU race condition to corrupt local variables, which could lead to arbitrary command injectio...
Race condition
A vulnerability in the Remote Package Manager RPM subsystem of Cisco NX-OS Software could allow an authenticated, local attacker with administrator credentials to leverage a time-of-check, time-of-use TOCTOU race condition to corrupt local variables, which could lead to arbitrary command injectio...
CVE-2019-9686
pacman before 5.1.3 allows directory traversal when installing a remote package via a specified URL (pacman -U with a URL) due to an unsanitized file name received from a Content-Disposition header. pacman renames the downloaded package file to match the name given in this header. However, pacman did not...
Directory traversal
pacman before 5.1.3 allows directory traversal when installing a remote package via a specified URL (pacman -U with a URL) due to an unsanitized file name received from a Content-Disposition header. pacman renames the downloaded package file to match the name given in this header. However, pacman did not...
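The pip and pacman entries above are the same defect in two package managers: a server-controlled Content-Disposition filename is joined to a local directory without being reduced to a bare file name. The following is an added example, not code from pip, pacman, or either advisory, that parses the header with the standard library, shows the vulnerable join beside a hardened one, and checks where each path actually resolves. The scratch directory and both header values are constructed; POSIX path semantics are assumed.

```python
import os
from email.message import Message
from typing import Optional

# Stand-in for the downloader's temporary directory (constructed).
TMPDIR = "/tmp/pip-download-abc123"

# Constructed sample response headers. The first is what a hostile mirror would send.
HOSTILE = 'attachment; filename="../../../../root/.ssh/authorized_keys"'
BENIGN = 'attachment; filename="requests-2.31.0.tar.gz"'


def filename_from_header(value: str) -> Optional[str]:
    """Parse a Content-Disposition value and return its filename parameter, unsanitized.
    email.message.Message is the stdlib replacement for the removed cgi.parse_header."""
    msg = Message()
    msg["content-disposition"] = value
    return msg.get_filename()


def escapes_dir(path: str, base: str = TMPDIR) -> bool:
    """True when the normalized path no longer sits under base."""
    base_abs = os.path.abspath(base)
    return os.path.commonpath([base_abs, os.path.abspath(path)]) != base_abs


def vulnerable_download_path(header: str, tmpdir: str = TMPDIR) -> str:
    """The original defect: the server-supplied name is joined as-is, so "../" walks
    out of tmpdir and the later write lands wherever the server chose."""
    name = filename_from_header(header) or "download"
    return os.path.join(tmpdir, name)


def safe_download_path(header: str, tmpdir: str = TMPDIR) -> str:
    """Hardened form: keep only the final path component, reject degenerate names,
    and verify the result still resolves inside tmpdir."""
    name = filename_from_header(header) or "download"
    # Normalize Windows separators first so basename cannot be bypassed with "\".
    name = os.path.basename(name.replace("\\", "/"))
    if name in ("", ".", ".."):
        raise ValueError(f"unusable filename from server: {name!r}")
    path = os.path.join(tmpdir, name)
    if escapes_dir(path, tmpdir):  # defence in depth; basename should already guarantee this
        raise ValueError("filename escapes download directory")
    return path


if __name__ == "__main__":
    for header in (HOSTILE, BENIGN):
        p = vulnerable_download_path(header)
        print("vulnerable:", os.path.normpath(p), "(escapes)" if escapes_dir(p) else "")
        print("hardened:  ", safe_download_path(header))
```

Reducing to a basename is the whole fix; the trailing containment check is there so that a future change to the name handling fails closed instead of silently reopening the traversal. For a real downloader, the same check should also apply to the file name taken from the URL path when no Content-Disposition header is present.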