SQL Injection

Overview Affected versions of this package are vulnerable to SQL Injection via the AddressRepository::getSqlQuery method that constructs a database query without properly sanitizing user input, leading to SQL Injection. The method is not invoked anywhere within the extension itself and therefore...

MAL-2026-4644 Malicious code in power-platform-playwright-toolkit (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 57967d58233d74f2fc4f9b0dee7c050370eb388050df8d63f29e719f83468d73 On npm install, the package's postinstall script postinstall.js collects host identifiers and CI context — whoami, os.hostname, os.platform, cwd, CI,...

EUVD-2026-31598

A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5.3.0. The vulnerability allows an attacker to craft a malicious config.json file containing the attnimplementationinternal field set to an attacker-controlled HuggingFac...

Malicious code in pewter-constants (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3c9f898fe8ed95b1d549bfff91d7c0dda0f75ada1c32a58af144940cf28b23c5 On npm install, a preinstall hook in callback.js collects os.hostname, os.userInfo.username, process.cwd, the configured npm registry...

Malicious code in dds-js-idl-types (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 68e8941c301603919022f1d67d311d576d5d5efcac7ed7cb0d3526cb71e829d6 On npm install, the package's postinstall.js runs whoami and reads os.hostname, os.platform, the current working directory, and CI-related environmen...

LDAP Injection

Overview Affected versions of this package are vulnerable to LDAP Injection via the LdapCertificateRepo of the XKMS server. An attacker can retrieve arbitrary certificates from the repository by injecting crafted LDAP queries. Remediation Upgrade...

CVE-2026-44930

An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue...

CVE-2026-44930

Technical details are not publicly available in the provided documents. Monitor for updates.

EUVD-2026-31433

An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue...

CVE-2026-44930

An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue...

CVE-2026-44930 Apache CXF: LDAP Injection vulnerability in XKMS LDAP Repository

An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue...

Malicious Package

Overview python-env-auditor is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Malicious Package

Overview credential-verification-cli is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

PT-2026-42755

Name of the Vulnerable Software and Affected Versions Apache CXF versions prior to 4.2.1 Apache CXF versions prior to 4.1.6 Apache CXF versions prior to 3.6.11 Description An LDAP injection issue exists in the LDAP Certificate repository of the XKMS server. This allows an attacker to retrieve...

CVE-2026-48243

Open ISES Tickets before 3.44.2 embeds a hardcoded WhitePages reverse-phone API key in wp1.php that is committed to the public source repository. Any actor with read access to the source tree can extract the key and use it to make third-party API calls billed to or rate-limited against the origin...

CVE-2026-48244

Open ISES Tickets before 3.44.2 embeds a hardcoded Google Maps API key in settings.inc.php that is committed to the public source repository. The key can be extracted by anyone with read access to the source and used to make Google Maps Platform requests billed against the original owner's Google...

CVE-2026-48241

Open ISES Tickets before 3.44.2 contains hardcoded MySQL database credentials in loader.php a public-facing database utility that are committed to the source repository. Any actor with access to the public source tree or an unauthenticated attacker with read access to the file on a deployed...

CVE-2026-48242

Open ISES Tickets before 3.44.2 contains hardcoded MySQL database connection credentials host, username, password, database name in importmdb.php. The credentials are embedded in source code committed to the public repository, allowing any reader of the source to obtain valid configuration values...

CVE-2026-48245

Open ISES Tickets before 3.44.2 embeds a hardcoded Google Maps API key in tables.php that is committed to the public source repository. The key can be extracted by anyone with read access to the source and used to make Google Maps Platform requests billed against the original owner's Google Cloud...

CVE-2026-48245

Open ISES Tickets before 3.44.2 contain a hardcoded Google Maps API key in tables.php that was committed to a public repository. The key can be read by anyone with repository access and used to incur Google Maps Platform charges on the owner’s Google Cloud project. Public remediation is available...