FreeBSD Security Advisory - FreeBSD-SA-26:15.dhclient

FreeBSD Security Advisory - As dhclient is building an environment to pass to dhclient-script, it may need to resize the array of string pointers. The code which expands the array incorrectly calculates its new size when requesting memory, resulting in a heap buffer overrun...

PT-2026-36035

Name of the Vulnerable Software and Affected Versions GitLab CE/EE versions 9.0 through 18.9.6 GitLab CE/EE versions 18.10 through 18.10.5 GitLab CE/EE versions 18.11 through 18.11.2 Description Insufficient input validation allows an unauthenticated user to cause a denial of service by sending...

PT-2026-35992

Name of the Vulnerable Software and Affected Versions MyBB Recent threads version 17.0 Description A persistent cross-site scripting issue allows attackers to inject malicious scripts by creating threads with crafted subject lines. By using script tags in the subject parameter, an attacker can...

Jenkins plugins Multiple Vulnerabilities (2026-04-29)

According to their self-reported version numbers, the version of Jenkins plugins running on the remote web server are affected by multiple vulnerabilities: - High HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file. This results in a stored cross-site...

CVE-2025-56537

A stored cross-site scripting XSS vulnerability in opennebula v6.10.0.1 and fixed in v.7.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the virtual network template parameter...

Cross-site Scripting (XSS)

Overview phpoffice/phpspreadsheet is a Spreadsheet engine that Read, Create and Write Spreadsheet documents in PHP . Affected versions of this package are vulnerable to Cross-site Scripting XSS in the HTML generation process when a cell uses a custom number format containing the @ text placeholde...

Embedded Malicious Code

Overview @cap-js/postgres is a CDS database service for Postgres Affected versions of this package are vulnerable to Embedded Malicious Code that conceals an obfuscated payload designed to steal developer credentials during the package installation. The malicious versions and their contents are...

Embedded Malicious Code

Overview mbt is a that triggers an 11.6 MB heavily obfuscated script execution.js during package installation. Once executed on a developer's machine, the malware steals the developer's credentials and weaponizes them to automatically create public GitHub repositories under the victim's account...

Embedded Malicious Code

Overview @cap-js/db-service is a CDS base database service Affected versions of this package are vulnerable to Embedded Malicious Code that conceals an obfuscated payload designed to steal developer credentials during the package installation. The malicious versions and their contents are activel...

Embedded Malicious Code

Overview @cap-js/sqlite is a CDS database service for SQLite Affected versions of this package are vulnerable to Embedded Malicious Code that conceals an obfuscated payload designed to steal developer credentials during the package installation. The malicious versions and their contents are...

EUVD-2026-26098

OpenClaw before 2026.3.28 contains an exec allowlist bypass vulnerability where allow-always persistence fails to unwrap /usr/bin/script and similar wrappers before storing trust decisions. Attackers can obtain user approval for one wrapped command to persist trust for wrapper binaries that execu...

CVE-2026-41390 OpenClaw < 2026.3.28 - Exec Allowlist Bypass via Unregistered /usr/bin/script Wrapper

OpenClaw before 2026.3.28 contains an exec allowlist bypass vulnerability where allow-always persistence fails to unwrap /usr/bin/script and similar wrappers before storing trust decisions. Attackers can obtain user approval for one wrapped command to persist trust for wrapper binaries that execu...

CVE-2026-41390

CVE-2026-41390 affects OpenClaw prior to 2026.3.28. The vulnerability is an exec allowlist bypass where allow-always persistence does not unwrap wrappers (e.g., /usr/bin/script) before storing trust decisions, enabling a user-approved wrapped command to persist trust for a wrapper that later exec...

Malicious code in kcvlib (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 4a441a8e0abdd54964ca9e0a5e3a1d0e0c0435f05d80ab9e9210e10194a16f3d During import, the package downloads and executes obfuscated code. It appears to be an infostealer framework --- Category: MALICIOUS - The campaign has clearly...

MAL-2026-3131 Malicious code in kcvlib (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 4a441a8e0abdd54964ca9e0a5e3a1d0e0c0435f05d80ab9e9210e10194a16f3d During import, the package downloads and executes obfuscated code. It appears to be an infostealer framework --- Category: MALICIOUS - The campaign has clearly...

Malicious code in genmedia-izumi-agent (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 6afd24d0d974a2b6b82c9aa120945d1c531a3ea17e81bbdf526890f2f0e18905 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

CVE-2026-7272 WilliamCloudQi matlab-mcp-server MCP index.ts execute_matlab_code path traversal

A flaw has been found in WilliamCloudQi matlab-mcp-server up to ab88f6b9bf5f36f725e8628029f7f6dd0d9913ca. The affected element is the function generatematlabcode/executematlabcode of the file src/index.ts of the component MCP Interface. Executing a manipulation of the argument scriptPath can lead...

CVE-2026-7272

The CVE-2026-7272 entry concerns WilliamCloudQi matlab-mcp-server (up to ab88f6b9bf5f36f725e8628029f7f6dd0d9913ca). The vulnerability is rooted in the function generate_matlab_code/execute_matlab_code within src/index.ts of the MCP Interface, where manipulating the scriptPath argument enables pat...

CVE-2026-7272

A flaw has been found in WilliamCloudQi matlab-mcp-server up to ab88f6b9bf5f36f725e8628029f7f6dd0d9913ca. The affected element is the function generatematlabcode/executematlabcode of the file src/index.ts of the component MCP Interface. Executing a manipulation of the argument scriptPath can lead...

CVE-2026-7272 WilliamCloudQi matlab-mcp-server MCP index.ts execute_matlab_code path traversal

A flaw has been found in WilliamCloudQi matlab-mcp-server up to ab88f6b9bf5f36f725e8628029f7f6dd0d9913ca. The affected element is the function generatematlabcode/executematlabcode of the file src/index.ts of the component MCP Interface. Executing a manipulation of the argument scriptPath can lead...