RLSA-2025:11324 Important: cloud-init security update

The cloud-init packages provide a set of init scripts for cloud instances. Cloud instances need special scripts to run during initialization to retrieve and install SSH keys, and to let the user run various scripts. Security Fixes: cloud-init: Cloud init permissions flaw CVE-2024-6174 For more...

auth0-templates-scripts (=80.0.4) potentially affected by unknown CVE via auth0-templates-scripts-utils (=1.0.5)

auth0-templates-scripts-utils NPM version =1.0.5 is affected by a known vulnerability. The following packages have a transitive dependency on auth0-templates-scripts-utils and may be impacted: - auth0-templates-scripts =80.0.4 Source cves: unknown CVE Source advisory: OSV:MAL-2026-4490...

MAL-2026-4489 Malicious code in auth0-templates-scripts (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1bc0f40b778be080e2a14dd0097ab772565cc570f5fd471f10e883f259be2db6 Package name 'auth0-templates-scripts' impersonates the Auth0 Okta brand without affiliation. The author field is the placeholder 'OpenSource...

[SECURITY] Fedora 44 Update: proftpd-1.3.9a-2.fc44

ProFTPD is an enhanced FTP server with a focus toward simplicity, security, and ease of configuration. It features a very Apache-like configuration syntax, and a highly customizable server infrastructure, including support for multiple 'virtual' FTP servers, anonymous FTP, and permission-based...

CVE-2026-9144

Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains a stored cross-site scripting vulnerability in the embedded web configuration interface that allows authenticated attackers to execute persistent JavaScript by fragmenting malicious payloads across multiple administrative form fields...

Malicious code in @vivaux/telemetry (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e0a848407f225f6d34a9d48d9619b517c80e007c2a12c20a341e48cb7f907f81 @vivaux/[email protected] ships an empty index.js and exists only to pull in an off-registry dependency. package.json declares "ltidisafe":...

MAL-2026-4463 Malicious code in @vivaux/telemetry (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e0a848407f225f6d34a9d48d9619b517c80e007c2a12c20a341e48cb7f907f81 @vivaux/[email protected] ships an empty index.js and exists only to pull in an off-registry dependency. package.json declares "ltidisafe":...

poc-lab

VulnClaw-PoC PoC & reproduction scripts for recently disclo...

Typosquatting Is No Longer a User Problem. It's a Supply Chain Problem

AI-generated lookalike domains are now embedded inside the third-party scripts running on your web properties. Here's why your current stack can't see them, and what detection actually requires. Download the CISO Expert Guide to Typosquatting in the AI Era → TL;DR Typosquatting is no longer a use...

Astra Linux - уязвимость в firefox, thunderbird

If an attacker could control the contents of an iframe that was sandboxed using allow-popups but not allow-scripts, they could create a link that, when clicked, would cause JavaScript execution, violating the sandboxing rules. This vulnerability affects Firefox 98, Firefox ESR 91.7, and Thunderbi...

Astra Linux - уязвимость в zabbix

Reflected XSS attacks occur when a malicious script is reflected from a web application into the victim’s browser. The script can be activated through action form fields, which are sent as requests to a website with vulnerabilities that allow the execution of malicious scripts...

Astra Linux - уязвимость в firefox, thunderbird

If a document creates a sandboxed iframe without allow-scripts, and then appends an element to the iframe’s document that has a JavaScript event handler—the event handler will still be executed despite the iframe being in a sandbox. This vulnerability affects Firefox versions earlier than 97,...

Astra Linux - уязвимость в apache2

Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in apstrcmpmatch, especially when an extremely large input buffer is used. Although no code distributed with the server can be forced to make such a call, third-party modules or Lua scripts that us...

Astra Linux - уязвимость в lxml

Lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html allowed certain crafted script content to pass through, as well as script content in SVG files embedded using data URIs. Users who use the HTML Cleaner in a security-related...

Astra Linux - уязвимость в zabbix

JavaScript preprocessing, webhooks, and global scripts can lead to uncontrolled utilization of CPU, memory, and disk I/O resources. The ability to preprocess/webhook/configure and test global scripts is only available to Administrative roles Admin and Superadmin. Administrative privileges should...

Malicious code in @serviceshub/x-web-core (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1cd81c2623e8f621801dcbfbf7d7eb8745bf702f1d5e85e410872400c7d2eea7 Package ships a trivial index.js module.exports = ; and exists solely to pull a direct-URL tarball dependency at install time. package.json line 9...

CVE-2026-8419

The Amazon Scraper plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scrip...

CVE-2026-6399

The General Options plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.1.0. This is due to the use of sanitizetextfield for output escaping in the Contact Number adcontactnumber field — a function that strips HTML tags but does not encode...

CVE-2026-5293

The 診断ジェネレータ作成プラグイン Diagnosis Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'js' parameter in versions up to and including 1.4.16. This is due to missing authorization checks and insufficient input sanitization in the themeFunc function. The function is hooke...

CVE-2026-6391

The Sentence To SEO keywords, description and tags plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the createadminpage function. This makes it possible for unauthenticated attackers...