CVE-2026-45311
CodeWhale is a DeepSeek + MiMo coding agent in terminal. From 0.3.0 to 0.8.23, the runtests tool executes cargo test in the workspace with ApprovalRequirement::Auto, meaning it runs without any user approval prompt. cargo test compiles and executes arbitrary code: test binaries, build.rs build...
gnutls: Certificate validation bypass due to oversized Subject Alternative Name
A flaw was found in gnutls. When validating certificates, an oversized Subject Alternative Name SAN could cause the validation process to incorrectly fall back to checking the Common Name CN field. This could allow a remote attacker to bypass proper certificate validation, potentially leading to...
KLiK SocialMediaWebsite security vulnerability
KLiK SocialMediaWebsite is a simple PHP-based social media website by the individual developer Muhammad Saad. A security vulnerability exists in KLiK SocialMediaWebsite version 1.0, which originates in the HTTP POST Request Parameter Handler component and could lead to injection...
Gallagher Command Centre Service security vulnerability
Gallagher Command Center Service is a security management platform service component of Gallagher New Zealand. A security vulnerability exists in Gallagher Command Centre Service that stems from the insertion of sensitive information into log files, which could lead to the disclosure of service...
CVE-2026-41217 BIG-IP tmsh vulnerability
A vulnerability exists in an undisclosed BIG-IP TMOS Shell tmsh command that may allow an authenticated attacker with resource administrator or administrator role to execute arbitrary system commands with higher privileges. In Appliance mode deployments, a successful exploit can allow the attacke...
Malicious code in @tanstack/eslint-plugin-router (npm)
Source: ghsa-malware ff80f01eaa71625ecdc195880a0c0f1ef71da7fa81d01422abf9634f74b5d6be Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Hackers Hijack JDownloader Site to Deliver Malware Through Installers
JDownloader confirms a security breach where hackers manipulated official download links to distribute malicious files between 6 and 7 May 2026...
BIT-JRE-2025-21587
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: JSSE. Supported versions that are affected are Oracle Java SE:8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24; Oracle GraalVM for JDK:17.0.14, 21.0.6, 24; Oracle...
BIT-JAVA-2023-21830
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Serialization. Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf; Oracle GraalVM Enterprise Edition: 20.3.8 and 21.3.4. Easily exploitable vulnerability allows...
Prosody security vulnerability
Prosody is an instant messaging server software from Prosody open source. A security vulnerability exists in Prosody versions prior to 0.12.6 and versions 1.0.0 through 13.0.0 prior to 13.0.5, which stems from improper handling of access control by modproxy65 in a suspend scenario, which could...
Anti-DDoS Firm Heaped Attacks on Brazilian ISPs
A Brazilian tech firm that specializes in protecting networks from distributed denial-of-service DDoS attacks has been enabling a botnet responsible for an extended campaign of massive DDoS attacks against other network operators in Brazil, KrebsOnSecurity has learned. The firm's chief executive...
listmonk Session Persistence
listmonk has a flaw where sessions persist as valid after password reset and password change. CVE-2026-34828 listmonk’s Session Persistence After Password Reset and Password Change Intro I found this issue while reviewing listmonk, an open-source newsletter and mailing list manager, with a simple...
Malicious code in @c8o/nimbus-core (npm)
Source: amazon-inspector 8225c79aa127203c225df747705db370e11cfae184af100a063b2dfa4eb20eb8 The package @c8o/nimbus-core was found to contain malicious code. Source: ghsa-malware 23fd3197db4264e7b8ef6d65380e017c5b205b46a8e732df586feffcf3c7c7...
MAL-2026-2161 Malicious code in path-external (npm)
Source: amazon-inspector 83954c990d9e7dddb109dea7f9ed24bc8ded6b95da0ed050b43e7486675fc67c The package path-external was found to contain malicious code. Source: ghsa-malware 28650e14b5d9d8ba8bb4df91ca765c3e40d62074928911571fbdbc9af91c4e2d...
MAL-2026-1940 Malicious code in @validates-sdk/v3 (npm)
Source: amazon-inspector 14f6dc99183ad11d3293d19966af14cd33cf7ed4ad00f3de9d6f07e5842a9234 The package @validates-sdk/v3 was found to contain malicious code. Source: ghsa-malware...
MAL-2026-1301 Malicious code in @mmm-otrade/transaction-adapter (npm)
Source: amazon-inspector 6bf4c9f5e8a8d9c59d2880a5aafe18bd8780c33c876d202589f4751d5447ce1c The package @mmm-otrade/transaction-adapter was found to contain malicious code. Source: ghsa-malware...
Malicious code in internationalized (npm)
Source: amazon-inspector 4bb89ff076b952ec364a4b84d4b37a0f83632bea82a2a63b9153d6af9a6145ad The package internationalized was found to contain malicious code. Source: ghsa-malware...
An AI Toy Exposed 50,000 Logs of Its Chats With Kids to Anyone With a Gmail Account
AI chat toy company Bondu left its web console almost entirely unprotected. Researchers who accessed it found nearly all the conversations children had with the company’s stuffed animals...
CVE-2026-0832
The New User Approve plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on multiple REST API endpoints in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to approve or deny use...
CVE-2026-22686
Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.7.0, there is a critical sandbox escape vulnerability in enclave-vm that allows untrusted, sandboxed JavaScript code to execute arbitrary code in the host Node.js runtime. When a tool invocation fails,...