Lucene search
K

3380 matches found

OSSF Malicious Packages
OSSF Malicious Packages
added 4 days ago8 views

Malicious code in express-router-engine (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 49091d8e8923e3e709cebd14f01ee1617267bf3f9b6be99052603715b7cf9f70 The sole shipped file index.js is a heavily obfuscated RC4 + base64 string-array, 337-entry rotated array, control-flow flattening IIFE that executes...

6.1AI score
Exploits0References4
CVE
CVE
added 2026/06/29 2:3 p.m.24 views

CVE-2026-46406

CVE-2026-46406 affects @anthropic-ai/claude-code versions 2.1.59 through 2.1.128. The /copy command writes responses to a hardcoded, predictable path (/tmp/claude/response.md) with UID isolation, randomness, and symlink protections missing. The file is world-readable (0644) in a world-traversable...

6.1CVSS5.9AI score0.00149EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/06/29 2:3 p.m.36 views

CVE-2026-46406 Claude Code: Insecure Temporary File in /copy Command Enables Response Disclosure and Symlink-Based File Write

Claude Code is an agentic coding tool. From 2.1.59 until 2.1.128, the Claude Code /copy command wrote responses to a hardcoded, predictable path /tmp/claude/response.md without UID isolation, randomness, or symlink protection. The file was created world-readable 0644 in a world-traversable...

4.4CVSS0.00149EPSS
Exploits0References1
NVD
NVD
added 2026/06/29 12:16 p.m.10 views

CVE-2026-41991

GNU gzip contains a vulnerability in the gzexe utility related to insecure temporary file handling. When the mktemp utility is not available in the user’s PATH, gzexe falls back to constructing a temporary file path based solely on the process ID PID. This predictable filename is created without...

4.7CVSS0.00105EPSS
Exploits0References3
OSV
OSV
added 2026/06/29 12:16 p.m.4 views

UBUNTU-CVE-2026-41991

GNU gzip contains a vulnerability in the gzexe utility related to insecure temporary file handling. When the mktemp utility is not available in the user’s PATH, gzexe falls back to constructing a temporary file path based solely on the process ID PID. This predictable filename is created without...

4.7CVSS5.9AI score0.00105EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/06/29 10:15 a.m.5 views

CVE-2026-41991

GNU gzip contains a vulnerability in the gzexe utility related to insecure temporary file handling. When the mktemp utility is not available in the user’s PATH, gzexe falls back to constructing a temporary file path based solely on the process ID PID. This predictable filename is created without...

2CVSS5.9AI score0.00105EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/29 10:15 a.m.7 views

EUVD-2026-40068

GNU gzip contains a vulnerability in the gzexe utility related to insecure temporary file handling. When the mktemp utility is not available in the user’s PATH, gzexe falls back to constructing a temporary file path based solely on the process ID PID. This predictable filename is created without...

2CVSS5.9AI score0.00105EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/29 10:15 a.m.53 views

CVE-2026-41991 Predictable Temporary File in GNU gzip

GNU gzip contains a vulnerability in the gzexe utility related to insecure temporary file handling. When the mktemp utility is not available in the user’s PATH, gzexe falls back to constructing a temporary file path based solely on the process ID PID. This predictable filename is created without...

2CVSS0.00105EPSS
Exploits0References3
CVE
CVE
added 2026/06/29 10:15 a.m.33 views

CVE-2026-41991

CVE-2026-41991 affects GNU gzip’s gzexe utility, where insecure temporary file handling creates a TOCTOU vulnerability. If mktemp is unavailable in PATH, gzexe constructs a PID-based temporary path without exclusive access or existence checks. A local attacker can pre-create the predicted path as...

4.7CVSS5.9AI score0.00105EPSS
Exploits0References3Affected Software1
AlpineLinux
AlpineLinux
added 2026/06/29 10:15 a.m.4 views

CVE-2026-41991

GNU gzip contains a vulnerability in the gzexe utility related to insecure temporary file handling. When the mktemp utility is not available in the user’s PATH, gzexe falls back to constructing a temporary file path based solely on the process ID PID. This predictable filename is created without...

4.7CVSS5.9AI score0.00105EPSS
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/29 4:9 a.m.11 views

Malicious code in date-uuid (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 58dffbe61370f78deed5bacbc8f6bc46a8a989f03da218643a41b52ed025fa6a Package advertised as a UUIDv7 helper, but on require/import it auto-invokes extractDateISO in bootstrap.js, which reads README.md from process.cwd,...

5.8AI score
Exploits0References5
Snyk
Snyk
added 2026/06/25 4:53 p.m.5 views

Insecure Temporary File

Overview @anthropic-ai/claude-code is an Use Claude, Anthropic's AI assistant, right from your terminal. Claude can understand your codebase, edit files, run terminal commands, and handle entire workflows for you. Affected versions of this package are vulnerable to Insecure Temporary File via the...

6.1CVSS6AI score0.00149EPSS
Exploits0References3
OSV
OSV
added 2026/06/25 4:53 p.m.3 views

GHSA-4VP2-6Q8C-PVQ2 @anthropic-ai/claude-code has an Insecure Temporary File in /copy Command that Enables Response Disclosure and Symlink-Based File Write

The Claude Code /copy command wrote responses to a hardcoded, predictable path /tmp/claude/response.md without UID isolation, randomness, or symlink protection. The file was created world-readable 0644 in a world-traversable directory 0755, allowing any local user to read a privileged user's Clau...

4.4CVSS5.9AI score0.00149EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/25 4:53 p.m.22 views

@anthropic-ai/claude-code has an Insecure Temporary File in /copy Command that Enables Response Disclosure and Symlink-Based File Write

The Claude Code /copy command wrote responses to a hardcoded, predictable path /tmp/claude/response.md without UID isolation, randomness, or symlink protection. The file was created world-readable 0644 in a world-traversable directory 0755, allowing any local user to read a privileged user's Clau...

6.1CVSS5.9AI score0.00149EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/06/25 7:21 a.m.6 views

MAL-2026-6457 Malicious code in subsearch (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 04245cd013e6aa9edb766cf14249c9dd6abd19d6beb9671c22a1a8bbbff3d511 The package's main entry index.js is the only file of substance and is wrapped in obfuscator.io string-array + RC4 obfuscation that hides every liter...

6AI score
Exploits0References3
AstraLinux
AstraLinux
added 2026/06/24 3:11 p.m.4 views

Astra Linux – Vulnerability in imagemagick

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, when temporary file creation failed, readinfo was destroyed before its filename member could be accessed, resulting in a NULL pointer dereference and system...

7.5CVSS7AI score0.00376EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2026/06/18 12:0 a.m.8 views

Siemens RUGGEDCOM RST2428P Path Traversal (CVE-2025-7039)

A flaw was found in glib. An integer overflow during temporary file creation leads to an out-of-bounds memory access, allowing an attacker to potentially perform path traversal or access private temporary file content by creating symbolic links. This vulnerability allows a local attacker to...

3.7CVSS5.8AI score0.0037EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/17 1:55 p.m.5 views

Creation of Temporary File in Directory with Insecure Permissions

Overview @mariozechner/pi-coding-agent is a Coding agent CLI with read, bash, edit, write tools and session management Affected versions of this package are vulnerable to Creation of Temporary File in Directory with Insecure Permissions in the process handling temporary extension package installs...

7.3CVSS6.3AI score0.00115EPSS
Exploits0References2
IBM Security Bulletins
IBM Security Bulletins
added 2026/06/15 8:41 p.m.5 views

Security Bulletin: MongoDB Enterprised Advanced affected by: Improper Link Resolution Before File Access ('Link Following'), Use of Insufficiently Random Values, Insecure Temporary File (CVE-2026-40977, CVE-2026-40975, CVE-2026-40973)

Summary There are vulnerabilities in spring-boot-3.5.12.jar used in MongoDB Enterprised Advanced for IBM, involving CVE-2026-40977, CVE-2026-40975, CVE-2026-40973. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2026-40973 DESCRIPTION: A local attacker on the same host as...

8.2CVSS5.6AI score0.00312EPSS
Exploits0Affected Software1
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/13 3:3 a.m.16 views

Malicious code in vite-config-optimizer (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f824c077d7d2705d17dc29eba9a24ea8b51b93785bcf83fdfe639fc8f9bc581f package.json declares a postinstall hook node -e "require'./loader.js'" that auto-executes on every npm install. loader.js spawns a detached child No...

5.5AI score
Exploits0References1
Rows per page
Query Builder