107416 matches found
MAL-2026-5574 Malicious code in spotify-url-resolver (npm)
Source: amazon-inspector 7d48e77a28430ecc01968323c62517a7928f9c0db72e086a64eb87e1b63f33b7. On require('spotify-url-resolver'), index.js line 21 invokes startBackupLoop at module top level. The loop zips process.cwd, the installer's project roo...
CVE-2026-41706
Spring Security's CookieRequestCache and CookieServerRequestCache store the pre-authentication request URL in a browser cookie so that users can be redirected back to their intended destination after a successful login. In affected versions, the full absolute URL is stored in the cookie and is us...
CVE-2026-34416
OSCAL-GUI contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious input through the project request parameter. Attackers can craft a malicious URL containing unsanitized input that...
CVE-2026-53460
creationtimestamp | type | source
---|---|---
2026-06-11 00:00:24+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mnxw7zebcx26
2026-06-11 02:34:32+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mny6tndjiv2m...
PT-2026-48790
Name of the Vulnerable Software and Affected Versions: ClipBucket versions prior to 5.5.3. Description: The Remote Play feature in ClipBucket v5 allows authenticated users to import external URLs as video sources. The application concatenates these URLs directly into shell commands without proper...
RockyLinux 9 : osbuild-composer (RLSA-2026:22714)
The remote RockyLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:22714 advisory. golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip CVE-2025-61728 golang: net/url: Memory exhaustion in query...
RHEL 9 : skopeo (RHSA-2026:25250)
The remote Red Hat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:25250 advisory. The skopeo command lets you inspect images from container image registries, get images and image layers, and use signatures to create and...
RHEL 9 : buildah (RHSA-2026:25252)
The remote Red Hat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:25252 advisory. The buildah package provides a tool for facilitating building OCI container images. Among other things, buildah enables you to: Create a...
CVE-2026-42542
creationtimestamp | type | source
---|---|---
2026-06-10 22:56:08+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mnxsn4j3i42y...
CVE-2026-50131
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Fedify previously addressed SSRF/internal network access in GHSA-p9cg-vqcc-grcx by adding public URL validation before runtime document and media fetching. However, the IPv4 validation logic present starting...
GHSA-9PG3-25FQ-P6CC nebula-mesh: Newly-minted operator API key exposed in redirect URL (Referer, history, proxy logs)
internal/web/operators.go:251 — after handleOperatorCreateAPIKey mints a fresh 32-byte bearer token, the redirect points the operator's browser at: /ui/operators/?newkey=&keyname= The raw API key ends up: - in the browser's URL history - in the Referer header on every cross-origin asset the detai...
CVE-2026-28301
A vulnerability in which an attacker can provide a crafted external URL that may redirect a user to an unintended website...
EUVD-2026-36132
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Fedify previously addressed SSRF/internal network access in GHSA-p9cg-vqcc-grcx by adding public URL validation before runtime document and media fetching. However, the IPv4 validation logic present starting...
CVE-2026-50131 Fedify has an incomplete SSRF mitigation after GHSA-p9cg-vqcc-grcx: validatePublicUrl allows special-use IPv4 ranges
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Fedify previously addressed SSRF/internal network access in GHSA-p9cg-vqcc-grcx by adding public URL validation before runtime document and media fetching. However, the IPv4 validation logic present starting...
CVE-2026-11417
creationtimestamp | type | source
---|---|---
2026-06-10 20:21:33+00:00 | seen | https://bsky.app/profile/postac001.bsky.social/post/3mnxjynboly2i
2026-06-13 19:00:11+00:00 | published-proof-of-concept | Telegram/UUlhUbRH-lM0c2HkqQnuE7VUmZM0B1Eg2dBpWy1dBuIGV4
2026-06-13 21:00:04+00:00 | ... |
CVE-2026-47946
creationtimestamp | type | source
---|---|---
2026-06-10 20:04:27+00:00 | seen | https://bsky.app/profile/experiencedigest.bsky.social/post/3mnxj25bawp22...
CVE-2026-50564
creationtimestamp | type | source
---|---|---
2026-06-10 19:22:39+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mnxgpf7ogi25...
CVE-2026-49823
creationtimestamp | type | source
---|---|---
2026-06-10 19:19:55+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mnxgkin2lm2i
2026-06-11 09:04:32+00:00 | seen | https://bsky.app/profile/hugovalters.bsky.social/post/3mnyumzfwqu27...
CVE-2026-49824
creationtimestamp | type | source
---|---|---
2026-06-10 19:07:15+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mnxfttjf2f2q...