
OSSF Malicious Packages
added 2026/05/21 1:33 a.m.

Malicious code in @zentrix23/baileys (npm)

Source: amazon-inspector 00e60d3c1f2afd09e236dc4a5ae0cf2373029e6c62c4f7a9c571b13c2da01cd7. This package is a fork of @whiskeysockets/baileys with an undocumented modification: inside makeNewsletterSocket, called unconditionally by...

AI score: 5.8
Exploits: 0, References: 1
OSV
added 2026/05/20 12:27 p.m.

MAL-2026-4619 Malicious code in naileys (npm)

Source: amazon-inspector 53307e8df479525765ddef8cf9a54dcf0aa368b8ef57a088b624a5e80f72c999. naileys is a fork/lookalike of the WhatsApp library baileys (a single-character edit of the name); internal references still mention 'wileys', and...

AI score: 5.8
Exploits: 0, References: 1
CVE
added 2026/05/08 9:26 p.m.

CVE-2026-42205

CVE-2026-42205 (Avo) affects the Avo framework for Ruby on Rails. The issue resides in the ActionsController’s insecure action lookup, which can ignore resource context and let an authenticated user execute any action class (descendants of Avo::BaseAction) on any resource. This creates privilege ...

CVSS: 8.8, AI score: 5.7, EPSS: 0.00044
Exploits: 0, References: 2
UbuntuCve
added 2026/04/29 5:16 p.m.

CVE-2026-6915

An authorization flaw in the user management command could allow an authenticated user to make limited changes to authentication-related data associated with another user account. This could affect how authentication is performed for the impacted account...

CVSS: 6.3, AI score: 5.8, EPSS: 0.00072
Exploits: 0, References: 1
RubySec
added 2026/04/24 12:00 a.m.

Broken Access Control Through Unauthorized Execution of Arbitrary Action Classes Across Resources

Summary: A critical Broken Access Control vulnerability was identified in the ActionsController of the Avo framework v3.x. Due to insecure action lookup logic, an authenticated user can execute any Action class (descendants of Avo::BaseAction) on any resource, even if the action is not registered fo...

CVSS: 8.8, AI score: 5.9, EPSS: 0.00044
Exploits: 0, References: 1, Affected Software: 1
CVE
added 2026/03/20 11:25 p.m.

CVE-2026-3572

The CVE-2026-3572 entry concerns the iTracker360 WordPress plugin (versions up to 2.2.0). It describes a vulnerability where Cross-Site Request Forgery can lead to Stored Cross-Site Scripting via the itracker_license settings field. The root cause is missing nonce verification on settings form submis...

CVSS: 6.1, AI score: 5.9, EPSS: 0.00043
Exploits: 0, References: 7
Cvelist
added 2026/03/11 8:05 p.m.

CVE-2026-32102 OliveTin Unauthorized Action Output Disclosure via EventStream

OliveTin gives access to predefined shell commands from a web interface. In 3000.10.2 and earlier, OliveTin’s live EventStream broadcasts execution events and action output to authenticated dashboard subscribers without enforcing per-action authorization. A low-privileged authenticated user can...

CVSS: 7.1, EPSS: 0.00024
Exploits: 1, References: 1
RedhatCVE
added 2026/02/18 1:28 p.m.

CVE-2026-2608

The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.5.32. This makes it possible for authenticated attackers, with Contributor-level access...

CVSS: 4.3, AI score: 5.5, EPSS: 0.00037
Exploits: 0, References: 1
WPVulnDB
added 2025/12/19 12:00 a.m.

Avada <= 7.13.2 - Missing Authorization

Description: The Avada theme for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 7.13.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action...

CVSS: 8.8, AI score: 5, EPSS: 0.00038
Exploits: 0, References: 1
CNNVD
added 2025/12/17 12:00 a.m.

Mattermost security vulnerability

Mattermost is an open source collaboration platform from Mattermost, Inc. in the United States. Mattermost suffers from a security vulnerability that stems from a lack of CSRF protection on the Calls widget page, which could lead to an attacker initiating a call and injecting a message into a...

CVSS: 4.3, AI score: 6.4, EPSS: 0.00015
Exploits: 0, References: 1
CNNVD
added 2025/12/11 12:00 a.m.

GitLab Enterprise Edition (EE) and GitLab Community Edition (CE) cross-site scripting vulnerability

GitLab Enterprise Edition (EE) and GitLab Community Edition (CE) are both products of GitLab, Inc. GitLab Enterprise Edition is a content management system. A cross-site scripting vulnerability exists in GitLab Enterprise Edition EE and GitLab...

CVSS: 8.7, AI score: 7.1, EPSS: 0.00051
Exploits: 0, References: 4
EUVD
added 2025/12/02 6:30 a.m.

EUVD-2025-200190

The db-access WordPress plugin through 0.8.7 does not perform an authorization check in an AJAX action, allowing any authenticated user, such as a subscriber, to perform SQLi attacks...

CVSS: 7.7, AI score: 6.2, EPSS: 0.00054
Exploits: 1, References: 2
CNVD
added 2025/10/31 12:00 a.m.

Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 Cross-Site Request Forgery Vulnerabilities (CNVD-2025-29095)

The Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both networked access controllers from Azure Access Technology, USA. The Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 suffer from a cross-site request forgery vulnerability that is caused by imprope...

CVSS: 8.8, AI score: 6.7, EPSS: 0.00021
Exploits: 0, References: 1
EUVD
added 2025/10/07 12:30 a.m.

EUVD-2021-12251

Malware in sbrugna...

CVSS: 7.8, AI score: 7.7, EPSS: 0.00033
Exploits: 0, References: 3
EUVD
added 2025/10/07 12:30 a.m.

EUVD-2002-0045

Malware in sbrugna...

CVSS: 7.5, AI score: 6.4, EPSS: 0.03236
Exploits: 0, References: 11
EUVD
added 2025/10/03 8:07 p.m.

EUVD-2022-30455

Malicious code in bioql PyPI...

CVSS: 7.8, AI score: 7.7, EPSS: 0.00015
Exploits: 0, References: 1
EUVD
added 2025/10/03 8:07 p.m.

EUVD-2024-41739

Malicious code in bioql PyPI...

CVSS: 8.8, AI score: 8.6, EPSS: 0.0049
Exploits: 0, References: 1
Positive Technologies
added 2025/10/03 12:00 a.m.

PT-2025-40510

Name of the vulnerable software and affected versions: Optimize More! – CSS plugin for WordPress, versions up to and including 1.0.3. Description: The software is susceptible to a Cross-Site Request Forgery issue. This is caused by a lack of, or incorrect, nonce validation within the reset plugin...

CVSS: 4.3, AI score: 6.2, EPSS: 0.00013
Exploits: 0, References: 4
RedhatCVE
added 2025/07/26 9:35 a.m.

CVE-2025-7690

The Affiliate Plus plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.2. This is due to missing or incorrect nonce validation on the 'affiplussettings' page. This makes it possible for unauthenticated attackers to perform an unauthorized...

CVSS: 6.1, AI score: 6.8, EPSS: 0.00051
Exploits: 0, References: 1
Cvelist
added 2025/07/24 9:22 a.m.

CVE-2025-7690 Affiliate Plus <= 1.3.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

The Affiliate Plus plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.2. This is due to missing or incorrect nonce validation on the 'affiplussettings' page. This makes it possible for unauthenticated attackers to perform an unauthorized...

CVSS: 6.1, EPSS: 0.00051
Exploits: 0, References: 4