9934 matches found
CERTFR-2026-ACT-025
creationtimestamp| type| source ---|---|--- 2026-06-08 13:27:10+00:00| seen| https://bsky.app/profile/cert-fr.bsky.social/post/3mnrrvuu4na2y 2026-06-08 13:27:12+00:00| seen| https://social.numerique.gouv.fr/users/certfr/statuses/116714715813037267 2026-06-08 14:11:50+00:00| seen|...
Malicious code in consumerweb-authflow (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector acbd81f78a40f87b410799545f06c929bc7e7c3f552eeea06254416b3b9e0977 On npm install, the package's postinstall.js collects host identifiers via os.hostname, os.userInfo.username, os.platform, and the current working...
MAL-2026-5286 Malicious code in encrypted-archive (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c60d89261c09dc6eaea0a3af26af55519421cb927a1b8183009d09b2d4e99b94 On npm install, the package executes a preinstall hook package.json "preinstall": "node index.js || true" that runs index.js, which performs a DNS...
CVE-2026-5171
Improper access control in the entry activity log feature in Devolutions Server allows an authenticated user with access to an entry but without the required permission to retrieve that entry's activity logs via a crafted API request. This issue affects : Devolutions Server 2026.1.6.0 through...
CVE-2026-36341
Cross-Site Scripting XSS vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint...
CVE-2026-0094
In getApplicationLabel of KeyChainActivity.java, there is a possible way to trick the user into approving access to certificates due to misleading or insufficient UI. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed fo...
CVE-2026-0098
In getCallingPackageName of Shared.java, there is a possible way to bypass activity start restrictions due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...
CVE-2026-0099
In onNullBinding of HostEmulationManager.java, there is a possible way to launch an activity from the background due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation...
CVE-2026-21021
Improper input validation in Routines prior to SMR May-2026 Release 1 allows physical attackers to launch privileged activity...
CVE-2026-45435
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Melapress WP Activity Log allows DOM-Based XSS. This issue affects WP Activity Log: from n/a through 5.6.3...
CVE-2026-33657
EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have a stored HTML injection vulnerability that allows any authenticated user with standard non-administrative privileges to inject arbitrary HTML into system-generated email notifications by crafting...
CVE-2026-42673
Insertion of Sensitive Information Into Sent Data vulnerability in Logtivity Activity Logs Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity allows Retrieve Embedded Sensitive Data. This issue affects Activity Logs, User Activity Tracking, Multisite Activity Log from...
CVE-2026-21031
Improper authorization in AppBlock prior to SMR Jun-2026 Release 1 allows local attacker to launch arbitrary activity. User interaction is required for triggering this vulnerability...
CVE-2026-21037
Samsung Members (pre-5.8.01.5) is affected by improper input validation that enables local attackers to access an arbitrary URL and launch an arbitrary activity with Samsung Members privileges. The root cause is insufficient input validation within the app, leading to privilege escalation on the ...
EUVD-2026-34803
Improper authorization in AppBlock prior to SMR Jun-2026 Release 1 allows local attacker to launch arbitrary activity. User interaction is required for triggering this vulnerability...
CVE-2026-21031
Improper authorization in AppBlock prior to SMR Jun-2026 Release 1 allows local attacker to launch arbitrary activity. User interaction is required for triggering this vulnerability...
CVE-2026-21031
Improper authorization in AppBlock prior to SMR Jun-2026 Release 1 allows local attacker to launch arbitrary activity. User interaction is required for triggering this vulnerability...
PT-2026-46927
Name of the Vulnerable Software and Affected Versions Samsung Members versions prior to 5.8.01.5 Description Improper input validation allows local attackers to access arbitrary URLs and launch arbitrary activities using Samsung Members privileges. Recommendations Update to version 5.8.01.5 or...
PT-2026-46921
Improper authorization in AppBlock prior to SMR Jun-2026 Release 1 allows local attacker to launch arbitrary activity. User interaction is required for triggering this vulnerability...
Malicious code in cms-store-ren (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector da3593e36ce898d648883ea6f911a5cec1f75f9e8bda5585f7ff5f8754c821de The package's scripts.install runs install.js on every npm install. The script unconditionally POSTs the installer's hostname, OS, and architecture t...