CVE-2026-12958

CVE-2026-12958 affects Language Servers for AWS due to missing symlink validation, allowing arbitrary file write outside the workspace trust boundary when a user opens a workspace containing a crafted symlink. The issue is reported across multiple sources (CVE entry, NVD, and related databases). ...

CVE-2026-12957

CVE-2026-12957 affects Language Servers for AWS prior to version 1.65.0. The root cause is improper trust boundary enforcement, which can lead to arbitrary code execution if a local user opens a malicious workspace and commands within project configuration files are executed automatically when pr...

CVE-2026-12957 Arbitrary Code Execution in Language Servers for AWS

Improper trust boundary enforcement in Language Servers for AWS before version 1.65.0 on all supported platforms may allow a for arbitrary code execution. If a local user opens a maliciously crafted workspace, any commands within the project configuration files may be automatically executed. This...

EUVD-2026-38488

Improper trust boundary enforcement in Language Servers for AWS before version 1.65.0 on all supported platforms may allow a for arbitrary code execution. If a local user opens a maliciously crafted workspace, any commands within the project configuration files may be automatically executed. This...

CVE-2026-41178 vulnerabilities

Vulnerabilities for packages: art, docker-fips, eks-distro-fips, kgateway, neuvector-sigstore-interface-fips, terraform-provider-databricks, aws-iam-authenticator-fips, authentik, azurefile-csi, flux-notification-controller, argo-workflows-fips, consul-k8s, tempo, kubescape-operator-fips, dapr,...

WordPress 2kb Amazon Affiliates Store <2.1.1 - Cross-Site Scripting

WordPress 2kb Amazon Affiliates Store plugin before 2.1.1 contains multiple cross-site scripting vulnerabilities. The plugin allows an attacker to inject arbitrary web script or HTML via the 1 page parameter or 2 kbAction parameter in the kbAmz page to wp-admin/admin.php, thus making possible the...

WP-Lister Lite for Amazon <= 2.6.16 - Cross-Site Scripting

The WP-Lister Lite for Amazon plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 2.6.16 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages tha...

CVE-2026-54287

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on AWS Lambda, the ALB single-header response and the VPC Lattice v2 response join multiple Set-Cookie headers into one comma-separated value. Because commas also appear inside cookie attribute...

CVE-2026-54289

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on AWS Lambda@Edge, CloudFront delivers a request header that appears more than once as several separate entries. The adapter writes each value with Headers.set instead of Headers.append, so...

CVE-2026-54288

The CVE-2026-54288 issue affects the Hono Web framework prior to version 4.12.25, where the Body Limit Middleware trusts the request Content-Length header. On AWS Lambda environments (API Gateway v1/v2, ALB, VPC Lattice, and Lambda@Edge), the body is fully buffered and the adapter builds the requ...

CVE-2026-54288 Hono: Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length`

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, the Body Limit Middleware trusts the request's Content-Length header to decide whether a body is within the limit. On AWS Lambda API Gateway v1/v2, ALB, VPC Lattice, and Lambda@Edge the body is...

CVE-2026-54287

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on AWS Lambda, the ALB single-header response and the VPC Lattice v2 response join multiple Set-Cookie headers into one comma-separated value. Because commas also appear inside cookie attribute...

CVE-2026-54287 Hono: AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on ALB single-header and Lattice

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on AWS Lambda, the ALB single-header response and the VPC Lattice v2 response join multiple Set-Cookie headers into one comma-separated value. Because commas also appear inside cookie attribute...

WP AmASIN – The Amazon Affiliate Shop - Local File Inclusion

Absolute path traversal vulnerability in reviews.php in the WP AmASIN - The Amazon Affiliate Shop plugin 0.9.6 and earlier for WordPress allows remote attackers to read arbitrary files via a full pathname in the url parameter. id: CVE-2014-4577 info: name: WP AmASIN – The Amazon Affiliate Shop -...

Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys

Threat actors are exploiting a recently patched security flaw impacting Gravity SMTP, a WordPress plugin that's installed on about 100,000 sites. The vulnerability, tracked as CVE-2026-4020 CVSS score: 5.3, is a medium-severity information disclosure flaw that can allow unauthenticated attackers ...

PT-2026-50900

Name of the Vulnerable Software and Affected Versions containerd versions prior to 2.3.2 containerd versions prior to 2.2.5 containerd versions prior to 2.1.9 containerd versions prior to 2.0.10 containerd versions prior to 1.7.33 Description The CRI checkpoint import process fails to validate...

CVE-2026-12047 pgAdmin 4: HTML injection in cloud verify_credentials / deploy endpoints via unsanitised SDK exception text

HTML injection in pgAdmin 4's cloud deployment module. The verifycredentials, deploy, regions, and update-server endpoints under /rds/, /azure/, /google/, and the top-level /cloud/ blueprint propagated AWS / Azure / Google SDK exception text — and the related file-resolution and database-commit...

CVE-2025-10560 Hardcoded cloud credentials in Worksnaps client application binaries expose production cloud resources

Worksnaps before version 1.6.20260201 contains hardcoded cloud credentials and related secret material in the Worksnaps client application binaries. The exposed credentials included AWS access keys, S3 bucket names, and related cloud access information. The originally exposed AWS credentials...

CVE-2025-10560

The CVE-CWE entry documents a vulnerability in Worksnaps before version 1.6.20260201 where hardcoded cloud credentials and related secret material were embedded in Worksnaps client binaries. The exposed data included AWS access keys and S3 bucket information, and the credentials authenticated as ...

PT-2026-50648

Name of the Vulnerable Software and Affected Versions Worksnaps versions prior to 1.6.20260201 Description The Worksnaps client application binaries contain hardcoded cloud credentials and secret material. These exposed credentials include AWS access keys and S3 bucket names, which authenticated ...