1892 matches found
Deserialization of Untrusted Data
Overview langgraph-checkpoint is a library with base interfaces for LangGraph checkpoint savers. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the JsonPlusSerializer while reconstructing Python objects from JSON checkpoint payloads. An attacker can...
Improperly Implemented Security Check for Standard
Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Improperly Implemented Security Check for Standard in the Lambda@Edge adapter that truncates repeated request headers. An attacker can bypass access restrictions or affect auditing...
GHSA-WGPF-JWQJ-8H8P hono: Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest
Summary On AWS Lambda@Edge, CloudFront delivers a request header that appears more than once as several separate entries. The adapter writes each value with Headers.set instead of Headers.append, so every value overwrites the previous one and only the last reaches the application. Repeated reques...
CVE-2026-47261
Wasmtime is a runtime for WebAssembly. In versions prior to 24.0.9, 36.0.10, and 44.0.2, when a filesystem preopen is given DirPerms::all and FilePerms::READ without FilePerms::WRITE, this access control mechanism can be bypassed via the wasip2 descriptor.open-at or wasip1 pathopen interfaces by...
MAL-2026-5793 Malicious code in nativescript-swisspost-pcc-creative-editor (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a9c9ef8861d14485e696e98c66d95ee5c2a5a608b213841c9c18b254003ae049 Package masquerades as an internal Swiss Post NativeScript package name nativescript-swisspost-pcc-creative-editor, description literally Security Po...
CVE-2026-50101
Naxclow devices use a server-side, per-device relay credential that never rotates and is re-issued to the device on each boot. Because this credential remains valid indefinitely and cannot be reset or revoked by the legitimate owner, any party that obtains it through any exposure path can maintai...
EUVD-2026-36526
Naxclow devices use a server-side, per-device relay credential that never rotates and is re-issued to the device on each boot. Because this credential remains valid indefinitely and cannot be reset or revoked by the legitimate owner, any party that obtains it through any exposure path can maintai...
PT-2026-48957
Naxclow devices use a server-side, per-device relay credential that never rotates and is re-issued to the device on each boot. Because this credential remains valid indefinitely and cannot be reset or revoked by the legitimate owner, any party that obtains it through any exposure path can maintai...
Malicious code in ai-sdk-helpers (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 501daa3c8b2c9c2609dc60fd90ae59710a603ae56fa5dcc867d24913889c5413 [email protected] is a typosquat impersonating the Vercel AI SDK ecosystem homepage ai-sdk.guide, author 'AI SDK Guide '. On npm install,...
Malicious code in @bestlzk/sectest (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0cfce552ac72417ec7db2c48e0e13b1d060007167e82bd0f9b10799efe85e7f4 On npm install, postinstall.js collects platform, Node version, current working directory, and OS username, then POSTs them as JSON to...
PT-2026-48523
Name of the Vulnerable Software and Affected Versions FreeBSD affected versions not specified Description A privilege escalation flaw exists in the Linuxulator, a compatibility layer that allows Linux binaries to run on FreeBSD. A logic bug related to AT SECURE occurs during setuid execution...
MAL-2026-5477 Malicious code in mcp-server-figma (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 474223e0d5456564c1ae112031e3b8f276850a79f59cc93ed3a04805de291f20 Package squats the unscoped name mcp-server-figma, which AI coding agents and developers commonly invoke via npx mcp-server-figma expecting the...
Malicious code in tailwind-form (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 37a2959fd43465328b090afd0464e0e3de0e1677ecd2068d4ef05bdfe5867b79 tailwind-form is a typosquat of the legitimate @tailwindcss/forms plugin README and repository field are copied from tailwindlabs/tailwindcss-forms,...
FreeBSD Security Advisory - FreeBSD-SA-26:30.linux
FreeBSD Security Advisory - The Linuxulator determined whether a binary was set-user-ID or set-group-ID by checking the PSUGID process flag. During execve2, this flag is not yet set at the point where the auxiliary vector is constructed, so ATSECURE was incorrectly set to zero for set-user-ID and...
FreeBSD -- Flaw in Linuxulator execution of setugid binaries
Problem Description: The Linuxulator determined whether a binary was set-user-ID or set-group-ID by checking the PSUGID process flag. During execve2, this flag is not yet set at the point where the auxiliary vector is constructed, so ATSECURE was incorrectly set to zero for set-user-ID and...
CVE-2026-41159
A flaw was found in Mermaid, a JavaScript tool for creating diagrams and charts. A remote attacker could exploit this vulnerability by injecting malicious Cascading Style Sheets CSS through specific configuration options, such as fontFamily, themeCSS, and altFontFamily. This injected CSS can bypa...
CVE-2026-40296
PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The HTML writer skips htmlspecialchars escaping when a cell's formatted value differs from the original value. When a cell has a custom number format containing the text placeholder @ along with any additional literal...
CVE-2026-50207
The system Binder boundary accepts unverified pass-through AT commands, giving local applications the power to read baseband files or disable cellular connectivity...
CVE-2025-69755
An issue in Neterbit NW-431F Router vNW-431F-20241014-IR03 allows a remote attacker to obtain sensitive information and execute arbitrary code via a crafted command to the atcommand.asp interface...
EUVD-2026-34219
The system Binder boundary accepts unverified pass-through AT commands, giving local applications the power to read baseband files or disable cellular connectivity...