MAL-2026-4218 Malicious code in solidity-deploy-guard (npm)

A coordinated supply-chain attack comprising 10 npm packages published by maintainer ddjidd5640 [email protected] within a 48-hour window 2026-05-19T03:55Z – 2026-05-21T04:31Z. All packages masquerade as legitimate Web3/DeFi developer security tools MCP servers while silently exfiltrating...

CVE-2026-47373

Crypt::SaltedHash versions through 0.09 for Perl is susceptible to timing attacks. These versions use Perl's built-in eq comparison. Discrepencies in timing could be used to guess the underlying hash...

CVE-2026-47373

Crypt::SaltedHash versions through 0.09 for Perl is susceptible to timing attacks. These versions use Perl's built-in eq comparison. Discrepencies in timing could be used to guess the underlying hash...

UBUNTU-CVE-2026-47373

Crypt::SaltedHash versions through 0.09 for Perl is susceptible to timing attacks. These versions use Perl's built-in eq comparison. Discrepencies in timing could be used to guess the underlying hash...

CVE-2026-47373 Crypt::SaltedHash versions through 0.09 for Perl is susceptible to timing attacks

Crypt::SaltedHash versions through 0.09 for Perl is susceptible to timing attacks. These versions use Perl's built-in eq comparison. Discrepencies in timing could be used to guess the underlying hash...

EUVD-2026-31196

Crypt::SaltedHash versions through 0.09 for Perl is susceptible to timing attacks. These versions use Perl's built-in eq comparison. Discrepencies in timing could be used to guess the underlying hash...

CVE-2026-47373

Crypt::SaltedHash versions through 0.09 for Perl is susceptible to timing attacks. These versions use Perl's built-in eq comparison. Discrepencies in timing could be used to guess the underlying hash...

CVE-2026-47373

Crypt::SaltedHash versions through 0.09 for Perl is susceptible to timing attacks. These versions use Perl's built-in eq comparison. Discrepencies in timing could be used to guess the underlying hash...

CVE-2026-35015 Open ISES Tickets < 3.44.2 Reflected XSS via do_unit_mail.php the_ticket Parameter

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in dounitmail.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the theticket GET parameter directly into a JavaScript variable assignment. Attacker...

MAL-2026-4377 Malicious code in @ctrl/plex (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 20e1aad15739a79a359d88099a004fa395b66df8845c10823824e848f095c568 The @ctrl/ npm scope was compromised in the Shai-Hulud supply-chain incident September 2025. Versions of @ctrl/plex published during and after the...

CVE-2026-9121

Out of bounds read in GPU in Google Chrome on prior to 148.0.7778.179 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Chromium security severity: Medium...

USN-8287-1 xdg-desktop-portal vulnerability

It was discovered that XDG Desktop Portal incorrectly handled trashing files. A local attacker could possibly use this issue to delete arbitrary files on the host file system via a symlink attack...

Mini Shai Hulud: Compromised @antv npm packages enable CI/CD credential theft

In this article 1. Attack chain overview 1. Technical analysis 2. How GitHub took action to prevent further harm 2. Mitigation and protection guidance 1. Microsoft Defender XDR Detections 2. Microsoft Defender XDR Threat analytics 3. Advanced hunting 4. Indicators of Compromise IOC 3. References ...

Mini Shai Hulud: Compromised @antv npm packages enable CI/CD credential theft

In this article 1. Attack chain overview 1. Technical analysis 2. How GitHub took action to prevent further harm 2. Mitigation and protection guidance 1. Microsoft Defender XDR Detections 2. Microsoft Defender XDR Threat analytics 3. Advanced hunting 4. Indicators of Compromise IOC 3. References ...

MAL-2026-4771 Malicious code in strawberry-graphql (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8eb433a0339783d1a58993e1611278218492a4349a80801e6c6a2d475278a99c This package is published under the strawberry-graphql name but diverges from the legitimate upstream by declaring a hard runtime dependency on...

CVE-2026-4293

The affected Kieback & Peter DDC building controllers are vulnerable to cross-site scripting, enabling JavaScript to be executed by the victim's browser, which allows the attacker to control the browser...

CVE-2026-20199

CVE-2026-20199 affects Cisco ThousandEyes Virtual Appliance. The issue stems from insufficient validation in SSL certificate handling, allowing an authenticated, remote attacker (with valid admin credentials) to upload a crafted certificate and execute arbitrary code as root on the underlying OS....

Time-of-check Time-of-use (TOCTOU) Race Condition

Overview Affected versions of this package are vulnerable to Time-of-check Time-of-use TOCTOU Race Condition in the daemon file handling. An attacker can create or overwrite arbitrary files by replacing parent directory components with symbolic links during the window between validation and use...

Insecure Default Initialization of Resource

Overview thorsten/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to Insecure Default Initialization of Resource via the hasValidToken function. An attacker can gain unauthorized access to create and modify FAQ entries,...

Regular Expression Denial of Service (ReDoS)

Overview symfony/json-path is an Eases JSON navigation using the JSONPath syntax as described in RFC 9535 Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the match and search filter functions in the JsonPath component. An attacker can cause denia...