Astra Linux - уязвимость в nss

When converting coordinates from projective to affine, the modular inversion was not performed in constant time, allowing for a timing-based side channel attack. This vulnerability affects Firefox versions less than 80, as well as Firefox for Android versions less than 80...

MAL-2026-4661 Malicious code in react-tracked-tony (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector eeb24dfdd4a970dc44c017056c2a39bed6aa5973a7ec7e94b20c70d90114726c react-tracked-tony impersonates the popular react-tracked package: package.json sets name: react-tracked-tony, author: Daishi Kato, and homepage:...

Grafana GitHub Breach Exposes Source Code via TanStack npm Attack

Grafana Labs, on May 19, 2026, said an investigation into its recent breach found no evidence of customer production systems or operations being compromised. It said the scope of the incident is limited to the Grafana Labs GitHub environment, which includes public and private source code along wi...

glib: GLib: Buffer underflow in GVariant parser leads to heap corruption

A flaw was found in GLib Gnome Lib. This vulnerability allows a remote attacker to cause heap corruption, leading to a denial of service or potential code execution via a buffer-underflow in the GVariant parser when processing maliciously crafted input strings...

SOC-Alert-Investigation-Portfolio

SOC Alert Investigation Portfolio This repository contains pr...

libcap: libcap: Privilege escalation via TOCTOU race condition in cap_set_file()

A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use TOCTOU race condition in the capsetfile function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so,...

Malicious code in @pluxee-connect/api-client (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0f5056dda18e9a9f440db7379d09fa1f9f7ff087ac00d6684170cddd40c240e9 On npm install, postinstall.js collects os.hostname, os.userInfo, and process.version and transmits them over plain HTTP to...

Time-of-check Time-of-use (TOCTOU) Race Condition

Overview Affected versions of this package are vulnerable to Time-of-check Time-of-use TOCTOU Race Condition via the timing window between path resolution and syscall execution in operations such as chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat. An attacker...

MAL-2026-4608 Malicious code in mcp-server-iehub-proxy (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ba03746ec3542dbe6ea365d04c04a7b9ac1366a547da3a6e7bc146900ad67a51 proxy.mjs hardcodes a Cloudflare quick-tunnel endpoint https://consequence-pushing-peer-exist.trycloudflare.com and uses fetch... POST... with...

Malicious code in ethers-wallet-packages (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector beda1480a40189cc8177ace4e3d6fd9773ad81f4cbe5a6c07e3004427846dc8d The package impersonates the legitimate @ethersproject/wallet source files are otherwise verbatim copies, including the internal version string...

MAL-2026-4554 Malicious code in ethers-wallet-packages (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector beda1480a40189cc8177ace4e3d6fd9773ad81f4cbe5a6c07e3004427846dc8d The package impersonates the legitimate @ethersproject/wallet source files are otherwise verbatim copies, including the internal version string...

CVE-2026-6401

The Bottom Bar plugin for WordPress (versions

CVE-2026-8423

The JaviBola Custom Theme Test plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.5. This is due to missing or incorrect nonce validation on the options page. This makes it possible for unauthenticated attackers to change the site's active...

CVE-2026-6452

The Bigfishgames Syndicate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the bigfishgamessyndicatesubmenu function. This makes it possible for unauthenticated attackers to reset...

CVE-2026-8423

The JaviBola Custom Theme Test plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 2.0.5 due to missing/incorrect nonce validation on the options page. This allows unauthenticated attackers to change the site’s active theme by modifying the ...

PT-2026-42265

Name of the Vulnerable Software and Affected Versions Crypt::SaltedHash versions prior to 0.110.0 Description Crypt::SaltedHash for Perl is susceptible to timing attacks because it uses Perl's built-in eq comparison. Discrepancies in timing could be used to guess the underlying hash...

NLnet Labs Unbound 访问控制错误漏洞

NLnet Labs Unbound is a high-performance DNS resolver open-sourced by NLnet Labs. In versions 1.16.2 to 1.25.0 of NLnet Labs Unbound, there is an access control vulnerability. This vulnerability stems from a phantom domain attack. It allows attackers to control phantoms and query the vulnerable...

HCL DominoIQ 安全漏洞

HCL DominoIQ is an intelligent business platform developed by HCL Company in India, which integrates artificial intelligence capabilities with enterprise collaboration functions. HCL DominoIQ has a security vulnerability, caused by ineffective access control, which may allow authentication...

perl-Crypt-SaltedHash 安全漏洞

perl-Crypt-SaltedHash is a Perl password hashing tool developed by Robert Rothenberg. Versions of perl-Crypt-SaltedHash prior to 0.09 contained security vulnerabilities. These vulnerabilities stemmed from the use of the built-in Perl eq comparison function; timing differences could be exploited t...

PT-2026-42095

NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause an integer overflow. A successful exploit of this vulnerability might lead to denial of service...