192070 matches found
CVE-2026-41132
CKAN is an open-source DMS data management system for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5, the configured SMTP server may be spoofed with any certificate e.g. self-signed, leaving credentials and all emails sent open to MITM attacks. This vulnerability is fixed in...
CVE-2026-44351
fast-jwt provides fast JSON Web Token JWT implementation. Prior to 6.2.4, a critical authentication-bypass vulnerability in fast-jwt's async key-resolver flow allows any unauthenticated attacker to forge arbitrary JWTs that are accepted as authentic. When the application's key resolver returns an...
CVE-2026-8570
The CVE-2026-8570 entry concerns Google Chrome’s V8 engine. A Type Confusion in V8, affecting Chrome versions prior to 148.0.7778.168, could allow a remote attacker to read potentially sensitive data from process memory via a crafted HTML page. The description does not specify exact vulnerable bu...
EUVD-2026-30384
Inappropriate implementation in Downloads in Google Chrome on Mac prior to 148.0.7778.168 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. Chromium security severity: Medium...
CVE-2026-8560
CVE-2026-8560 describes a heap buffer overflow in SwiftShader used by Google Chrome on macOS and iOS, prior to Chrome 148.0.7778.168. The vulnerability allows a remote attacker to perform an out-of-bounds memory read via a crafted HTML page. Affected component: SwiftShader within Chrome; impact i...
CVE-2026-8519
Integer overflow in ANGLE in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. Chromium security severity: Critical...
CVE-2026-8516
Insufficient validation of untrusted input in DataTransfer in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to obtain potentially sensitive information from process memory via a crafted HTML page. Chromium security severity:...
CVE-2026-8517
Object lifecycle issue in WebShare in Google Chrome on Mac prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. Chromium security severity: Critical...
CVE-2026-8512
Use after free in FileSystem in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially perform a sandbox escape via a crafted HTML page. Chromium security severity: Critical...
Malicious code in sysbin (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8ab8ea4ce073a93a1973a062ac7661ceeaea9c312f9fd67e9acda9936e2b6578 Package metadata advertises sysbin as a 'System binary configuration tool' but the tarball ships pointer.py, a stealth overlay that runs automaticall...
MAL-2026-3773 Malicious code in sysbin (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8ab8ea4ce073a93a1973a062ac7661ceeaea9c312f9fd67e9acda9936e2b6578 Package metadata advertises sysbin as a 'System binary configuration tool' but the tarball ships pointer.py, a stealth overlay that runs automaticall...
Malicious code in tsliverhome (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0855b4d02a0d276e8a6cf97b7c62d457b8ef4d851e243d758c2308d451e0876e Package name 'tsliverhome' impersonates the widely-used 'tslib' package 300M weekly downloads. The shipped README.md is a verbatim copy of...
MAL-2026-3775 Malicious code in tsliverhome (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0855b4d02a0d276e8a6cf97b7c62d457b8ef4d851e243d758c2308d451e0876e Package name 'tsliverhome' impersonates the widely-used 'tslib' package 300M weekly downloads. The shipped README.md is a verbatim copy of...
Malicious code in request-logger-canary (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cf0d566d7abb400988aea74b00099a6db4c5ea928f32e7d44648193e21a36035 [email protected] ships a preinstall.js that, when npm install runs, opens a TCP socket to 52.74.242.200:8851 and pipes an interactive...
Malicious code in cache-poisoning-pwn-demo (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector dacd21af4f62dd3183bfc4126d1cbcf18600a1c72301b7ae8ca401ec7e44f94e The package's postinstall hook node -e "try require'./dist/postinstall.js'; catche " loads dist/postinstall.js, which bundles a poisoned is-number...
MAL-2026-3751 Malicious code in cache-poisoning-pwn-demo (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector dacd21af4f62dd3183bfc4126d1cbcf18600a1c72301b7ae8ca401ec7e44f94e The package's postinstall hook node -e "try require'./dist/postinstall.js'; catche " loads dist/postinstall.js, which bundles a poisoned is-number...
MAL-2026-3758 Malicious code in dotenvv-tool (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 79fd33c6e511ab11f10b1dae91e2f083f486dd020bbf2dca5256eabc904f61b7 Package name dotenvv-tool impersonates the popular dotenv package; index.js is an admitted dummy stub "The real payload is in postinstall.js". The...
CVE-2026-27886
Strapi is an open source headless content management system. Strapi versions starting in 4.0.0 and prior to 5.37.0 did not sufficiently sanitize query parameters when filtering content via relational fields. An unauthenticated attacker could use the where query parameter on any publicly-accessibl...
EUVD-2026-30363
Due to improper input handling under certain conditions, SAP NetWeaver Application Server ABAP allows an attacker to inject custom Cascading Style Sheets CSS data into a web page served by the application. When a user accesses or clicks the affected page, the injected CSS is executed. As a result...
CVE-2026-42897
Improper neutralization of input during web page generation 'cross-site scripting' in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network...