192242 matches found
MAL-2026-2459 Malicious code in strapi-plugin-debug-tools (npm)
strapi-plugin-debug-tools is a malicious npm package disguised as a Strapi CMS plugin. On install, it runs a postinstall script that executes an 11-phase attack: stealing .env files, environment variables, Strapi configuration, private keys, Redis data, Docker/Kubernetes secrets, and network...
Malicious code in strapi-plugin-debug-tools (npm)
strapi-plugin-debug-tools is a malicious npm package disguised as a Strapi CMS plugin. On install, it runs a postinstall script that executes an 11-phase attack: stealing .env files, environment variables, Strapi configuration, private keys, Redis data, Docker/Kubernetes secrets, and network...
MAL-2026-2466 Malicious code in strapi-plugin-hextest (npm)
strapi-plugin-hextest is a malicious npm package disguised as a Strapi CMS plugin. On install, it runs a postinstall script that executes an 11-phase attack: stealing .env files, environment variables, Strapi configuration, private keys, Redis data, Docker/Kubernetes secrets, and network topology...
MAL-2026-2461 Malicious code in strapi-plugin-finseven (npm)
strapi-plugin-finseven is a malicious npm package disguised as a Strapi CMS plugin. On install, it runs a postinstall script that executes an 11-phase attack: stealing .env files, environment variables, Strapi configuration, private keys, Redis data, Docker/Kubernetes secrets, and network topolog...
MAL-2026-2471 Malicious code in strapi-plugin-nordica (npm)
strapi-plugin-nordica is a malicious npm package disguised as a Strapi CMS plugin. On install, it runs a postinstall script that executes an 11-phase attack: stealing .env files, environment variables, Strapi configuration, private keys, Redis data, Docker/Kubernetes secrets, and network topology...
Malicious code in strapi-plugin-api (npm)
strapi-plugin-api is a malicious npm package disguised as a Strapi CMS plugin. On install, it runs a postinstall script that executes an 11-phase attack: stealing .env files, environment variables, Strapi configuration, private keys, Redis data, Docker/Kubernetes secrets, and network topology. It...
Malicious code in strapi-plugin-form (npm)
strapi-plugin-form is a malicious npm package disguised as a Strapi CMS plugin. On install, it runs a postinstall script that executes an 11-phase attack: stealing .env files, environment variables, Strapi configuration, private keys, Redis data, Docker/Kubernetes secrets, and network topology. I...
Malicious code in strapi-plugin-seed (npm)
strapi-plugin-seed is a malicious npm package disguised as a Strapi CMS plugin. On install, it runs a postinstall script that executes an 11-phase attack: stealing .env files, environment variables, Strapi configuration, private keys, Redis data, Docker/Kubernetes secrets, and network topology. I...
Malicious code in strapi-plugin-health (npm)
strapi-plugin-health is a malicious npm package disguised as a Strapi CMS plugin. On install, it runs a postinstall script that executes an 11-phase attack: stealing .env files, environment variables, Strapi configuration, private keys, Redis data, Docker/Kubernetes secrets, and network topology...
CVE-2026-5473 NASA cFS Pickle pickle.load deserialization
A vulnerability has been found in NASA cFS up to 7.0.0. The impacted element is the function pickle.load of the component Pickle Module. Such manipulation leads to deserialization. The attack needs to be performed locally. The attack requires a high level of complexity. The exploitability is...
CVE-2026-5473
A vulnerability has been found in NASA cFS up to 7.0.0. The impacted element is the function pickle.load of the component Pickle Module. Such manipulation leads to deserialization. The attack needs to be performed locally. The attack requires a high level of complexity. The exploitability is...
CVE-2026-5473
CVE-2026-5473 affects NASA cFS (up to 7.0.0). The vulnerable element is the Pickle Module’s pickle.load, enabling deserialization. The attack is local, requires a high level of complexity, and exploitation is deemed difficult. Public disclosure exists, and the project was informed via an issue bu...
Malicious code in strapi-plugin-core (npm)
strapi-plugin-core is a malicious npm package disguised as a Strapi CMS plugin. On install, it runs a postinstall script that executes an 11-phase attack: stealing .env files, environment variables, Strapi configuration, private keys, Redis data, Docker/Kubernetes secrets, and network topology. I...
MAL-2026-2456 Malicious code in strapi-plugin-core (npm)
strapi-plugin-core is a malicious npm package disguised as a Strapi CMS plugin. On install, it runs a postinstall script that executes an 11-phase attack: stealing .env files, environment variables, Strapi configuration, private keys, Redis data, Docker/Kubernetes secrets, and network topology. I...
MAL-2026-2454 Malicious code in strapi-plugin-config (npm)
strapi-plugin-config is a malicious npm package disguised as a Strapi CMS plugin. On install, it runs a postinstall script that executes an 11-phase attack: stealing .env files, environment variables, Strapi configuration, private keys, Redis data, Docker/Kubernetes secrets, and network topology...
MAL-2026-2457 Malicious code in strapi-plugin-cron (npm)
strapi-plugin-cron is a malicious npm package disguised as a Strapi CMS plugin. On install, it runs a postinstall script that executes an 11-phase attack: stealing .env files, environment variables, Strapi configuration, private keys, Redis data, Docker/Kubernetes secrets, and network topology. I...
Malicious code in strapi-plugin-cron (npm)
strapi-plugin-cron is a malicious npm package disguised as a Strapi CMS plugin. On install, it runs a postinstall script that executes an 11-phase attack: stealing .env files, environment variables, Strapi configuration, private keys, Redis data, Docker/Kubernetes secrets, and network topology. I...
CVE-2026-5471
A vulnerability was detected in Investory Toy Planet Trouble App up to 1.5.5 on Android. Impacted is an unknown function of the file assets/google-services-desktop.json of the component app.investory.toyfactory. The manipulation of the argument currentkey results in use of hard-coded cryptographi...
Focalboard doesn't sanitize category IDs before incorporating them into dynamic SQL statements
UNSUPPORTED WHEN ASSIGNED Focalboard version 8.0 fails to sanitize category IDs before incorporating them into dynamic SQL statements when reordering categories. An attacker can inject a malicious SQL payload into the category id field, which is stored in the database and later executed unsanitiz...
CVE-2026-5470 mixelpixx Google-Research-MCP Model Context Protocol content-extractor.service.ts extractContent server-side request forgery
A security vulnerability has been detected in mixelpixx Google-Research-MCP 1e062d7bd887bfe5f6e582b6cc288bb897b35cf2/ca613b736ab787bc926932f59cddc69457185a83. This issue affects the function extractContent of the file src/services/content-extractor.service.ts of the component Model Context Protoc...