191996 matches found
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...
Embedded Malicious Code
Overview durabletask is an A Durable Task Client SDK for Python Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a malicious payload. A malicious actor linked to the @antv appears to have compromised the GitHub account associated with the package and dumpe...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...
Regular Expression Denial of Service (ReDoS)
Overview Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the matches, matchesFull, and replaceMatches functions in the FHIRPathEngine. An attacker can exhaust system resources and cause service disruption by submitting specially crafted regular...
CVE-2026-8741
A vulnerability has been found in EMQX up to 6.2.0. This affects an unknown function of the file apps/emqx/src/emqxpersistentsessionds.erl of the component QoS 2 PUBLISH Packet Handler. Such manipulation leads to race condition. The attack may be performed from remote. A high complexity level is...
CVE-2026-47092 Claude HUD 0.0.12 Arbitrary Command Execution via COMSPEC Environment Variable
Claude HUD through 0.0.12, patched in commit 234d9aa, contains a command injection vulnerability that allows local attackers to execute arbitrary commands by manipulating the COMSPEC environment variable. Attackers can set COMSPEC to an arbitrary binary path before claude-hud performs its version...
EUVD-2026-29634
Microsoft Security Advisory CVE-2026-35433 – .NET Elevation of Privilege Vulnerability...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the ExtractRelativeToDirectoryAsync path handling in src/libraries/System.Formats.Tar/src/System/Formats/Tar/TarEntry.cs. An attacker can create a tar archive that extracts a symbolic link whose target is a roote...
CVE-2026-8836
A vulnerability was found in lwIP up to 2.2.1. Affected is the function snmpparseinboundframe of the file src/apps/snmp/snmpmsg.c of the component snmpv3 USM Handler. Performing a manipulation of the argument msgAuthenticationParameters results in stack-based buffer overflow. The attack may be...
CVE-2026-45492
Improper input validation in Microsoft Edge Chromium-based allows an unauthorized attacker to bypass a security feature over a network...
CVE-2026-42822
Improper authentication in Azure Local Disconnected Operations allows an unauthorized attacker to elevate privileges over a network...
Broken dropper in @mistralai/mistralai, @mistralai/mistralai-azure, @mistralai/mistralai-gcp
Mistral npm @mistralai/mistralai, @mistralai/mistralai-azure, @mistralai/mistralai-gcp were compromised by a supply chain attack related to the TanStack security incident. An automated worm associated with the attack led to compromised npm package versions being published. Current investigation...
GHSA-JGG6-4RPR-WFH7 Broken dropper in @mistralai/mistralai, @mistralai/mistralai-azure, @mistralai/mistralai-gcp
Mistral npm @mistralai/mistralai, @mistralai/mistralai-azure, @mistralai/mistralai-gcp were compromised by a supply chain attack related to the TanStack security incident. An automated worm associated with the attack led to compromised npm package versions being published. Current investigation...
GHSA-65X3-RW7Q-GX94 multiparty vulnerable to ReDoS via filename parsing
Impact [email protected] and lower versions are vulnerable to denial of service via regular expression backtracking in the Content-Disposition filename parameter parser. A multipart upload with a long header value containing !filename="1 repeated can cause regex matching to take seconds, blocking...
Symlink Attack
Overview apm-cli is a MCP configuration tool Affected versions of this package are vulnerable to Symlink Attack during the integration when symbolic links under certain directories are dereferenced and their target file contents are copied into project deployment directories. An attacker can acce...
SUSE CVE-2026-6478
Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed...
erb: ERB: Arbitrary code execution via deserialization bypass
A flaw was found in ERB, a templating system for Ruby. An attacker who can trigger deserialization of untrusted data in a Ruby application can bypass existing protections. This vulnerability allows for arbitrary code execution by exploiting specific public methods that evaluate template source...
erb: ERB: Arbitrary code execution via deserialization bypass
A flaw was found in ERB, a templating system for Ruby. An attacker who can trigger deserialization of untrusted data in a Ruby application can bypass existing protections. This vulnerability allows for arbitrary code execution by exploiting specific public methods that evaluate template source...
c3p0: c3p0: Arbitrary Code Execution via deserialization of crafted objects
A flaw was found in c3p0, a Java Database Connectivity JDBC Connection pooling library. This vulnerability allows an attacker to achieve arbitrary code execution by providing maliciously crafted Java-serialized objects or javax.naming.Reference instances. By manipulating the userOverridesAsString...