99 matches found

OSSF Malicious Packages
added 2026/05/26 6:23 a.m., 12 views

Malicious code in reasonix-plugmem (npm)

Source: amazon-inspector 1f1f950e58a5bfe1df7c6507fe6ae8edd75ececaca6456efe57e24ab143cf7f7 On startup, plugmemmcp.mjs writes /.reasonix/settings.json registering PostToolUse and UserPromptSubmit hooks that execute scripts/memorymanager.py...

5.8 AI score
Exploits: 0, References: 1
NVD
added 2026/05/19 6:16 p.m., 11 views

CVE-2025-61081

Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: none. Reason: This record was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none...

0.00029 EPSS
Exploits: 0
Positive Technologies
added 2026/05/19 12:0 a.m., 8 views

PT-2026-41983

Name of the Vulnerable Software and Affected Versions: BYD Atto3 (affected versions not specified). Description: An attacker can obtain a permanently available authentication key through a brute-force attack. This key allows unauthorized flashing of the Electronic Parking Brake (EPB) and Supplemental...

7.5 CVSS, 5.8 AI score, 0.00029 EPSS
Exploits: 0, References: 4
NVD
added 2026/05/14 8:17 p.m., 5 views

CVE-2026-8596

Cleartext storage of sensitive information in the ModelBuilder/Serve component in Amazon SageMaker Python SDK before v2.257.2 and v3 before v3.8.0 might allow a remote authenticated actor to extract the HMAC signing key from SageMaker API responses and forge valid integrity signatures for special...

8.5 CVSS, 0.00055 EPSS
Exploits: 0, References: 4
ATTACKERKB
added 2026/05/13 9:6 p.m., 4 views

CVE-2026-44426

ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/namespaces/:tenant returns the full namespace object — including the members list user IDs, e-mails, roles, settings, and device counts — to any caller authenticated by an API Key, for any tenant, regardless of the API Key's own...

6.5 CVSS, 5.8 AI score, 0.0004 EPSS
Exploits: 1, References: 2, Affected Software: 1
CVE
added 2026/05/04 6:26 p.m., 16 views

CVE-2026-42227

The CVE affects n8n (open source workflow automation) prior to versions 1.123.32, 2.17.4, and 2.18.1. An authenticated user with a valid API key scoped to variable:list could read variables from projects they are not a member of by supplying a projectId to the public API variables endpoint. The h...

6.5 CVSS, 5.8 AI score, 0.00038 EPSS
Exploits: 0, References: 1, Affected Software: 1
AstraLinux
added 2026/05/20 5:53 a.m., 6 views

Astra Linux - vulnerability in linux-5.10, linux

In the Linux kernel, the following vulnerability has been resolved: sctp: Handle the error returned from sctp_auth_asoc_init_active_key. When an error is returned from sctp_auth_asoc_init_active_key, the active_key is not actually updated. The old shkey remains freed while it’s still being used as the activ...

7.8 CVSS, 5.8 AI score, 0.00022 EPSS
Exploits: 0, References: 1
AstraLinux
added 2026/05/20 5:53 a.m., 7 views

Astra Linux - vulnerability in golang-go.crypto

Applications and libraries that misuse the connection.serverAuthenticate function via the ServerConfig.PublicKeyCallback callback field may be susceptible to authorization bypasses. The documentation for ServerConfig.PublicKeyCallback states that “Calling this function does not guarantee that the...

9.1 CVSS, 6.7 AI score, 0.3863 EPSS
Exploits: 2, References: 2
AstraLinux
added 2026/05/20 5:53 a.m., 2 views

Astra Linux - vulnerability in linux-5.10

In the Linux kernel, the following vulnerability has been resolved: nvmet: fixed a memory leak in nvmet_auth_set_key. When changing dhchap secrets, we also need to release the old secrets. kmemleak complaint: -- Unreferenced object 0xffff8c7f44ed8180 size 64: Comm “check”, pid 7304, jiffies 429568613...

5.5 CVSS, 6 AI score, 0.00145 EPSS
Exploits: 0, References: 2
AstraLinux
added 2026/05/20 5:53 a.m., 1 views

Astra Linux - vulnerability in linux-5.10, linux-5.15, linux-6.1

In the Linux kernel, the following vulnerability has been resolved: net/sctp: A null dereference in the sctp_disposition sctp_sf_do_5_1D_ce function has been fixed. If new_asoc->peer.adaptation_ind=0, sctp_ulpevent_make_authkey=0, and sctp_ulpevent_make_authkey returns 0, then the variable ai_ev remains zero, an...

5.2 AI score, 0.00066 EPSS
Exploits: 0, References: 2
Tenable Nessus
added 2026/04/22 12:0 a.m., 2 views

openSUSE 16 Security Update : bind (openSUSE-SU-2026:20550-1)

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20550-1 advisory. - Update to release 9.20.21 - CVE-2026-1519: maliciously crafted DNSSEC-validated zone can lead to denial of service bsc1260805. - CVE-2026-3104...

7.5 CVSS, 7.5 AI score, 0.00061 EPSS
Exploits: 0, References: 13
Tenable Nessus
added 2026/04/17 12:0 a.m., 2 views

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007591)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007591 advisory. In the Linux kernel, the following vulnerability has been resolved: net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce. If new_asoc->peer.adaptation_ind=0...

5.6 AI score, 0.00066 EPSS
Exploits: 0, References: 4
RedhatCVE
added 2026/03/26 3:15 p.m., 1 views

CVE-2026-4218

A vulnerability was detected in myAEDES App up to 1.18.4 on Android. Affected is an unknown function of the file aedes/me/beta/utils/EngageBayUtils.java of the component aedes.me.beta. Performing a manipulation of the argument AUTHKEY results in information disclosure. The attack is only possible...

2.5 CVSS, 5 AI score, 0.00005 EPSS
Exploits: 0, References: 1
CVE
added 2026/03/20 6:53 a.m., 9 views

CVE-2026-33053

Langflow contains an IDOR vulnerability in API key deletion. Versions prior to 1.9.0 allow delete_api_key_route to delete an API key by id with only a generic authentication check, and delete_api_key() does not verify that the key belongs to the currently authenticated user. This enables an authe...

8.8 CVSS, 5.8 AI score, 0.00057 EPSS
Exploits: 0, References: 1, Affected Software: 1
EUVD
added 2026/03/16 3:30 p.m., 3 views

EUVD-2026-12339

A vulnerability was detected in myAEDES App up to 1.18.4 on Android. Affected is an unknown function of the file aedes/me/beta/utils/EngageBayUtils.java of the component aedes.me.beta. Performing a manipulation of the argument AUTHKEY results in information disclosure. The attack is only possible...

2.5 CVSS, 5 AI score, 0.00005 EPSS
Exploits: 0, References: 5
CVE
added 2026/03/16 5:32 a.m., 8 views

CVE-2026-4218

CVE-2026-4218 affects the Android-based myAEDES App up to version 1.18.4. The vulnerability concerns an unknown function in the file aedes/me/beta/utils/EngageBayUtils.java of the component aedes.me.beta. By manipulating the argument AUTH_KEY, an information disclosure can occur. The attack req...

2.5 CVSS, 5 AI score, 0.00005 EPSS
Exploits: 0, References: 4
CNNVD
added 2026/03/16 12:0 a.m., 2 views

myAEDES access control error vulnerability

myAEDES is a platform for building and project management services provided by myAEDES Corporation in the United States. Versions of myAEDES prior to 1.18.4 contained an access control vulnerability. This vulnerability stemmed from the handling of the AUTHKEY parameter in the file...

2.5 CVSS, 5.7 AI score, 0.00005 EPSS
Exploits: 0, References: 4
ATTACKERKB
added 2026/03/13 1:18 a.m., 0 views

CVE-2026-22202

wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability that allows attackers to delete all comments associated with an email address by crafting a malicious GET request with a valid HMAC key. Attackers can embed the deletecomments action URL in image tags or other resources to...

8.1 CVSS, 5.7 AI score, 0.00026 EPSS
Exploits: 0, References: 4
Vulnrichment
added 2026/03/13 1:18 a.m., 1 views

CVE-2026-22202 wpDiscuz before 7.6.47 - Destructive GET Action Deletes All Comments by Email

wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability that allows attackers to delete all comments associated with an email address by crafting a malicious GET request with a valid HMAC key. Attackers can embed the deletecomments action URL in image tags or other resources to...

8.1 CVSS, 5.7 AI score, 0.00026 EPSS
Exploits: 0, References: 3
NVD
added 2026/02/14 3:16 p.m., 3 views

CVE-2026-23125

In the Linux kernel, the following vulnerability has been resolved: sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT. A null-ptr-deref was reported in the SCTP transmit path when SCTP-AUTH key initialization fails: ================================================================== KASAN:...

5.5 CVSS, 0.00016 EPSS
Exploits: 0, References: 7