192 matches found
Malicious code in date-fns-lite (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4694a079d83e33dcee7f87140c41737009d9f0b19f351c23f2ae3dbce9a47a51 [email protected] presents as a lightweight date-formatting utility but ships a malicious postinstall.js that runs automatically on npm install. T...
CVE-2026-45405
Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:from-archive and certs:add commands extract user-supplied tar/zip archives into temporary directories without sanitizing member paths or preventing symlink traversal. GNU tar creates symlinks during extraction and follows them for subsequen...
SUSE-SU-2026:2515-1 Security update for openssh, openssh-askpass-gnome
This update for openssh, openssh-askpass-gnome fixes the following issues - CVE-2026-35385: a file downloaded by scp may be installed setuid or setgid bsc1261427. - CVE-2026-35414: mishandling of authorizedkeys principals option bsc1261430...
Malicious code in internallib_v984 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3c46879ad94169111411f91b210779628bb14a5d16843ec2bec42bf418affdf8 Package exports a single command function that, when invoked, performs three coordinated attacks against the host: 1 appends a hardcoded...
MAL-2026-5643 Malicious code in parket-slot (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6dc700128da5b494d5325086ec183ce7c746d44d88dc7f609bfb9f2eab9fa072 On npm install, the package's postinstall script node test.js auto-executes a multi-stage attack against the installer's machine. It recursively scan...
CVE-2026-41236
Froxlor is open source server administration software. Version 2.3.6 contains a symlink-following flaw in the root-owned SSH key synchronization path used for customer FTP users. The provisioning code appends public keys to /.ssh/authorizedkeys under a customer-controlled home directory without...
CVE-2026-41236 Froxlor has privilege escalation in SSH key synchronization via symlinked `authorized_keys` path
Froxlor is open source server administration software. Version 2.3.6 contains a symlink-following flaw in the root-owned SSH key synchronization path used for customer FTP users. The provisioning code appends public keys to /.ssh/authorizedkeys under a customer-controlled home directory without...
OpenSSH: OpenSSH: Security bypass via mishandling of authorized_keys principals option
A flaw was found in OpenSSH. This vulnerability arises from the incorrect handling of the authorizedkeys principals option in uncommon scenarios. Specifically, when a principals list is used with a Certificate Authority that includes comma characters, OpenSSH may misinterpret the input. This coul...
OpenSSH: OpenSSH: Security bypass via mishandling of authorized_keys principals option
A flaw was found in OpenSSH. This vulnerability arises from the incorrect handling of the authorizedkeys principals option in uncommon scenarios. Specifically, when a principals list is used with a Certificate Authority that includes comma characters, OpenSSH may misinterpret the input. This coul...
RLSA-2026:19069 Important: openssh security update
OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. Security Fixes: OpenSSH: OpenSSH: Privilege escalation via scp legacy protocol when not preserving file mode...
SUSE-SU-2026:21875-1 Security update for openssh
This update for openssh fixes the following issues - CVE-2026-35385: a file downloaded by scp may be installed setuid or setgid bsc1261427. - CVE-2026-35414: mishandling of authorizedkeys principals option bsc1261430. Changes for openssh: - Fix a potential issue when validating mac bsc1264568:...
Amazon Linux 2 : openssh, --advisory ALAS2-2026-3320 (ALAS-2026-3320)
The version of openssh installed on the remote host is prior to 7.4p1-22. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3320 advisory. OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions. CVE-2026-35388 OpenS...
Astra Linux – Vulnerability in python-pip
The pip package before version 19.2 for Python allows Directory Traversal when a URL is provided in an install command. This is possible because the Content-Disposition header can contain "../ in the filename, as demonstrated by overwriting the /root/.ssh/authorizedkeys file. This behavior occurs...
Astra Linux – Vulnerability in rsync
A vulnerability was discovered in rsync prior to version 3.2.5. This vulnerability allows malicious remote servers to write arbitrary files into the directories of connecting peers. The server determines which files/directories are sent to the client. However, the rsync client lacks sufficient...
ALSA-2026:19069 Important: openssh security update
OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. Security Fixes: OpenSSH: OpenSSH: Privilege escalation via scp legacy protocol when not preserving file mode...
SUSE SLED15 / SLES15 Security Update : openssh (SUSE-SU-2026:1876-1)
The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1876-1 advisory. This update for openssh fixes the following issues - CVE-2026-35385: a file downloaded by scp may be installed...
SUSE-SU-2026:1876-1 Security update for openssh
This update for openssh fixes the following issues - CVE-2026-35385: a file downloaded by scp may be installed setuid or setgid bsc1261427. - CVE-2026-35414: mishandling of authorizedkeys principals option bsc1261430...
OPENSUSE-SU-2026:20757-1 Security update for openssh
This update for openssh fixes the following issues Security issues fixed: - CVE-2026-35385: a file downloaded by scp may be installed setuid or setgid bsc1261427. - CVE-2026-35414: mishandling of authorizedkeys principals option bsc1261430. Other issues fixed: - SSH port not reachable on...
SUSE-SU-2026:21634-1 Security update for openssh
This update for openssh fixes the following issues - CVE-2026-35385: a file downloaded by scp may be installed setuid or setgid bsc1261427. - CVE-2026-35414: mishandling of authorizedkeys principals option bsc1261430...
CVE-2026-41489
Pi-hole (6.0 through before Core 6.4.2 and FTL 6.6.1) is vulnerable because two systemd-executed root scripts (pihole-FTL-prestart.sh and pihole-FTL-poststop.sh) read the files.pid path from a config without validation and perform privileged file operations using that path. An attacker with pihol...