247 matches found
Sparkle: Binary delta apply intermediate-symlink traversal in malicious .delta
Summary Binary delta apply intermediate-symlink traversal in malicious .delta Autoupdate/SUBinaryDeltaApply.m enforces relativePath.pathComponents containsObject:@".." and rejects writes whose immediate parent directory IS itself a symbolic link, but does not detect symlinks deeper in the relativ...
PT-2026-45019
Summary Binary delta apply intermediate-symlink traversal in malicious .delta Autoupdate/SUBinaryDeltaApply.m enforces relativePath.pathComponents containsObject:@".." and rejects writes whose immediate parent directory IS itself a symbolic link, but does not detect symlinks deeper in the relativ...
BIT-JOOMLA-2026-23898 Joomla! Core - [20260305] - Arbitrary file deletion in com_joomlaupdate
Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism...
CVE-2026-23898
Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism...
EUVD-2026-17861
Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism...
CVE-2026-23898
Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism...
CVE-2026-23898 Joomla! Core - [20260305] - Arbitrary file deletion in com_joomlaupdate
Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism...
CVE-2026-23898
Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism...
CVE-2026-23898 Joomla! Core - [20260305] - Arbitrary file deletion in com_joomlaupdate
Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism...
CVE-2026-23898
Joomla! Core (com_joomlaupdate) is affected by an arbitrary file deletion vulnerability due to lack of input validation in the autoupdate server mechanism. The issue is documented across multiple sources (e.g., CVE-2026-23898, JOOMLA-1031, BIT-JOOMLA-2026-23898) and is tied to Joomla core updates...
PT-2026-29505
Name of the Vulnerable Software and Affected Versions Joomla! versions prior to v2.18.0 Description A lack of input validation in the autoupdate server mechanism allows for arbitrary file deletion. Attackers can bypass input validation by supplying crafted file paths, potentially leading to the...
Improper Certificate Validation
org.codehaus.mevenide, netbeans is vulnerable to improper certificate validation. The vulnerability is due to the autoupdate system failing to validate SSL certificates and hostnames for HTTPS-based downloads, which allows an attacker to intercept and modify autoupdate packages and potentially...
MAL-2025-186869 Malicious code in europa-loglevel-levels-async (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector adb23e5f025e22619db0589bfdd3e0f01870534acb40e91b70a63bd6a2c90f08 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-184279 Malicious code in modiov-kian-avcaf (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1e7dcae918ceedd2393d86597d1eb7b34c627b289e772658069e48ef97cfcbb8 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in butry-mutyu-waegressur (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 641476f82799aaf1d10a93d30259c24d0eb40b69a6b28e8852ddb32c79b70539 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in polymera-anasri (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0f230159a904a5c9908a33653eb5fcac3db22e5e68e2dab9e6c619b76fbc1ed4 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in miands-minst-vusd (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1e8087075390bedbee654c5121f2239308b4224955df98289952446bc4cd5469 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-164438 Malicious code in polymedr-minus-buipenaj (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8c7a77584754b0df1ed6551c159747189fd0a72a1576f7ad5d9fc8b69b263677 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-157490 Malicious code in kentung-11 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 68e7d0030aea96a4bf934407d3cc7b11e6b90856b7ba8024bcc01c7f6fac0db0 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-169856 Malicious code in uinsu-lista-atumuna (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 65d81262425c8d0bcc29d338485b467d50f576bee587f1f169034afe4849c962 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...