2183 matches found
MAL-2026-10467 Malicious code in polymarket-stake-kelly-math (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 01715ebd11c8adf6ac26ce11bc5fc07e6cfb6775fa77dbe1ca022d0d6593b99c [email protected] ships a postinstall script scripts/install-check.cjs referenced by package.json's postinstall hook that on every np...
CVE-2026-57422
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in VillaTheme Bopo – WooCommerce Product Bundle Builder bopo-woo-product-bundle-builder allows Reflected XSS.This issue affects Bopo – WooCommerce Product Bundle Builder: from n/a through = 1.2.0...
Malicious code in @tailwind-ts/eslint-plugin (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e8feb6293e6f7cb00a6c6ab82e6d04f8eae29e846ae0abb8a1d65e2cdfbbc9c7 Package is published as an ESLint plugin for Tailwind CSS v4, but the shipped code implements unrelated Polymarket Kelly stake math and a postinstall...
MAL-2026-10431 Malicious code in @tailwind-ts/eslint-plugin (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e8feb6293e6f7cb00a6c6ab82e6d04f8eae29e846ae0abb8a1d65e2cdfbbc9c7 Package is published as an ESLint plugin for Tailwind CSS v4, but the shipped code implements unrelated Polymarket Kelly stake math and a postinstall...
CVE-2026-57422
CVE-2026-57422 concerns a Reflected Cross-Site Scripting (XSS) vulnerability in the WordPress plugin Bopo – WooCommerce Product Bundle Builder (bopo-woo-product-bundle-builder). The issue arises from improper input neutralization during web page generation, allowing an attacker to inject script v...
CVE-2026-57422 WordPress Bopo – WooCommerce Product Bundle Builder plugin <= 1.2.0 - Reflected Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in VillaTheme Bopo – WooCommerce Product Bundle Builder bopo-woo-product-bundle-builder allows Reflected XSS.This issue affects Bopo – WooCommerce Product Bundle Builder: from n/a through = 1.2.0...
PT-2026-57733
Name of the Vulnerable Software and Affected Versions VillaTheme Bopo – WooCommerce Product Bundle Builder versions prior to 1.2.1 Description Reflected Cross-site Scripting XSS occurs due to improper neutralization of input during web page generation. This allows an attacker to execute malicious...
CVE-2026-55780
NanaZip is the 7-Zip derivative intended for the modern Windows experience. Prior to 6.5.1749.0, NanaZip's .NET single-file bundle handler in NanaZip.Codecs.Archive.DotNetSingleFile.cpp sizes its extraction buffer from the bundle entry Size field, which is only checked for sign and is not validat...
CVE-2026-55780
NanaZip (7‑Zip derivative) prior to version 6.5.1749.0 is vulnerable due to its .NET single-file bundle handler in NanaZip.Codecs.Archive.DotNetSingleFile.cpp, which sizes the extraction buffer from the bundle entry Size field without validating against the real file size. This allows an attacker...
CVE-2026-55780 NanaZip: Uncaught exception / unbounded allocation in NanaZip .NET single-file Extract() via unvalidated entry Size
NanaZip is the 7-Zip derivative intended for the modern Windows experience. Prior to 6.5.1749.0, NanaZip's .NET single-file bundle handler in NanaZip.Codecs.Archive.DotNetSingleFile.cpp sizes its extraction buffer from the bundle entry Size field, which is only checked for sign and is not validat...
CVE-2026-56254
In @capgo/capacitor-updater Cap-go/capgo before 12.128.2, the end-to-end encryption scheme distributes the private key to each device that downloads the app. Because the public key can be derived from the private key, an attacker performing a man-in-the-middle attack or compromising the Capgo...
CVE-2026-55208
Pimcore Studio Backend Bundle is the backend bundle for Pimcore Studio. Prior to 2025.4.6 and 2026.1.6, an authenticated user can extract the admin password hash and other database content through time-based blind SQL injection in the DateFilter column key parameter. The POST...
WordPress Bopo – WooCommerce Product Bundle Builder plugin <= 1.2.0 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting XSS vulnerability discovered by dutafi in WordPress Plugin Bopo – WooCommerce Product Bundle Builder versions = 1.2.0...
CVE-2026-54406
creationtimestamp| type| source ---|---|--- 2026-07-08 11:01:21+00:00| seen| https://vulnerability.circl.lu/bundle/ebad18a5-251f-49a4-b877-c63995fd13a6 2026-07-09 20:37:06+00:00| seen| https://bsky.app/profile/cyberhub.blog/post/3mqaif74m6425...
GO-2026-5873 Rancher Fleet has SSRF in Bundle Reader via Unvalidated Helm Repository URL in fleet.yaml in github.com/rancher/fleet
Rancher Fleet has SSRF in Bundle Reader via Unvalidated Helm Repository URL in fleet.yaml in github.com/rancher/fleet...
CVE-2026-44936
CVE-2026-44936 describes an SSRF risk in SUSE Rancher Fleet’s bundle reader when the helmRepoURLRegex field is not set on a GitRepo. The vulnerability allows forwarding Helm authentication credentials (BasicAuth) to any URL specified in the fleet.yaml helm.repo field, potentially leaking admin cr...
CVE-2026-44936
Missing filtering when the helmRepoURLRegex field isn't set on a GitRepo resource in SUSE Rancher Fleet's bundle reader in 0.15 before 0.15.2, 0.14 before 0.14.6, 0.13 before 0.13.11 and 0.12 before 0.12.15 forwards Helm authentication credentials BasicAuth to any URL specified in the helm.repo...
CVE-2026-44936 Rancher Fleet SSRF in Bundle Reader via Unvalidated Helm Repository URL in fleet.yaml
Missing filtering when the helmRepoURLRegex field isn't set on a GitRepo resource in SUSE Rancher Fleet's bundle reader in 0.15 before 0.15.2, 0.14 before 0.14.6, 0.13 before 0.13.11 and 0.12 before 0.12.15 forwards Helm authentication credentials BasicAuth to any URL specified in the helm.repo...
GHSA-QH2F-99MV-MRCF OpenClaw: Bundle MCP loopback could miss its exec denylist on session spawn
Summary Bundle MCP loopback could miss its exec denylist on session spawn. In affected versions, a caller that can reach the affected bundled MCP session-spawn path could bypass the denylist that was intended for that loopback MCP entry point. This advisory is scoped to the named feature and...
GHSA-HX4V-CXPF-VH8M Rancher Fleet has SSRF in Bundle Reader via Unvalidated Helm Repository URL in fleet.yaml
Impact A vulnerability has been identified in Fleet when the helmRepoURLRegex field isn't set on a GitRepo resource. Fleet's bundle reader forwards Helm authentication credentials BasicAuth to any URL specified in the helm.repo field of a fleet.yaml file. An attacker with git push access to a...