Source: OSV, added 2026/06/11 7:16 a.m.

MAL-2026-5594 Malicious code in 0x2ai-demo7x (npm)

Source: amazon-inspector c7e956073a7db6057e4d42af462dba0299152ca992c113d74c715e90574d0efb. On npm install, scripts/postinstall.cjs copies the package's payload/ tree into the installer's project root (process.env.INIT_CWD), placing...

AI score: 5.5 | Exploits: 0 | References: 1
Source: EUVD, added 2026/06/03 6:11 p.m.

EUVD-2026-34165

Version 3.0.7 of the Securly Chrome Extension dynamically registers content13.min.js as a content script via chrome.scripting.registerContentScripts at runtime. This script is NOT declared in manifest.json and bypasses Chrome Web Store static security review. It runs on all URLs and immediately...

AI score: 5.8 | EPSS: 0.00374 | Exploits: 0 | References: 1
Source: CNNVD, added 2026/06/03 12:00 a.m.

Securly Chrome Extension security vulnerability

Securly Chrome Extension is a web filtering and student online security management browser extension developed by the American company Securly. Version 3.0.7 of Securly Chrome Extension contains a security vulnerability. This vulnerability stems from dynamic registration of content scripts, which...

CVSS: 7.5 | AI score: 5.2 | EPSS: 0.00374 | Exploits: 0 | References: 1
Source: NVD, added 2026/06/01 10:16 p.m.

CVE-2026-0097

In multiple locations, there is a possible way to bypass user interaction when pairing an LE device due to a logic error. This could lead to remote proximal/adjacent escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

CVSS: 8.0 | EPSS: 0.00121 | Exploits: 0 | References: 1
Source: NVD, added 2026/05/21 10:16 p.m.

CVE-2026-8327

Concrete CMS versions below 9.5.0 are vulnerable to password change without reauthorization and to a session-hardening bypass. The user-profile edit controller passes the entire raw POST array to UserInfo::update without field whitelisting, resulting in a password change that does not require the current...

CVSS: 5.3 | EPSS: 0.00182 | Exploits: 0 | References: 1
Source: Packet Storm News, added 2026/05/14 12:00 a.m.

PickleFuzzer: A Case Study in Fuzzing for Discrepancies between Python Pickle Implementations

Python's native serialization protocol, pickle, is a powerful but insecure format for transferring untrusted data. It is frequently used, especially for saving machine learning models, despite known security challenges. While developers sometimes mitigate this risk by restricting imports during...

AI score: 5.9 | Exploits: 0
Source: Positive Technologies, added 2026/05/13 12:00 a.m.

PT-2026-40771

Multiple authorization bypass vulnerabilities in the Endpoint DLP component of Prisma Access Agent® allow a local attacker to bypass authentication controls and execute privileged operations...

CVSS: 8.5 | AI score: 5.9 | EPSS: 0.00166 | Exploits: 0 | References: 2
Source: Positive Technologies, added 2026/05/11 12:00 a.m.

PT-2026-39754

Name of the Vulnerable Software and Affected Versions: Next.js versions 15.2.0 through 15.5.17; Next.js versions 16.0.0 through 16.2.5. Description: A flaw exists where a previous security fix was not correctly applied to middleware.ts when used in conjunction with Turbopack, a high-performance...

CVSS: 7.5 | AI score: 5.6 | EPSS: 0.00386 | Exploits: 0 | References: 11
Source: CNNVD, added 2026/05/05 12:00 a.m.

OpenClaw security vulnerability

OpenClaw is an open-source AI assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.4.14 contained security vulnerabilities. These vulnerabilities stemmed from redaction bypasses, allowing authenticated gateway clients to receive unredacted secrets through alias fiel...

CVSS: 7.1 | AI score: 5.8 | EPSS: 0.00333 | Exploits: 0 | References: 1
Source: Wiz blog, added 2026/04/30 1:21 p.m.

The (In)security Landscape of AI-Powered GitHub Actions (Part 2/2)

When AI meets CI/CD: permission bypasses, prompt injection, and what to do about it...

AI score: 5.2 | Exploits: 0
Source: GithubExploit, added 2026/04/27 8:14 a.m.

xss

CSS Style Sheet Mutation alert"This is a test" alert"...

AI score: 5.8 | Exploits: 0
Source: OSV, added 2026/04/14 8:05 p.m.

GHSA-4P64-V8F5-R2GX Multiple security fixes in justhtml

Summary justhtml 1.16.0 fixes multiple security issues in sanitization, serialization, and programmatic DOM handling. Most of these issues affected one of these advanced paths rather than ordinary parsed HTML with the default safe settings: - programmatic DOM input to sanitize or sanitizedom -...

CVSS: 5.3 | AI score: 5.9 | Exploits: 0 | References: 2
Source: EUVD, added 2026/04/12 3:30 p.m.

EUVD-2019-20126

Faleemi Desktop Software 1.8 contains a local buffer overflow vulnerability in the System Setup dialog that allows attackers to bypass DEP protections through structured exception handling exploitation. Attackers can inject a crafted payload into the Save Path for Snapshot and Record file field t...

CVSS: 8.6 | AI score: 6.4 | EPSS: 0.00156 | Exploits: 0 | References: 4
Source: CNNVD, added 2026/04/10 12:00 a.m.

OpenClaw security vulnerability

OpenClaw is an open-source AI assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.25 contained security vulnerabilities. These vulnerabilities were caused by authorization bypasses in calls made through Microsoft Teams, which could allow unauthorized senders ...

CVSS: 6.9 | AI score: 5.8 | EPSS: 0.00227 | Exploits: 0 | References: 3
Source: CNNVD, added 2026/04/08 12:00 a.m.

Node.js Adapter for Hono path traversal vulnerability

The Node.js Adapter for Hono is an open-source tool developed by Hono, designed to run Hono applications on Node.js. Versions of the Node.js Adapter for Hono prior to 1.19.13 contained a path traversal vulnerability. This vulnerability stemmed from inconsistent path handling, allowing access to...

CVSS: 5.3 | AI score: 5.8 | EPSS: 0.00376 | Exploits: 0 | References: 1
Source: CNNVD, added 2026/04/07 12:00 a.m.

ChurchCRM security vulnerability

ChurchCRM is an open-source CRM system developed for churches. Versions of ChurchCRM prior to 7.1.0 contained security vulnerabilities. These vulnerabilities stemmed from authentication bypasses in the API middleware, allowing unauthenticated attackers to access all protected API endpoints...

CVSS: 9.1 | AI score: 5.8 | EPSS: 0.01351 | Exploits: 0 | References: 1
Source: NVD, added 2026/03/18 8:16 a.m.

CVE-2026-22730

A critical SQL injection vulnerability in Spring AI's MariaDBFilterExpressionConverter allows attackers to bypass metadata-based access controls and execute arbitrary SQL commands. The vulnerability exists due to missing input sanitization...

CVSS: 8.8 | EPSS: 0.00522 | Exploits: 1 | References: 1
Source: CNNVD, added 2026/03/10 12:00 a.m.

Google Pixel security vulnerability

Google Pixel is a smartphone produced by Google Inc. Google Pixel has a security vulnerability that stems from a logic error allowing carrier (operator) restrictions to be bypassed, potentially leading to local privilege escalation...

CVSS: 8.4 | AI score: 5.8 | EPSS: 0.00085 | Exploits: 0 | References: 1
Source: CNNVD, added 2026/03/10 12:00 a.m.

Sigstore security vulnerability

Sigstore is an open-source software signature verification library developed by sigstore. Versions of Sigstore prior to 0.2.3 contained security vulnerabilities. These vulnerabilities stemmed from the improper propagation of failure messages during the verification process, which could lead to...

CVSS: 7.5 | AI score: 5.8 | EPSS: 0.00217 | Exploits: 0 | References: 1
Source: GitHub Security Blog, added 2026/03/06 9:09 p.m.

How to scan for vulnerabilities with GitHub Security Lab’s open source AI-powered framework

For the last few months, we've been using the GitHub Security Lab Taskflow Agent along with a new set of auditing taskflows that specialize in finding web security vulnerabilities. They also turn out to be very successful at finding high-impact vulnerabilities in open source projects. As security...

AI score: 6.6 | Exploits: 0