Github Security Blog, added yesterday, 7 views

File Browser has a Command Execution Allowlist Bypass via Shell Metacharacter Injection

NOTE: This feature has been disabled by default for all installations from v2.33.8 onwards, including for existing installations. To exploit this vulnerability, the instance administrator must turn on a feature and ignore all the warnings about known vulnerabilities. We're publishing this new...

AI score 6, EPSS 0.00023
Exploits 0, References 3, Affected Software 1
GithubExploit, added yesterday, 11 views

Exploit for Missing Authentication for Critical Function in Erlang Erlang/Otp

Information Security Fundamentals — Spring 2026 Project Tot...

CVSS 10, AI score 6.4, EPSS 0.62606
Exploits 36
GithubExploit, added yesterday, 9 views

webstrike-framework

WebStrike — Automated Web Pentesting Framework Created by...

AI score 5.6
Exploits 0
NVD, added yesterday, 2 views

CVE-2026-54361

MISP contained multiple mass assignment vulnerabilities in the handling of collections, tag collections, event delegations, and shadow attributes. Several controller actions accepted user-supplied fields that should have remained server-controlled, including record identifiers and ownership-relat...

CVSS 8.8
Exploits 0, References 1
NVD, added yesterday, 3 views

CVE-2026-42851

Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, a program able to write bytes to a kitty terminal — a remote SSH peer, a downloaded file viewed with cat, a log line, an email body rendered in less, an issue body in a TUI, etc. — can cause kitty to execute...

CVSS 7.8, EPSS 0.00021
Exploits 0, References 1
OSV, added yesterday, 3 views

GHSA-GV7W-RQVM-QJHR esbuild: Missing binary integrity verification in Deno module enables remote code execution via NPM_CONFIG_REGISTRY

Summary: The esbuild Deno module lib/deno/mod.ts downloads native binary executables from an npm registry and writes them to disk with executable permissions 0o755 without performing any integrity verification (e.g., SHA-256 hash check). The Node.js equivalent lib/npm/node-install.ts includes a robu...

CVSS 8.1, AI score 6.2
Exploits 0, References 3
Github Security Blog, added yesterday, 3 views

esbuild: Missing binary integrity verification in Deno module enables remote code execution via NPM_CONFIG_REGISTRY

Summary: The esbuild Deno module lib/deno/mod.ts downloads native binary executables from an npm registry and writes them to disk with executable permissions 0o755 without performing any integrity verification (e.g., SHA-256 hash check). The Node.js equivalent lib/npm/node-install.ts includes a robu...

AI score 6.1
Exploits 0, References 3, Affected Software 1
CVE, added yesterday, 5 views

CVE-2026-42851

CVE-2026-42851 (Kitty terminal) : In versions prior to 0.47.0, a program that writes bytes to a Kitty terminal can trigger execution of attacker-supplied Python inside the Kitty process with the user’s privileges. This is a local issue with high impact to confidentiality, integrity, and availabil...

CVSS 7.8, AI score 5.6, EPSS 0.00021
Exploits 0, References 1
EUVD, added yesterday, 3 views

EUVD-2026-36555

Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, a program able to write bytes to a kitty terminal — a remote SSH peer, a downloaded file viewed with cat, a log line, an email body rendered in less, an issue body in a TUI, etc. — can cause kitty to execute...

CVSS 7.8, AI score 5.6, EPSS 0.00021
Exploits 0, References 1
Cvelist, added yesterday, 5 views

CVE-2026-42851 @kitty-edit DCS + --color=geninclude vulnerable to Unauthenticated in-process RCE

Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, a program able to write bytes to a kitty terminal — a remote SSH peer, a downloaded file viewed with cat, a log line, an email body rendered in less, an issue body in a TUI, etc. — can cause kitty to execute...

CVSS 7.8, EPSS 0.00021
Exploits 0, References 1
CVE, added yesterday, 5 views

CVE-2026-54361

CVE-2026-54361 affects MISP and stems from mass assignment flaws in collections, tag collections, event delegations, and shadow attributes. Several controller actions accepted user-supplied fields that should be server-controlled (e.g., id, org_id, orgc_id, user_id), enabling an authenticated att...

CVSS 8.8, AI score 5.2
Exploits 0, References 1
Cvelist, added yesterday, 6 views

CVE-2026-54361 MISP mass assignment vulnerabilities allow unauthorized modification of ownership and delegation records

MISP contained multiple mass assignment vulnerabilities in the handling of collections, tag collections, event delegations, and shadow attributes. Several controller actions accepted user-supplied fields that should have remained server-controlled, including record identifiers and ownership-relat...

CVSS 8.8
Exploits 0, References 1
EUVD, added yesterday, 4 views

EUVD-2026-36554

MISP contained multiple mass assignment vulnerabilities in the handling of collections, tag collections, event delegations, and shadow attributes. Several controller actions accepted user-supplied fields that should have remained server-controlled, including record identifiers and ownership-relat...

CVSS 8.8, AI score 5.2
Exploits 0, References 1
RedHat Linux, added yesterday, 3 views

kernel: crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id

In the Linux kernel, the following vulnerability has been resolved: crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id. Use check_add_overflow to guard against potential integer overflows when adding the binary blob lengths and the size of an asymmetric_key_id structure and return...

AI score 5.6, EPSS 0.00042
Exploits 0, References 5
The Hacker News, added yesterday, 4 views

Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit

Attackers took over more than 400 packages in the Arch User Repository (AUR) this week and rewrote their build scripts to install a credential stealer on any machine that built them. The malware is a Rust binary built to harvest developer secrets. When it lands with root, it can also load an eBPF...

AI score 5.6
Exploits 0
OSSF Malicious Packages, added yesterday, 4 views

Malicious code in ttspc-server-sample (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 98ea79d9fce12a87d3949dc748617f8077a1ae0822fadab451c27d2c8a2feb9b [email protected] declares postinstall: node index.js in package.json, so on npm install it automatically executes index.js. The script...

AI score 5.4
Exploits 0, References 1
OSV, added yesterday, 3 views

MAL-2026-5707 Malicious code in ttspc-server-sample (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 98ea79d9fce12a87d3949dc748617f8077a1ae0822fadab451c27d2c8a2feb9b [email protected] declares postinstall: node index.js in package.json, so on npm install it automatically executes index.js. The script...

AI score 5.4
Exploits 0, References 1
IBM Security Bulletins, added yesterday, 15 views

Security Bulletin: Multiple security vulnerabilities are addressed with IBM Process Mining Interim Fix for May 2026

Summary: Multiple vulnerabilities were addressed in IBM Process Mining 2.1.1 IF002. Vulnerability Details: CVEID: CVE-2026-7246. DESCRIPTION: Pallets Click, versions 8.3.2 and below, contain a command injection vulnerability in the click.edit function, allowing attackers to pass arbitrary OS commands...

CVSS 8.8, AI score 8.7, EPSS 0.00083
Exploits 3, Affected Software 1
GithubExploit, added yesterday, 17 views

Exploit for Use After Free in Linux Linux_Kernel

CVE-2026-23111 Auto-Root VM Testing Local privilege escalat...

CVSS 7.8, AI score 5.8, EPSS 0.00011
Exploits 5
OSSF Malicious Packages, added yesterday, 3 views

Malicious code in voyager-web (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a7f4f15201378ec6cee4268469e85e17e50f3f5299d94a250031d6c2693177b8 package.json declares both preinstall and postinstall lifecycle hooks that execute callback.js on npm install. callback.js collects installer-side...

AI score 5.5
Exploits 0, References 1