71 matches found

OSV
added 2026/05/20 11:24 a.m., 3 views

MAL-2026-4682 Malicious code in tango-app-api-trax (npm)

Source: amazon-inspector (5c14d60a97b056e00cb3055bd07605c2f16482794e5860fee68cab46f308893d). The package tarball includes a Google Cloud service-account JSON file, fir-51e77-firebase-adminsdk-x3sdp-fd902b74ae.json, containing a live RSA private...

5.8 AI score
Exploits: 0, References: 1
NVD
added 2026/02/26 2:16 a.m., 6 views

CVE-2026-27941

OpenLIT is an open source platform for AI engineering. Prior to version 1.37.1, several GitHub Actions workflows in OpenLIT's GitHub repository use the pull_request_target event while checking out and executing untrusted code from forked pull requests. These workflows run with the security context ...

9.9 CVSS, 0.00071 EPSS
Exploits: 1, References: 2
GitHub Security Blog
added 2026/02/04 11:21 p.m., 9 views

EVE Has Partially Predetermined Vault Key

Impact: The deriveVaultKey function calls retrieveCloudKey which always returns "foobarfoobarfoobarfoobarfoobarfo". When merged with the randomly generated 32-byte key using mergeKeys 16 bytes from each, the last 16 bytes are always "arfoobarfoobarfo". This enables an attacker with physical access...

7.8 CVSS, 7.2 AI score, 0.00027 EPSS
Exploits: 0, References: 6, Affected Software: 1
OSV
added 2026/02/04 11:21 p.m., 2 views

GHSA-G7VP-J25F-H34P EVE Has Partially Predetermined Vault Key

Impact: The deriveVaultKey function calls retrieveCloudKey which always returns "foobarfoobarfoobarfoobarfoobarfo". When merged with the randomly generated 32-byte key using mergeKeys 16 bytes from each, the last 16 bytes are always "arfoobarfoobarfo". This enables an attacker with physical access...

6.7 CVSS, 5.3 AI score, 0.00027 EPSS
Exploits: 0, References: 6
Positive Technologies
added 2026/02/04 12:0 a.m., 1 views

PT-2026-6420

Impact: The deriveVaultKey function calls retrieveCloudKey which always returns "foobarfoobarfoobarfoobarfoobarfo". When merged with the randomly generated 32-byte key using mergeKeys 16 bytes from each, the last 16 bytes are always "arfoobarfoobarfo". This enables an attacker with physical access...

7.8 CVSS, 5.4 AI score, 0.00027 EPSS
Exploits: 0, References: 7
EUVD
added 2025/11/13 3:23 a.m., 2 views

EUVD-2025-176425

Malicious code in serialize-cloud-key-array-secure npm...

6.6 AI score
Exploits: 0
EUVD
added 2025/10/07 12:30 a.m., 1 views

EUVD-2020-29050

Malware in sbrugna...

7.2 CVSS, 6.6 AI score, 0.00036 EPSS
Exploits: 0, References: 3
EUVD
added 2025/10/07 12:30 a.m., 1 views

EUVD-2020-30307

Malware in sbrugna...

5.5 CVSS, 5.6 AI score, 0.0006 EPSS
Exploits: 0, References: 2
EUVD
added 2025/10/07 12:30 a.m., 1 views

EUVD-2020-29043

Malware in sbrugna...

5.3 CVSS, 5.5 AI score, 0.0035 EPSS
Exploits: 0, References: 3
EUVD
added 2025/10/03 8:7 p.m., 1 views

EUVD-2023-36286

Malicious code in bioql PyPI...

9 CVSS, 9 AI score, 0.00043 EPSS
Exploits: 0, References: 1
EUVD
added 2025/10/03 8:7 p.m., 0 views

EUVD-2023-30093

Malicious code in bioql PyPI...

9.8 CVSS, 9.3 AI score, 0.00158 EPSS
Exploits: 0, References: 2
RedhatCVE
added 2025/05/23 6:2 a.m., 2 views

CVE-2023-28361

A Cross-site WebSocket Hijacking (CSWSH) vulnerability found in UniFi OS 2.5 and earlier allows a malicious actor to access certain confidential information by persuading a UniFi OS user to visit a malicious webpage. Affected Products: Cloud Key Gen2, Cloud Key Gen2 Plus, UNVR, UNVR Professional, UDM, UDM...

6.5 CVSS, 6.5 AI score, 0.0016 EPSS
Exploits: 0, References: 1
RedhatCVE
added 2025/05/23 4:48 a.m., 5 views

CVE-2023-31997

UniFi OS 3.1 introduces a misconfiguration on consoles running UniFi Network that allows users on a local network to access MongoDB. Applicable Cloud Keys that are both (1) running UniFi OS 3.1 and (2) hosting the UniFi Network application. "Applicable Cloud Keys" include the following: Cloud Key Gen...

9 CVSS, 6.7 AI score, 0.00043 EPSS
Exploits: 0, References: 1
RedhatCVE
added 2025/05/23 4:39 a.m., 5 views

CVE-2023-26272

IBM Security Guardium Data Encryption IBM Guardium Cloud Key Manager (GCKM) 1.10.3 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID:...

5.3 CVSS, 5.8 AI score, 0.00044 EPSS
Exploits: 0, References: 1
RedhatCVE
added 2025/05/23 2:25 a.m., 2 views

CVE-2023-27587

ReadtoMyShoe, a web app that lets users upload articles and listen to them later, generates an error message containing sensitive information prior to commit 8533b01. If an error occurs when adding an article, the website shows the user an error message. If the error originates from the Google...

7.4 CVSS, 6.6 AI score, 0.83743 EPSS
Exploits: 1, References: 1
RedhatCVE
added 2025/05/22 5:12 p.m., 2 views

CVE-2020-8157

UniFi Cloud Key firmware = v1.1.10 for Cloud Key gen2 and Cloud Key gen2 Plus contains a vulnerability that allows unrestricted root access through the serial interface (UART)...

7.2 CVSS, 7.1 AI score, 0.00036 EPSS
Exploits: 0, References: 1
RedhatCVE
added 2025/05/22 4:54 p.m., 2 views

CVE-2020-9501

Attackers can obtain Cloud Key information from the Dahua Web P2P control in specific ways. Cloud Key is used to authenticate the connection between the client tool and the platform. An attacker may use the leaked Cloud Key to impersonate the client to connect to the platform, resulting in...

5.5 CVSS, 6.7 AI score, 0.0006 EPSS
Exploits: 0, References: 1
RedhatCVE
added 2025/05/22 4:50 p.m., 7 views

CVE-2020-8148

UniFi Cloud Key firmware 1.1.6 contains a vulnerability that enables an attacker to change a device hostname by sending a malicious API request. This affects Cloud Key gen2 and Cloud Key gen2 Plus...

5.3 CVSS, 6.8 AI score, 0.0035 EPSS
Exploits: 0, References: 1
Positive Technologies
added 2023/09/21 12:0 a.m., 5 views

PT-2023-28893

Name of the Vulnerable Software and Affected Versions: SoftwareX versions prior to 7.10. Description: The issue arises from the implementation of deriveVaultKey, which generates a vault key with the last 16 bytes predetermined to be "arfoobarfoobarfo". This occurs because deriveVaultKey calls...

9.9 CVSS, 7.2 AI score, 0.00733 EPSS
Exploits: 44, References: 120
CNVD
added 2023/08/29 12:0 a.m., 11 views

IBM Security Guardium Data Encryption Access Control Error Vulnerability

IBM Security Guardium Data Encryption is a software from International Business Machines (IBM) that is used to secure sensitive data within an organization. The software protects assets located in cloud, virtual, big data and physical environments by controlling access to databases, files,...

7.5 CVSS, 6.4 AI score, 0.0006 EPSS
Exploits: 0, References: 1