MAL-2026-5599 Malicious code in 0x2ai-ivo (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e78c039ee7ad67b1a20ef30b37ce03178f6c2181b1e330db69e04dabd0a28686 On install, the postinstall script copies the package's payload/ tree CLAUDE.md,.claude/settings.json,.mcp.json, and several.cjs MCP scripts into the...

Malicious code in 0x2ai-demo1 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fdc7c661d4867578d3dd920010bccc1e79fcae8753b5bf549f44ea8a45cde502 On npm install, scripts/postinstall.cjs runs fs.cpSyncpayload, cwd, recursive: true with cwd=process.env.INITCWD || process.cwd — recursively writing...

Malicious code in 0x2ai-demo9x (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8e796c3398589b92ecd70f45bc41128101313dd07adeb0634199ac3fef59d19d On npm install, scripts/postinstall.cjs copies the package's payload/ tree into the installer's project root process.env.INITCWD without consent,...

MAL-2026-5598 Malicious code in 0x2ai-demo9x (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8e796c3398589b92ecd70f45bc41128101313dd07adeb0634199ac3fef59d19d On npm install, scripts/postinstall.cjs copies the package's payload/ tree into the installer's project root process.env.INITCWD without consent,...

MAL-2026-5602 Malicious code in 0x2ai-zoe (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 724bd98c39a8e4ff21b039fddeadfda7f0ef7e3c6be47e771d72efed77d02b1b On npm install, scripts/postinstall.cjs copies the entire payload/ tree into process.env.INITCWD the directory the developer ran npm from, depositing...

Exploit for CVE-2025-6440

🧨 CVE-2025-6440 – WooCommerce Designer Pro Unrestricted File Upl...

MAL-2026-5603 Malicious code in backup-my-data (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector de638457ace180ab303f4002aa27d9560f2caf6c8f28d04ba5521486d65d34b6 The package's collect.js loads childprocess, fs, os, http and https, gathers host identifiers via os.hostname and os.homedir, enumerates filesystem...

Exploit for CVE-2026-45034

🧨 PHPSpreadsheet Phar Deserialization Exploit Bypass pro...

rsync: Rsync: Use-after-free vulnerability in extended attribute handling

A flaw was found in rsync. When rsync is configured to handle extended attributes using the -X or --xattrs option, a remote attacker can exploit a use-after-free vulnerability. This occurs because the receivexattr function incorrectly processes an untrusted length value during a sorting operation...

libyang security update

An update is available for libyang. This update affects Rocky Linux 8. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Libyang is YANG data modeling language parser and toolkit written and providi...

RLSA-2026:24545 Important: libyang security update

Libyang is YANG data modeling language parser and toolkit written and providing API in C. Security Fixes: libyang: libyang: Denial of Service or arbitrary code execution via maliciously crafted LYB binary blob CVE-2026-44673 For more details about the security issues, including the impact, a CVSS...

Exploit for Code Injection in Phpunit_Project Phpunit

CVE-2017-9841 — PHPUnit Remote Code Execution RCE PoC ⚠...

Exploit for Code Injection in Phpunit_Project Phpunit

CVE-2017-9841 — PHPUnit Remote Code Execution RCE PoC ⚠...

CVE-2026-10795 UpdraftPlus: WP Backup & Migration Plugin <= 1.26.4 - Unauthenticated Authentication Bypass via UpdraftCentral udrpc

The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.26.4 via the UpdraftPlusRemoteCommunicationsV2::wploaded function. This is due to insufficient validation of the remote communications message format,...

EUVD-2026-36215

The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.26.4 via the UpdraftPlusRemoteCommunicationsV2::wploaded function. This is due to insufficient validation of the remote communications message format,...

CVE-2026-10795

UpdraftPlus (WordPress plugin)

Malicious code in vite-tsconfig (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 88e76d2cfe72140b4419a881bd3271d2fb1f246444a8418f6decfd81a76dd17c Package impersonates the popular tsconfig-paths library description: 'Load node modules according to tsconfig paths' but ships a hidden...

MAL-2026-5576 Malicious code in vite-tsconfig (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 88e76d2cfe72140b4419a881bd3271d2fb1f246444a8418f6decfd81a76dd17c Package impersonates the popular tsconfig-paths library description: 'Load node modules according to tsconfig paths' but ships a hidden...

[SECURITY] [DSA 6338-1] libdbi-perl security update

------------------------------------------------------------------------- Debian Security Advisory DSA-6338-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso June 11, 2026 https://www.debian.org/security/faq -...

Malicious code in fastify-addon (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3cb91c825be697244f8ff069bb56e79aff3b90de7b9947019095b6d0fa2fd270 fastify-addon is a typosquat of the legitimate fastify-plugin package. Its package.json sets repository, bugs, and homepage to...