Deserialization of Untrusted Data
Overview typo3/cms-install is a TYPO3 extension install. The Install Tool is used for installation, upgrade, system administration and setup tasks. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the VariableFrontend or Registry. An attacker can execute...
Deserialization of Untrusted Data
Overview typo3/cms-form is a Form Library, Plugin and Editor. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the VariableFrontend or Registry. An attacker can execute arbitrary PHP code by injecting a crafted serialized payload into the underlying storage...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the VariableFrontend or Registry. An attacker can execute arbitrary PHP code by injecting a crafted serialized payload into the underlying storage backend, such as the cache store or sysregistry...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the VariableFrontend or Registry. An attacker can execute arbitrary PHP code by injecting a crafted serialized payload into the underlying storage backend, such as the cache store or sysregistry...
Deserialization of Untrusted Data
Overview typo3/cms-core is a free open source enterprise content management system. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the VariableFrontend or Registry. An attacker can execute arbitrary PHP code by injecting a crafted serialized payload into...
GHSA-C78M-C52X-JGWP TYPO3 CMS has Insecure Deserialization via Core API
Problem TYPO3's cache frontend VariableFrontend and persistent key-value store Registry deserialized PHP payloads without integrity validation or class restrictions. An attacker with write access to the underlying storage backend (cache store or sysregistry database table) could inject a crafted...
Malicious code in theta-connector (npm)
Source: amazon-inspector f9ac14206b12d7cb0c180c49e65d91b99aa2f013c33147d7f1eff396da2c48a2 The package advertises itself as a MySQL connector but index.js around line 236 contains a method queryDBConnect on the exported...
MAL-2026-5705 Malicious code in theta-connector (npm)
Source: amazon-inspector f9ac14206b12d7cb0c180c49e65d91b99aa2f013c33147d7f1eff396da2c48a2 The package advertises itself as a MySQL connector but index.js around line 236 contains a method queryDBConnect on the exported...
Malicious code in theta-kit (npm)
Source: amazon-inspector 09b0737ff5b0b0768e2314b014529b80609632a38dfdc3a9ad6cfd6ab1da9039 package.json declares postinstall: node dist/index.js, and dist/index.js executes Model.resetor at module top level — meaning both npm install...
MAL-2026-5706 Malicious code in theta-kit (npm)
Source: amazon-inspector 09b0737ff5b0b0768e2314b014529b80609632a38dfdc3a9ad6cfd6ab1da9039 package.json declares postinstall: node dist/index.js, and dist/index.js executes Model.resetor at module top level — meaning both npm install...
Paperclip AI RCE using a chain of six API calls (CVE-2026-41679).
Paperclip is the operating system for your AI company. You set the goals, hire AI agents as employees, and watch them plan and execute work. Prior to version 2026.410.0, Paperclip allows for an unauthenticated RCE, tracked as CVE-2026-41679. An unauthenticated attacker can achieve full remote cod...
Security Bulletin: Arbitrary File Write and Remote Code Execution Vulnerability in Langflow v2 API
Summary IBM Langflow Desktop contains a critical vulnerability in its v2 API file handling mechanism where the POST /api/v2/files/ endpoint improperly processes multipart upload filenames without sanitization, allowing path traversal and arbitrary file write outside intended directories; this fla...
[SECURITY] [DSA 6343-1] librabbitmq security update
Debian Security Advisory DSA-6343-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff June 12, 2026 https://www.debian.org/security/faq -...
[SECURITY] [DSA 6342-1] jpeg-xl security update
Debian Security Advisory DSA-6342-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff June 12, 2026 https://www.debian.org/security/faq -...
CVE-2026-12043 Heap double-free in AWS Common Runtime aws-c-http
Improper handling of HPACK dynamic table size updates in the AWS Common Runtime aws-c-http library might allow a remote threat actor operating a server to cause memory corruption on a connecting client application, potentially leading to arbitrary code execution, via a crafted sequence of HTTP/2...
CVE-2026-12043 Heap double-free in AWS Common Runtime aws-c-http
Improper handling of HPACK dynamic table size updates in the AWS Common Runtime aws-c-http library might allow a remote threat actor operating a server to cause memory corruption on a connecting client application, potentially leading to arbitrary code execution, via a crafted sequence of HTTP/2...
EUVD-2026-36541
Improper handling of HPACK dynamic table size updates in the AWS Common Runtime aws-c-http library might allow a remote threat actor operating a server to cause memory corruption on a connecting client application, potentially leading to arbitrary code execution, via a crafted sequence of HTTP/2...
CVE-2026-12043
CVE-2026-12043 affects the AWS Common Runtime aws-c-http library due to improper handling of HPACK dynamic table size updates, which can cause memory corruption on a connecting client via a crafted sequence of HTTP/2 HEADERS frames. The vulnerability could lead to arbitrary code execution on vuln...
GeoServer has an arbitrary file write vulnerability in its Master Password Dump Page
Summary A vulnerability exists that allows an authenticated administrator with access to GeoServer's security system to pass arbitrary file names to the Master Password Dump web page and create files containing the master password in plaintext. The provided file name must be an absolute path to t...
GHSA-7QMG-GRCP-QF25 GeoServer has an arbitrary file write vulnerability in its Master Password Dump Page
Summary A vulnerability exists that allows an authenticated administrator with access to GeoServer's security system to pass arbitrary file names to the Master Password Dump web page and create files containing the master password in plaintext. The provided file name must be an absolute path to t...