1084870 matches found

Cvelist
added 2 days ago, 36 views

CVE-2026-28496 FOSSBilling: Server-side template injection in Twig template rendering enables information disclosure and RCE

FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 have a Server-Side Template Injection (SSTI) vulnerability in the template rendering system. Administrators with access to features that render Twig templates (email templates, mass mail campaigns, custo...

CVSS 9.4, EPSS 0.01892
Exploits: 0, References: 3
CVE
added 2 days ago, 31 views

CVE-2026-28496

CVE-2026-28496 (FOSSBilling) affects versions prior to 0.8.0, where a Server-Side Template Injection (SSTI) in Twig template rendering allows an attacker with access to template-rendering features (email templates, mass mail campaigns, custom payment adapters, string_render API) to inject arbitra...

CVSS 9.4, AI score 6.4, EPSS 0.01892
Exploits: 0, References: 3
OSSF Malicious Packages
added 2 days ago, 5 views

Malicious code in ttal2ttml (npm)

Source: amazon-inspector (29387ac35a2248ad2e4b287b8c082f8d1a8d03b4937fc84a5b81fb85697e19d4). package.json declares a preinstall lifecycle script that runs node -e "try{require('child_process').execSync('curl -sf...

AI score 5.9
Exploits: 0, References: 4
OSV
added 2 days ago, 4 views

MAL-2026-6298 Malicious code in ttal2ttml (npm)

Source: amazon-inspector (29387ac35a2248ad2e4b287b8c082f8d1a8d03b4937fc84a5b81fb85697e19d4). package.json declares a preinstall lifecycle script that runs node -e "try{require('child_process').execSync('curl -sf...

AI score 5.9
Exploits: 0, References: 4
EUVD
added 2 days ago, 6 views

EUVD-2026-38452

NetComm NF20MESH routers running firmware R6B031 and earlier contain an authenticated remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands as root by injecting shell metacharacters into the username JSON parameter processed by the...

CVSS 8.8, AI score 6.8, EPSS 0.00664
Exploits: 0, References: 4
Cvelist
added 2 days ago, 36 views

CVE-2026-35018 NetComm NF20MESH < R6B032 Authenticated RCE via OS Command Injection

NetComm NF20MESH routers running firmware R6B031 and earlier contain an authenticated remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands as root by injecting shell metacharacters into the username JSON parameter processed by the...

CVSS 8.8, EPSS 0.00664
Exploits: 0, References: 4
CVE
added 2 days ago, 12 views

CVE-2026-35018

NetComm NF20MESH routers running firmware R6B031 and earlier are affected by an authenticated remote code execution vulnerability. The flaw resides in dalStorage_addUserAccount where shell metacharacters injected into the username JSON parameter are unsafely concatenated into a shell command stri...

CVSS 8.8, AI score 6.8, EPSS 0.00664
Exploits: 0, References: 4
OSV
added 2 days ago, 3 views

MINI-2R77-VH6R-QR5H

Bulletin has no description...

AI score 5.7
Exploits: 0
RedhatCVE
added 2 days ago, 8 views

CVE-2026-47209

A flaw was found in vm2, an open-source virtual machine (VM) sandbox for Node.js. This vulnerability allows an attacker to bypass security restrictions by writing dangerous cross-realm Symbol keys to host objects. This can lead to a compromise of the integrity of the host system, potentially enabli...

CVSS 8.6, AI score 6.5, EPSS 0.00287
Exploits: 0, References: 6
RedhatCVE
added 2 days ago, 5 views

CVE-2026-47135

A flaw was found in vm2, an open-source virtual machine (VM) sandbox for Node.js. An attacker within the sandbox could exploit incomplete symbol interception and missing security checks to gain control over the host system. This could allow the attacker to execute arbitrary code outside the sandbox...

CVSS 8.7, AI score 6, EPSS 0.00266
Exploits: 0, References: 6
NVD
added 2 days ago, 8 views

CVE-2026-56315

picklescan before 1.0.4 fails to block at least seven Python standard library modules including uuid, _osx_support, _aix_support, _pyrepl.pager, and imaplib, exposing eight functions that provide direct arbitrary command execution. Attackers can craft malicious pickle files importing these unblocked...

CVSS 9.8, EPSS 0.00757
Exploits: 0, References: 2
NVD
added 2 days ago, 8 views

CVE-2025-71376

picklescan before 0.0.29 fails to detect malicious pickle files using idlelib.autocomplete.AutoComplete.fetch_completions in __reduce__ methods. Attackers can embed undetected code in pickle files that executes arbitrary commands when loaded by victims...

CVSS 8.1, EPSS 0.003
Exploits: 0, References: 2
NVD
added 2 days ago, 7 views

CVE-2025-71370

picklescan before 0.0.28 fails to detect malicious torch.jit.unsupported_tensor_ops.execWrapper function calls embedded in pickle files. Attackers can craft malicious pickle files that bypass picklescan detection and execute arbitrary code when loaded via pickle.load...

CVSS 8.1, EPSS 0.00379
Exploits: 0, References: 2
NVD
added 2 days ago, 7 views

CVE-2025-71341

picklescan before 0.0.29 fails to detect the profile.Profile.runctx function when analyzing pickle files, allowing attackers to embed undetected malicious code. Remote attackers can craft malicious pickle files using profile.Profile.runctx in the __reduce__ method to achieve remote code execution whe...

CVSS 8.1, EPSS 0.00466
Exploits: 0, References: 2
NVD
added 2 days ago, 6 views

CVE-2025-71365

picklescan before 0.0.33 fails to detect malicious pickle files that invoke the numpy.f2py.crackfortran.myeval function through the __reduce__ method. Attackers can craft malicious pickle files embedding arbitrary code that evades picklescan detection and executes remote code when loaded...

CVSS 8.1, EPSS 0.003
Exploits: 0, References: 2
OSV
added 2 days ago, 3 views

MINI-HX3W-QXJ7-G4VP

Bulletin has no description...

AI score 5.7
Exploits: 0
OSV
added 2 days ago, 3 views

MINI-VJ6G-9WR8-MC32

Bulletin has no description...

AI score 5.7
Exploits: 0
OSV
added 2 days ago, 2 views

MINI-WXQH-WCGM-V69R

Bulletin has no description...

AI score 5.8
Exploits: 0
OSV
added 2 days ago, 3 views

MINI-PMXH-46VV-744V

Bulletin has no description...

AI score 5.7
Exploits: 0
OSV
added 2 days ago, 2 views

MINI-43W3-C933-F2G5

Bulletin has no description...

AI score 5.7
Exploits: 0