271993 matches found

OSV
added 2 days ago, 3 views

MAL-2026-6086 Malicious code in ai-chat-helper (npm)

Source: amazon-inspector 39a12d35a8713a8f63eaf342901214a7f53fa396b9ee8218d246e5e0db7b6318. collect.js performs system reconnaissance and exfiltration to a hardcoded attacker-controlled host. The script imports child_process, os, fs, http, an...

AI score: 5.4
Exploits: 0, References: 3

OSSF Malicious Packages
added 2 days ago, 5 views

Malicious code in @hotcappuccino/nodepull (npm)

Source: amazon-inspector 42e9bbd7a5cb25d0863ef140b42a7ab2abec1e921e18669eef3f07a91c3d6d99. @hotcappuccino/[email protected] ships a single index.js (the package's declared main) that is wrapped in an obfuscator.io string-array +...

AI score: 5.5
Exploits: 0, References: 1

OSV
added 2 days ago, 2 views

MAL-2026-6085 Malicious code in @hotcappuccino/nodepull (npm)

Source: amazon-inspector 42e9bbd7a5cb25d0863ef140b42a7ab2abec1e921e18669eef3f07a91c3d6d99. @hotcappuccino/[email protected] ships a single index.js (the package's declared main) that is wrapped in an obfuscator.io string-array +...

AI score: 5.6
Exploits: 0, References: 1

EUVD
added 2 days ago, 4 views

EUVD-2026-37810

e107 is a content management system (CMS). Versions 2.3.5 and earlier contain a command injection vulnerability in the ImageMagick resize destination path. In resizeimage, the source path is escaped with escapeshellarg, but the destination path is inserted inside raw double quotes in the convert...

CVSS: 7.1, AI score: 5.3, EPSS: 0.00747
Exploits: 0, References: 2

Cvelist
added 2 days ago, 18 views

CVE-2026-48997 e107: Command Injection via shell expansion in ImageMagick resize destination path

e107 is a content management system (CMS). Versions 2.3.5 and earlier contain a command injection vulnerability in the ImageMagick resize destination path. In resizeimage, the source path is escaped with escapeshellarg, but the destination path is inserted inside raw double quotes in the convert...

CVSS: 7.1, EPSS: 0.00747
Exploits: 0, References: 2

CVE
added 2 days ago, 12 views

CVE-2026-48997

CVE-2026-48997 affects e107 CMS

CVSS: 7.1, AI score: 5.3, EPSS: 0.00747
Exploits: 0, References: 2

Vulnrichment
added 2 days ago, 4 views

CVE-2026-48997 e107: Command Injection via shell expansion in ImageMagick resize destination path

e107 is a content management system (CMS). Versions 2.3.5 and earlier contain a command injection vulnerability in the ImageMagick resize destination path. In resizeimage, the source path is escaped with escapeshellarg, but the destination path is inserted inside raw double quotes in the convert...

CVSS: 7.1, AI score: 5.2, EPSS: 0.00747
Exploits: 0, References: 2

OSSF Malicious Packages
added 2 days ago, 5 views

Malicious code in boardflow (PyPI)

Source: amazon-inspector 7a7f48df7609edb5bab9d9e572f093994d071165578a58032a69392d62b08b86. On pip install boardflow, setup.py spawns a background thread that fetches http://pooron.org/test.exe over plain HTTP into the OS temp directory and...

AI score: 6.6
Exploits: 0, References: 3

OSV
added 2 days ago, 2 views

MAL-2026-6080 Malicious code in boardflow (PyPI)

Source: amazon-inspector 7a7f48df7609edb5bab9d9e572f093994d071165578a58032a69392d62b08b86. On pip install boardflow, setup.py spawns a background thread that fetches http://pooron.org/test.exe over plain HTTP into the OS temp directory and...

AI score: 6.7
Exploits: 0, References: 3

NVD
added 2 days ago, 6 views

CVE-2026-55201

Evil-WinRM through 3.9, fixed in commit 6ecd570, contains a path traversal vulnerability in the download_dir function that allows a rogue or compromised remote Windows server to write files outside the intended download directory by returning filenames with traversal sequences from Get-ChildItem...

CVSS: 7.4, EPSS: 0.00304
Exploits: 0, References: 3

GithubExploit
added 2 days ago, 33 views

Hadoop-YARN-RCE

Unauthenticated RCE in Apache Hadoop YARN ResourceManager An...

AI score: 6.3
Exploits: 0

EUVD
added 2 days ago, 5 views

EUVD-2026-37785

Evil-WinRM through 3.9, fixed in commit 6ecd570, contains a path traversal vulnerability in the download_dir function that allows a rogue or compromised remote Windows server to write files outside the intended download directory by returning filenames with traversal sequences from Get-ChildItem...

CVSS: 7.4, AI score: 5.4, EPSS: 0.00304
Exploits: 0, References: 3

CVE
added 2 days ago, 8 views

CVE-2026-55201

CVE-2026-55201 affects Evil-WinRM (up to version 3.9). A path traversal in download_dir() can cause the server to generate filenames with traversal sequences from Get-ChildItem output, which are passed unsanitized to File.join(), enabling writes outside the intended download directory. Attackers ...

CVSS: 7.4, AI score: 5.5, EPSS: 0.00304
Exploits: 0, References: 3

Vulnrichment
added 2 days ago, 8 views

CVE-2026-55201 Evil-WinRM - Path Traversal in download_dir() Function

Evil-WinRM through 3.9, fixed in commit 6ecd570, contains a path traversal vulnerability in the download_dir function that allows a rogue or compromised remote Windows server to write files outside the intended download directory by returning filenames with traversal sequences from Get-ChildItem...

CVSS: 7.4, AI score: 5.4, EPSS: 0.00304
Exploits: 0, References: 3

Cvelist
added 2 days ago, 16 views

CVE-2026-55201 Evil-WinRM - Path Traversal in download_dir() Function

Evil-WinRM through 3.9, fixed in commit 6ecd570, contains a path traversal vulnerability in the download_dir function that allows a rogue or compromised remote Windows server to write files outside the intended download directory by returning filenames with traversal sequences from Get-ChildItem...

CVSS: 7.4, EPSS: 0.00304
Exploits: 0, References: 3

GithubExploit
added 2 days ago, 38 views

Exploit for OS Command Injection in Buffalo Open_Xdmod

CVE-2...

CVSS: 9.8, AI score: 5.2, EPSS: 0.00388
Exploits: 1

EUVD
added 2 days ago, 6 views

EUVD-2026-37553

RadiX AX6600 WiFi 6 Tri-Band Gaming Router contains an OS command injection vulnerability, which may lead to arbitrary command execution with the root privilege by a user who logs in to the web console as an administrator...

CVSS: 8.6, AI score: 7.6, EPSS: 0.01786
Exploits: 0, References: 3

EUVD
added 2 days ago, 5 views

EUVD-2026-37501

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpWax Directorist Booking allows Blind SQL Injection. This issue affects Directorist Booking: from n/a through 3.0.3...

CVSS: 8.5, AI score: 5.6, EPSS: 0.00278
Exploits: 0, References: 2

EUVD
added 2 days ago, 6 views

EUVD-2026-37576

An attacker with network access to the Regesta Smart HD-PLC of the provider Teldat (in this case, NO registration action is required) who has the vulnerable software could obtain privilege information by using the command Version via the path: /upgrade/query.php?cmd=p+3&3Bversion resulting in a...

CVSS: 6.9, AI score: 5.4, EPSS: 0.00394
Exploits: 0, References: 6

EUVD
added 2 days ago, 6 views

EUVD-2026-37499

An authenticated OS command injection vulnerability exists in the IPv6 PPPoE configuration handler in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrative access may exploit this issue to execute arbitrary system commands with elevated privileges...

CVSS: 8.5, AI score: 5.9, EPSS: 0.01336
Exploits: 0, References: 4