Malicious code in eth-logger (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 843cae77c9aaf84bef1b7d5e46e27795d5203d2959a39b2797f0e1248b4995c7 The package eth-logger was found to contain malicious code. Source: ossf-package-analysis...

CVE-2026-41208 Paperclip: Privilege Escalation via Agent-Controlled workspaceStrategy.provisionCommand Leading to OS Command Execution

Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Versions of @paperclipai/server prior to 2026.416.0 contain a privilege escalation vulnerability that allows an attacker with an Agent API key to execute arbitrary OS commands on the Paperclip serv...

EUVD-2026-25136

IBM Total Storage Service Console TSSC / TS4500 IMC 9.2, 9.3, 9.4, 9.5, 9.6 TSSC/IMC could allow an unauthenticated user to execute arbitrary commands with normal user privileges on the system due to improper validation of user supplied input...

CVE-2026-5935

IBM Total Storage Service Console TSSC / TS4500 IMC 9.2, 9.3, 9.4, 9.5, 9.6 TSSC/IMC could allow an unauthenticated user to execute arbitrary commands with normal user privileges on the system due to improper validation of user supplied input...

CVE-2026-41179

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Starting in version 1.48.0 and prior to version 1.73.5, the RC endpoint operations/fsinfo is exposed without AuthRequired: true and accepts attacker-controlled fs input. Because rc.GetFs...

DEBIAN-CVE-2026-41179

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Starting in version 1.48.0 and prior to version 1.73.5, the RC endpoint operations/fsinfo is exposed without AuthRequired: true and accepts attacker-controlled fs input. Because rc.GetFs...

CVE-2026-41179

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Starting in version 1.48.0 and prior to version 1.73.5, the RC endpoint operations/fsinfo is exposed without AuthRequired: true and accepts attacker-controlled fs input. Because rc.GetFs...

CVE-2026-41179 RClone: Unauthenticated operations/fsinfo allows attacker-controlled backend instantiation and local command execution

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Starting in version 1.48.0 and prior to version 1.73.5, the RC endpoint operations/fsinfo is exposed without AuthRequired: true and accepts attacker-controlled fs input. Because rc.GetFs...

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the operations/fsinfo endpoint in the RC server process. An attacker can execute arbitrary local commands by sending crafted requests to an exposed RC server that is running without...

CVE-2026-41179 RClone: Unauthenticated operations/fsinfo allows attacker-controlled backend instantiation and local command execution

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Starting in version 1.48.0 and prior to version 1.73.5, the RC endpoint operations/fsinfo is exposed without AuthRequired: true and accepts attacker-controlled fs input. Because rc.GetFs...

CVE-2026-41179

CVE-2026-41179 affects rclone before 1.73.5 where the RC endpoint operations/fsinfo is exposed without AuthRequired and accepts attacker-controlled fs input. This allows an unauthenticated attacker to instantiate an attacker-controlled backend via rc.GetFs(...) and trigger WebDAV bearer_token_com...

CVE-2026-41179

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Starting in version 1.48.0 and prior to version 1.73.5, the RC endpoint operations/fsinfo is exposed without AuthRequired: true and accepts attacker-controlled fs input. Because rc.GetFs...

PT-2026-34712

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557 B20221024 allowing attackers to execute arbitrary commands via the dhcpMtu parameter to /cgi-bin/cstecgi.cgi...

CVE-2026-31171

CVE-2026-31171 affects ToToLink A3300R firmware v17.0.0cu.557_B20221024. The issue allows an attacker to execute arbitrary commands via the url parameter to /cgi-bin/cstecgi.cgi, as described in multiple sources (EUVD/NVD/CVE listings). The root cause and exact vulnerable component are described ...

CVE-2026-31168

CVE-2026-31168 describes a command-injection vulnerability in ToToLink A3300R firmware (versions around 17.0.0cu.557_B20221024 / 17.0.0cu.557 B20221024). The flaw allows an attacker to execute arbitrary commands by supplying a crafted recHour parameter to the CGI endpoint /cgi-bin/cstecgi.cgi. Th...

CVE-2026-31159

The CVE-2026-31159 affects ToToLink A3300R firmware v17.0.0cu.557_B20221024. The vulnerability is a command-injection in /cgi-bin/cstecgi.cgi triggered by the password parameter, enabling arbitrary command execution. Base score 6.5 (Medium) with network attack vector, low attack complexity, and n...

CVE-2026-31166

CVE-2026-31166 concerns ToToLink A3300R firmware v17.0.0cu.557_B20221024. The issue: an attacker can execute arbitrary commands by supplying the hour parameter to /cgi-bin/cstecgi.cgi. This is a network‑vector flaw with low to moderate impact stated (CVSS v3.1: 6.5, Confidentiality and Integrity ...

CVE-2026-31164

ToToLink A3300R firmware v17.0.0cu.557_B20221024 is vulnerable to command execution via the pppoeMtu parameter to /cgi-bin/cstecgi.cgi. The CVE-2026-31164 entry notes this as a network-based vulnerability with CVSSv3.1: 6.5 (MEDIUM), requiring no privileges and no user interaction. Connected sour...

CVE-2026-31165

Summary of CVE-2026-31165 : Analyzed in ToToLink A3300R firmware 17.0.0cu.557_B20221024. The vulnerability is a command-injection in the web interface captured via the pppoeServiceName parameter sent to /cgi-bin/cstecgi.cgi, enabling an attacker to execute arbitrary commands. This is a network-ex...

CVE-2026-31178

ToToLink A3300R firmware v17.0.0cu.557_B20221024 is vulnerable via the stunMaxAlive parameter to /cgi-bin/cstecgi.cgi, enabling arbitrary command execution. The CVE-2026-31178 entry lists network-based access with high impact to confidentiality, integrity, and availability. Connected sources conf...