Malicious code in buffer-utilities (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 9d5f9cc02aafc6aacd829af1fe7b8adb4b215f176b9a412ee46ee28372b7805d The OpenSSF Package Analysis project identified 'buffer-utilities' @ 1.0.0 npm as malicious. It is considered malicious because: - The package...

Linux Distros Unpatched Vulnerability : CVE-2026-44462

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed via bash variable expansion chaining $var@P, allowing arbitrary...

RockyLinux 9 : cockpit (RLSA-2026:21468)

The remote RockyLinux 9 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2026:21468 advisory. cockpit: Cockpit: Arbitrary command execution via crafted links in system logs UI CVE-2026-4802 Tenable has extracted the preceding description block directly fr...

PraisonAI vulnerable to sandbox escape via `print.__self__` builtins module leak in `execute_code` (subprocess mode)

Summary executecode in praisonaiagents/tools/pythontools.py v1.6.37, subprocess sandbox mode can be fully bypassed using print.self to retrieve the real Python builtins module, from which import can be extracted via vars and runtime string construction. This achieves arbitrary OS command executio...

CVE-2026-44287

FastGPT is an AI Agent building platform. Prior to 4.15.0-beta1, the JavaScript sandbox worker at projects/code-sandbox/src/pool/worker.ts:356 blocks dynamic import with the regex /\bimport\s/.testcode. JavaScript syntax accepts a block comment between import and ; the regex matches only ASCII...

CVE-2026-44462

Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed via bash variable expansion chaining $var@P, allowing arbitrary command execution under an allowlisted command prefix. This vulnerability is fixed in 0.229.0...

CVE-2026-44287

FastGPT is an AI Agent building platform. Prior to 4.15.0-beta1, the JavaScript sandbox worker at projects/code-sandbox/src/pool/worker.ts:356 blocks dynamic import with the regex /\bimport\s/.testcode. JavaScript syntax accepts a block comment between import and ; the regex matches only ASCII...

EUVD-2026-33431

FastGPT is an AI Agent building platform. Prior to 4.15.0-beta1, the JavaScript sandbox worker at projects/code-sandbox/src/pool/worker.ts:356 blocks dynamic import with the regex /\bimport\s/.testcode. JavaScript syntax accepts a block comment between import and ; the regex matches only ASCII...

CVE-2026-49367

In JetBrains IntelliJ IDEA before 2026.1.1 command execution was possible via the guest user account...

CVE-2026-45630

Dokploy is a free, self-hostable Platform as a Service PaaS. In 0.28.8 and earlier, authenticated OS command injection in the application.updateTraefikConfig tRPC endpoint allows admin/owner users to execute arbitrary system commands on remote servers via unsanitized echo shell interpolation...

CVE-2026-49367

CVE-2026-49367 affects JetBrains IntelliJ IDEA prior to 2026.1.1. The issue enables command execution via the guest user account. The available sources in the provided documents describe the vulnerability at a high level (guest-user-triggered command execution) without detailing the exact exploit...

CVE-2026-49367

In JetBrains IntelliJ IDEA before 2026.1.1 command execution was possible via the guest user account...

CVE-2026-49367

In JetBrains IntelliJ IDEA before 2026.1.1 command execution was possible via the guest user account...

EUVD-2026-33415

In JetBrains IntelliJ IDEA before 2026.1.1 command execution was possible via the guest user account...

CVE-2026-49367

In JetBrains IntelliJ IDEA before 2026.1.1 command execution was possible via the guest user account...

CVE-2026-45626

Arcane is an interface for managing Docker containers, images, networks, and volumes. In 1.18.1 and earlier, GET /environments/id/volumes/volumeName/browse accepts a path query parameter that is passed to a shell command sh -c "find … | while …" inside an Arcane helper container. The path sanitis...

EUVD-2026-33372

Arcane is an interface for managing Docker containers, images, networks, and volumes. In 1.18.1 and earlier, GET /environments/id/volumes/volumeName/browse accepts a path query parameter that is passed to a shell command sh -c "find … | while …" inside an Arcane helper container. The path sanitis...

EUVD-2026-33362

Dokploy is a free, self-hostable Platform as a Service PaaS. In 0.28.8 and earlier, authenticated OS command injection in the /listen-deployment WebSocket endpoint allows any organization member to execute arbitrary system commands on remote servers managed by Dokploy, leading to full server...

RLSA-2026:19073 Important: vim security update

Vim Vi IMproved is an updated and improved version of the vi editor. Security Fixes: vim: arbitrary command execution via modeline sandbox bypass CVE-2026-34982 For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to...

RLSA-2026:19069 Important: openssh security update

OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. Security Fixes: OpenSSH: OpenSSH: Privilege escalation via scp legacy protocol when not preserving file mode...