146297 matches found

OSSF Malicious Packages
added 2026/06/11 3:14 a.m., 7 views

Malicious code in @403name/fsevent (npm)

Source: amazon-inspector 2f86ca4502cc824c3684e8f1e08b088b974b4339829461b50d45e3fbc6f808eb. On require, index.js runs an IIFE that gates to macOS, skips when CI or GITHUB_ACTIONS is set, waits 30-90 seconds, and writes a one-shot marker at...

AI score 5.9
Exploits: 0, References: 2
OSSF Malicious Packages
added 2026/06/11 3:14 a.m., 8 views

Malicious code in @403name/ether-js (npm)

Source: amazon-inspector 927758f43d6eaa6514273bd8ab8f3559624055b9bbf8c9ef9a190b645c0a6eef. On require('@403name/ether-js'), index.js runs an IIFE that targets macOS only: it returns early on non-darwin platforms and when the CI or GITHUB_ACTIONS environment variables are set,...

AI score 6.3
Exploits: 0, References: 2
OSV
added 2026/06/11 3:14 a.m., 12 views

MAL-2026-5548 Malicious code in @403name/ether-js (npm)

Source: amazon-inspector 927758f43d6eaa6514273bd8ab8f3559624055b9bbf8c9ef9a190b645c0a6eef. On require('@403name/ether-js'), index.js runs an IIFE that targets macOS only: it returns early on non-darwin platforms and when the CI or GITHUB_ACTIONS environment variables are set,...

AI score 6.3
Exploits: 0, References: 2
RedhatCVE
added 2026/06/11 2:59 a.m., 8 views

CVE-2026-46532

ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.2.6, 5.3.5, 5.4.4, 5.5.3, and 6.0, an out-of-bounds read exists in the BlueDroid AVRCP vendor-command parser avrc_pars_vendor_cmd in components/bt/host/bluedroid/stack/avrc/avrc_pars_tg.c. This issue has been patched ...

CVSS 4.6, AI score 5.4, EPSS 0.00228
Exploits: 0, References: 1
RedhatCVE
added 2026/06/11 2:59 a.m., 9 views

CVE-2026-9754

An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the filemd5 command...

CVSS 7.1, AI score 5.5, EPSS 0.00224
Exploits: 0, References: 1
RedhatCVE
added 2026/06/11 2:59 a.m., 9 views

CVE-2026-9742

When OIDC authentication is enabled in the configuration, clients may set specific values in the "mechanism" parameter of the "authenticate" command that lead to a server crash. The authenticate command is accessible to unauthenticated clients, leading to a pre-auth denial of service in the affected product...

CVSS 8.2, AI score 5.5, EPSS 0.00347
Exploits: 0, References: 1
Fedora
added 2026/06/11 1:09 a.m., 21 views

[SECURITY] Fedora 43 Update: xmlstarlet-1.6.1-30.fc43

XMLStarlet is a set of command-line utilities which can be used to transform, query, validate, and edit XML documents and files using a simple set of shell commands, in a similar way to how plain text files are handled with the UNIX grep, sed, awk, diff, patch, join, etc. commands...

AI score 5.5
Exploits: 0
EUVD
added 2026/06/11 12:32 a.m., 9 views

EUVD-2026-36149

A command injection vulnerability in Palo Alto Networks PAN-OS® software enables an authenticated administrator to bypass system restrictions and run arbitrary commands as a root user. To be able to exploit this issue, the user must have access to the PAN-OS CLI or Web UI. The security risk posed...

CVSS 8.6, AI score 5.7, EPSS 0.01193
Exploits: 0, References: 2
Positive Technologies
added 2026/06/11 12:00 a.m., 9 views

PT-2026-48788

Name of the Vulnerable Software and Affected Versions: Idira Privileged Session Manager for SSH (PSMP) versions prior to 15.0.2; Idira Privileged Session Manager for SSH (PSMP) versions prior to 14.6.3; Idira Privileged Session Manager for SSH (PSMP) versions prior to 14.2.5; Idira Privileged Session Manag...

CVSS 8.7, AI score 5.7, EPSS 0.0055
Exploits: 0, References: 6
Positive Technologies
added 2026/06/11 12:00 a.m., 9 views

PT-2026-48790

Name of the Vulnerable Software and Affected Versions: ClipBucket versions prior to 5.5.3. Description: The Remote Play feature in ClipBucket v5 allows authenticated users to import external URLs as video sources. The application concatenates these URLs directly into shell commands without proper...

CVSS 9.8, AI score 5.8, EPSS 0.00603
Exploits: 0, References: 3
Positive Technologies
added 2026/06/11 12:00 a.m., 9 views

PT-2026-48736

Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.5.12. Description: A shell option parsing issue allows combined POSIX shell flags to bypass exec revalidation checks. This enables attackers to execute inline shell content without the intended allowlist validatio...

CVSS 8.8, AI score 5.7, EPSS 0.00419
Exploits: 0, References: 6
Positive Technologies
added 2026/06/11 12:00 a.m., 9 views

PT-2026-48720

Name of the Vulnerable Software and Affected Versions: KanaDojo, affected versions not specified. Description: A command injection issue exists where an attacker with pull request access can execute arbitrary shell commands. This occurs when shell metacharacters are inserted into the version or chang...

CVSS 8.5, AI score 5.6, EPSS 0.0091
Exploits: 0, References: 5
CNNVD
added 2026/06/11 12:00 a.m., 14 views

MariaDB Server command injection vulnerability

MariaDB Server is an open-source relational database system developed by MariaDB. Versions 10.6.1 to 10.6.26, 10.11.1 to 10.11.17, 11.4.1 to 11.4.11, 11.8.1 to 11.8.7, and 12.3.1 of MariaDB Server have a vulnerability related to operating system command injection. This vulnerability arises from...

CVSS 10, AI score 5.9, EPSS 0.00447
Exploits: 0, References: 2
CNNVD
added 2026/06/11 12:00 a.m., 9 views

ClipBucket V5 operating system command injection vulnerability

ClipBucket V5 is a video hosting platform developed by MacWarrior's individual developers. Versions of ClipBucket V5 prior to 5.5.3, including version 140, contained an operating system command injection vulnerability. This vulnerability stemmed from the remote playback feature allowing direct...

CVSS 9.8, AI score 5.6, EPSS 0.00603
Exploits: 0, References: 1
CNNVD
added 2026/06/11 12:00 a.m., 11 views

KanaDojo operating system command injection vulnerability

KanaDojo is an attractive and customizable Japanese learning platform developed by lingdojo. KanaDojo has a vulnerability related to operating system command injection. This vulnerability arises from command injection, and it could allow attackers with access to pull requests to execute arbitrary...

CVSS 8.5, AI score 5.9, EPSS 0.0091
Exploits: 0, References: 1
CNNVD
added 2026/06/11 12:00 a.m., 11 views

CyberArk Idira Privileged Session Manager operating system command injection vulnerability

CyberArk Idira Privileged Session Manager is a privileged session management platform developed by the American company CyberArk. Versions of CyberArk Idira Privileged Session Manager for SSH prior to 15.0.2, 14.6.3, 14.2.5, and 14.0.6 contained an operating system command injection vulnerability...

CVSS 8.8, AI score 5.9, EPSS 0.0055
Exploits: 0, References: 1
Tenable Nessus
added 2026/06/11 12:00 a.m., 7 views

Devolutions Server < 2026.1.21.0 / 2026.2.4.0 < 2026.2.5.0 Multiple Vulnerabilities (DEVO-2026-0015)

The version of Devolutions Server installed on the remote host is prior to 2026.1.21.0 or 2026.2.4.0 prior to 2026.2.5.0. It is, therefore, affected by multiple vulnerabilities, including: - Improper neutralization of special elements in the built-in PAM provider password rotation templates in...

CVSS 6.5, AI score 6, EPSS 0.00196
Exploits: 0, References: 4
CISA KEV Catalog
added 2026/06/11 12:00 a.m., 12 views

Ivanti Sentry OS Command Injection Vulnerability

Ivanti Sentry, formerly known as MobileIron Sentry, contains an OS command injection vulnerability which could allow a remote unauthenticated user to achieve root-level remote code execution. This vulnerability can be successfully exploited in cases where the Sentry appliance is in an unmanaged sta...

CVSS 10, AI score 6.3, EPSS 0.98937
Exploited in the wild; Exploits: 4
Saint
added 2026/06/11 12:00 a.m., 22 views

Ivanti Sentry handleMessage authentication bypass and command execution

Added: 06/11/2026. Background: Ivanti Sentry, formerly MobileIron Sentry, is an in-line gateway that manages, encrypts, and secures traffic between the mobile device and back-end enterprise systems. Problem: An authentication bypass and command execution vulnerability in the handleMessage endpoint...

CVSS 10, AI score 6.5, EPSS 0.98937
Exploits: 4
Tenable Nessus
added 2026/06/11 12:00 a.m., 9 views

openSUSE 16 Security Update : agama-web-ui (openSUSE-SU-2026:20919-1)

The remote openSUSE 16 host has a package installed that is affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20919-1 advisory. This update for agama-web-ui fixes the following issues: - CVE-2025-7339: on-headers: incorrect array handling may lead to HTTP response header...

CVSS 9.2, AI score 7.3, EPSS 0.00623
Exploits: 3, References: 12