449652 matches found
AutoJack Attack Lets One Web Page Hijack AI Agent for Host Code Execution
Microsoft researchers have detailed an exploit chain, named AutoJack, that turns an AI browsing agent into a delivery vehicle for remote code execution. Steer the agent to load an attacker's web page, and that page's JavaScript can reach a privileged local service on the same machine and spawn a...
GHSA-VCV2-R9JH-99M5 Agentic-Flow: OS Command Injection in agentic-flow MCP server tools via unsanitized tool-parameter interpolation into execSync
Summary: in agentic-flow versions = 2.0.13, MCP server tools interpolated attacker-influenceable tool parameters (e.g. the agent, task, name, language and agentdb arguments) directly into shell command strings passed to execSync. A malicious value reaching any of the affected MCP tools could break out of the...
Cross-site Scripting (XSS)
Overview: @jupyterlab/extensionmanager is the JupyterLab Extension Manager. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via unsanitized handling of the homepageurl field in the extension manager. An attacker can execute arbitrary JavaScript in the context of the...
GHSA-VMHF-C436-HXJ4 JupyterLab: Stored XSS in extension manager through package metadata unsanitized URI protocol
A malicious PyPI package can place a javascript: URL in its project.urls metadata. JupyterLab's Extension Manager renders this as the extension's home-page link without validating the protocol, so a user who clicks the extension name executes attacker-controlled JavaScript in the JupyterLab origi...
MAL-2026-6211 Malicious code in @apiwizards/auth-middleware (npm)
Source: amazon-inspector (718ca10ce0670edf6756b4ff0bd05e43526ebd516396a34074acf844116e7254). @apiwizards/auth-middleware ships a single heavily obfuscated index.js: an obfuscator.io string array with 317 entries, an RC4+base64 decoder, ...
GHSA-WG5P-8H9P-3MR7 agent-coderag: Gradle Wrapper Execution During Dependency Discovery Enables Arbitrary Code Execution
Summary: agent-coderag unconditionally executes a repository-controlled gradlew script during its default sync dependency-discovery flow. An attacker who can induce a victim to index a malicious Gradle repository...
EUVD-2026-38036
PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, AbstractGenerator::$temporaryFiles is a public array, and removeTemporaryFiles, invoked from __destruct and from a registered shutdown function, calls unlink on every entry without verifying...
CVE-2026-49358 PhpWeasyPrint vulnerable to arbitrary file deletion at shutdown via public $temporaryFiles
PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, AbstractGenerator::$temporaryFiles is a public array, and removeTemporaryFiles, invoked from __destruct and from a registered shutdown function, calls unlink on every entry without verifying...
CVE-2026-49358
Summary of CVE-2026-49358 (PhpWeasyPrint) : Prior to version 2.6.0, the public array AbstractGenerator::$temporaryFiles could be appended with arbitrary paths. When removeTemporaryFiles() runs (from __destruct or a shutdown function), it calls unlink() on every entry without verifying that the pa...
Improper Authentication
Overview: Affected versions of this package are vulnerable to Improper Authentication in the OIDC authenticator. An attacker can gain access to the API by presenting a JWT that a shared identity provider issued for an unrelated service, because the token's audience (aud) claim is not validated. This...
MAL-2026-6226 Malicious code in new-mjs-eslint (npm)
Source: amazon-inspector (b4ae24b182a00059424b8ea4800927bbbf662f0e6bf20264af611d37203a3f2e). The package is published under the unrelated name 'new-mjs-eslint' but ships a verbatim copy of the big.js decimal-arithmetic library (original...