EUVD-2026-36644

The Store Locator WordPress plugin before 1.6.9 does not validate a parameter before using it in a file path, allowing high-privileged users such as administrators to read arbitrary .php files from the server, including configuration files that contain database credentials and authentication keys...

XWiki Platform - Information Disclosure

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 6.1-milestone-2 through 16.10.6, configuration files are accessible through the webjars API. id: CVE-2025-55747 info: name: XWiki Platform - Information Disclosure author: Redmomn...

Malicious code in parket-slot (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6dc700128da5b494d5325086ec183ce7c746d44d88dc7f609bfb9f2eab9fa072 On npm install, the package's postinstall script node test.js auto-executes a multi-stage attack against the installer's machine. It recursively scan...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Shai-Hulud / Miasma software supply chain campaign, a large scale operation that has affected numerous packages across open source ecosystems. The malicio...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Shai-Hulud / Miasma software supply chain campaign, a large scale operation that has affected numerous packages across open source ecosystems. The malicio...

CVE-2026-11416

MoviePilot contains a path traversal vulnerability in the AliPan, U115, and Rclone cloud storage download handlers where the local destination path is constructed by concatenating the configured download directory with a filename taken directly from remote cloud API metadata without basename...

CVE-2026-50206

Incoming VPN network profile settings fail to process special characters safely, enabling command injection via malicious config files...

CVE-2026-50206 VPN Command Injection Vulnerability

Incoming VPN network profile settings fail to process special characters safely, enabling command injection via malicious config files...

CVE-2026-50206 VPN Command Injection Vulnerability

Incoming VPN network profile settings fail to process special characters safely, enabling command injection via malicious config files...

CVE-2026-50206

CVE-2026-50206 affects VPN network profile handling where special characters in config files are not safely processed, enabling command injection. Root cause: improper sanitization or parsing of config entries leads to execution of injected commands when reading malicious config files. Documented...

CVE-2026-50206

Incoming VPN network profile settings fail to process special characters safely, enabling command injection via malicious config files...

OpenSC 安全漏洞

OpenSC is an open-source smart card tool and middleware developed by OpenSC. Versions of OpenSC prior to 0.27.0 contained security vulnerabilities. These vulnerabilities stemmed from a stack and heap buffer overflow vulnerability in the dokeyvalue function located in src/pkcs15init/profile.c. Thi...

CVE-2025-41670

Technical details about CVE-2025-41670 are not publicly available in the provided documents. Monitor for updates from official advisories; no affected products, vulnerable components, or remediation are specified here.

Phoenix Contact多款产品 代码问题漏洞

PHOENIX CONTACT AXC F 1152 and PHOENIX CONTACT AXC F 2152 are controller devices from the German company PHOENIX CONTACT. Several products from Phoenix Contact have code vulnerabilities. These vulnerabilities allow low-privilege local users to manipulate configuration or application-related files...

PT-2026-43542

A local user with low privileges may be able to influence the behavior of a privileged system service by manipulating configuration or application-related files located in user-writable areas of the filesystem. The affected service processes data from locations that are not sufficiently protected...

MAL-2026-4522 Malicious code in claude-all-config (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 63c5a1f5a6f5bd2dadc4e207ff4e8e310c24cd4c99c751ed094251e00e0af8f3 On install, postinstall.js writes configuration into /.claude/, /.gemini/, /.codex/, and /.kiro/ that hard-wires AI tooling to author-controlled...

Malicious code in claude-all-config (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 63c5a1f5a6f5bd2dadc4e207ff4e8e310c24cd4c99c751ed094251e00e0af8f3 On install, postinstall.js writes configuration into /.claude/, /.gemini/, /.codex/, and /.kiro/ that hard-wires AI tooling to author-controlled...

MantisBT 安全漏洞

MantisBT is a set of web-based open-source defect tracking systems developed by the MantisBT team. This system provides project management and defect tracking services through web-based operations. Versions 2.28.0 and 2.28.1 of MantisBT contain security vulnerabilities. These vulnerabilities stem...

CVE-2026-44377

CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection SSTI vulnerability exists in multiple modules of CubeCart including Email Templates and Documents. The application unsafely evaluates user-supplied input directly through the Smarty templat...

MAL-2026-3646 Malicious code in erslove (npm)

erslove is a typosquatting package impersonating resolve, the module resolution library implementing require.resolve semantics. The package bundles the legitimate resolve source and test fixtures to appear functional while hiding a credential-theft payload in index1.js, executed at install time v...