
68 matches found

Snyk
added 2026/05/29 10:9 p.m., 9 views

Malicious Package

Overview: power-platform-playwright-toolkit is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and...

9.8 CVSS, 5.8 AI score
Exploits 0, References 2
OSV
added 2026/05/22 5:16 a.m., 8 views

MAL-2026-4733 Malicious code in wrld-dev (npm)

Source: amazon-inspector 58965a325ad88c872b7c01668e4c08ca337b5fa022c15e626e23697d23fb594c The package exposes a public authentication API auth.user.login, auth.user.register, auth.user.get, auth.user.delete, plus an auth.system RPC surface...

5.9 AI score
Exploits 0, References 1
Snyk
added 2026/05/22 2:42 a.m., 7 views

Malicious Package

Overview: defi-env-auditor is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8 CVSS, 5.8 AI score
Exploits 0, References 2
Snyk
added 2026/05/15 11:24 a.m., 5 views

Malicious Package

Overview: dowloadeboklosenemigosdelcomerciobyantonioescohotado6t2l4 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection betwee...

9.8 CVSS, 5.8 AI score
Exploits 0, References 2
NVD
added 2026/04/27 5:16 p.m., 7 views

CVE-2026-38936

A reflected cross-site scripting (XSS) vulnerability exists in diskover-community = 2.3.5 in public/selectindices.php via the namecontains parameter...

6.1 CVSS, 0.00235 EPSS
Exploits 0, References 3
Snyk
added 2026/04/20 1:39 p.m., 3 views

Malicious Package

Overview: tailwind-text-fill is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8 CVSS, 5.7 AI score
Exploits 0, References 2
CVE
added 2026/04/13 9:52 p.m., 39 views

CVE-2026-4786

CVE-2026-4786 notes incomplete mitigation of CVE-2026-4519. The issue arises when a URL contains "%action" allowing bypass of mitigation for certain browser types in Python's webbrowser.open(), enabling potential commands injected into the underlying shell. Connected CVE-4519 details indicate the...

7 CVSS, 5.9 AI score, 0.00209 EPSS
Exploits 0, References 8
Snyk
added 2026/03/06 7:14 a.m., 2 views

Malicious Package

Overview: @justworkshr/alma is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8 CVSS, 5.4 AI score
Exploits 0, References 2
Tenable Nessus
added 2026/02/12 12:0 a.m., 5 views

Symfony < 5.4.51 / 6.4.x < 6.4.33 / 7.3.x < 7.3.11 / 7.4.x < 7.4.5 / 8.0.x < 8.0.5 Process Component Argument Injection (GHSA-r39x-jcww-82v6)

The version of Symfony installed on the remote host is prior to 5.4.51, or 6.4.x prior to 6.4.33, or 7.3.x prior to 7.3.11, or 7.4.x prior to 7.4.5, or 8.0.x prior to 8.0.5. It is, therefore, affected by an argument injection vulnerability in the Process component. The Symfony Process component d...

6.3 CVSS, 5.9 AI score, 0.00201 EPSS
Exploits 1, References 3
Snyk
added 2026/02/09 5:25 p.m., 2 views

Malicious Package

Overview: json-mapping-sources is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8 CVSS, 5.5 AI score
Exploits 0, References 2
RedHat Linux
added 2025/12/22 9:31 a.m., 0 views

os/exec: Unexpected paths returned from LookPath in os/exec

A path handling flaw has been discovered in the os/exec go package. If the PATH environment variable contains paths which are executables rather than just directories, passing certain strings to LookPath ("", ".", and "..") can result in the binaries listed in the PATH being unexpectedly returned...

6.5 CVSS, 5.7 AI score, 0.00489 EPSS
Exploits 1, References 8
UbuntuCve
added 2025/10/28 12:0 a.m., 1 views

CVE-2025-62230

A flaw was discovered in the X.Org X server’s X Keyboard (Xkb) extension when handling client resource cleanup. The software frees certain data structures without properly detaching related resources, leading to a use-after-free condition. This can cause memory corruption or a crash when affected...

7.3 CVSS, 7.1 AI score, 0.00242 EPSS
Exploits 0, References 2
UbuntuCve
added 2025/10/14 1:15 p.m., 4 views

CVE-2025-11720

The Firefox and Firefox Focus UI for the Android custom tab feature only showed the "site" that was loaded, not the full hostname. User supplied content hosted on a subdomain of a site could have been used to fool a user into thinking it was content from a different subdomain of that site. This...

8.1 CVSS, 5.8 AI score, 0.00244 EPSS
Exploits 0, References 5
Snyk
added 2025/10/10 2:24 a.m., 1 views

Malicious Package

Overview: tw-webkit-universal is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8 CVSS, 6.8 AI score
Exploits 0, References 2
OSV
added 2025/09/20 8:43 a.m., 4 views

BIT-GOLANG-2025-47906 Unexpected paths returned from LookPath in os/exec

If the PATH environment variable contains paths which are executables rather than just directories, passing certain strings to LookPath ("", ".", and "..") can result in the binaries listed in the PATH being unexpectedly returned...

6.5 CVSS, 6.1 AI score, 0.00489 EPSS
Exploits 1, References 6
OSSF Malicious Packages
added 2025/09/05 5:10 p.m., 4 views

Malicious code in huainanren-nvren-wufa-diyude-youhuo (npm)

The package huainanren-nvren-wufa-diyude-youhuo was found to contain malicious code...

7 AI score
Exploits 0
Tenable Nessus
added 2025/08/24 12:0 a.m., 5 views

Linux Distros Unpatched Vulnerability : CVE-2019-11187

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Incorrect Access Control in the LDAP class of GONICUS GOsa through 2019-04-11 allows an attacker to log into any account with a username containing the...

9.8 CVSS, 8.1 AI score, 0.01749 EPSS
Exploits 0, References 2
OSSF Malicious Packages
added 2025/08/14 6:52 p.m., 2 views

Malicious code in nectarine-mike-golf-fsydh (npm)

The package nectarine-mike-golf-fsydh was found to contain malicious code...

7 AI score
Exploits 0
OSSF Malicious Packages
added 2025/08/14 6:52 p.m., 2 views

Malicious code in project-ykhjj-papa (npm)

The package project-ykhjj-papa was found to contain malicious code...

7 AI score
Exploits 0
OSSF Malicious Packages
added 2025/08/14 6:52 p.m., 3 views

Malicious code in @malware-test-spend-daman-mouth-haets/test-mlw3-spend-daman-mouth-haets (npm)

The package @malware-test-spend-daman-mouth-haets/test-mlw3-spend-daman-mouth-haets was found to contain malicious code...

7 AI score
Exploits 0