48 matches found

NVD, added 5 days ago

CVE-2026-57522

Bitwarden Server before 2026.5.0 contains a JSON injection vulnerability in IntegrationTemplateProcessor.ReplaceTokens, which substitutes user-controlled values into event-integration templates without JSON encoding. When an organization has configured an event integration whose template referenc...

CVSS 5, EPSS 0.00217, Exploits 1, References 5
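The failure mode the Bitwarden entry describes, token substitution into a JSON template without encoding, as an added example (this is not Bitwarden's code; the template text, the token names and the sample values are constructed for the example). The raw substitution lets a value close its string literal and add a member; the encoded variant runs every value through json.Marshal first, and a parse of the rendered payload shows the difference:

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Constructed template in the style the advisory describes: #Token# slots
// inside a JSON body. Template text and token names are assumptions for this
// example, not Bitwarden's.
const webhookTemplate = `{"event": "#EventType#", "actor": "#ActingUserName#"}`

// replaceTokensRaw substitutes each value verbatim: the vulnerable pattern.
func replaceTokensRaw(tmpl string, values map[string]string) string {
	out := tmpl
	for k, v := range values {
		out = strings.ReplaceAll(out, "#"+k+"#", v)
	}
	return out
}

// jsonStringBody returns v encoded as a JSON string literal with the
// surrounding quotes removed, so it can be placed into an already-quoted slot.
func jsonStringBody(v string) (string, error) {
	b, err := json.Marshal(v)
	if err != nil {
		return "", err
	}
	return string(b[1 : len(b)-1]), nil
}

// replaceTokensEncoded is the hardened form: every value is JSON-encoded before
// substitution, so quotes, backslashes and control characters stay inside the
// string literal instead of closing it and adding new members.
func replaceTokensEncoded(tmpl string, values map[string]string) (string, error) {
	out := tmpl
	for k, v := range values {
		enc, err := jsonStringBody(v)
		if err != nil {
			return "", err
		}
		out = strings.ReplaceAll(out, "#"+k+"#", enc)
	}
	return out, nil
}

// topLevelKeys parses a rendered payload as the receiving webhook would and
// returns its sorted member names; an extra key means a value escaped its slot.
func topLevelKeys(payload string) ([]string, error) {
	var m map[string]json.RawMessage
	if err := json.Unmarshal([]byte(payload), &m); err != nil {
		return nil, err
	}
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys, nil
}

func main() {
	// Constructed attacker-controlled value: closes the string and appends a member.
	values := map[string]string{
		"EventType":      "user_invited",
		"ActingUserName": `eve", "role": "owner`,
	}
	raw := replaceTokensRaw(webhookTemplate, values)
	fmt.Println(raw)
	fmt.Println(topLevelKeys(raw)) // [actor event role] <nil>: injected member accepted
	enc, err := replaceTokensEncoded(webhookTemplate, values)
	if err != nil {
		panic(err)
	}
	fmt.Println(enc)
	fmt.Println(topLevelKeys(enc)) // [actor event] <nil>
}
```

The check that matters is the parse on the receiving side: a payload that still parses as valid JSON but with members the template never declared is the signature of this bug, so a regression test should compare the rendered document's key set against the template's, not just look for quotes in the input.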
RedhatCVE, added 2026/06/05 7:15 p.m.

CVE-2026-46508

Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14000, the Turborepo LSP VS Code extension could execute shell commands derived from workspace-controlled values. The extension used string-based command execution for Turborepo daemon commands and...

CVSS 8.4, AI score 6, EPSS 0.00158, Exploits 0, References 1
Vulnrichment, added 2026/05/29 7:58 p.m.

CVE-2026-46384 iskorotkov/avro: Integer Overflow in Avro Decoder

iskorotkov/avro is a fast Go Avro codec. Prior to 2.33.0, several Avro decoder paths read attacker-controlled 64-bit values from the wire format and either narrowed them to platform-sized int before bounds-checking, or summed them with overflow-prone signed-int arithmetic. On 32-bit targets...

CVSS 8.7, AI score 5.9, EPSS 0.0031, Exploits 0, References 1
CNNVD, added 2026/05/29 12:00 a.m.

Avro input validation error vulnerability

Avro is a fast Go Avro decoder developed by hamba. Versions prior to Avro 2.33.0 contain an input validation vulnerability: multiple Avro decoder paths read attacker-controlled 64-bit values and truncate them, or combine them with overflow-prone signed intege...

CVSS 8.7, AI score 5.9, EPSS 0.0031, Exploits 0, References 1
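Both Avro entries above describe the same two arithmetic mistakes: narrowing a wire-supplied 64-bit length to the platform int before comparing it with the buffer, and adding a position and a length in a signed platform int that can wrap. The following is an added example, not code from iskorotkov/avro or hamba/avro; it uses int32 to stand in for the platform int of a 32-bit target, a zig-zag varint reader written for the example, and a constructed wire fragment. The narrowed path accepts a length of 2^32+5 as if it were 5; the checked path compares in int64 first.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)

// maxPlatformInt stands in for the int range of the 32-bit targets the
// advisory names; on such a target int(n) silently discards the high word.
const maxPlatformInt = math.MaxInt32

// readLong decodes one Avro zig-zag varint "long" (standard Avro encoding,
// written here for the example) and reports the bytes consumed.
func readLong(buf []byte) (int64, int, error) {
	u, n := binary.Uvarint(buf)
	if n <= 0 {
		return 0, 0, errors.New("malformed varint")
	}
	return int64(u>>1) ^ -int64(u&1), n, nil
}

// encodeLong is the inverse, used only to build constructed test input.
func encodeLong(v int64) []byte {
	u := uint64((v << 1) ^ (v >> 63))
	buf := make([]byte, binary.MaxVarintLen64)
	return buf[:binary.PutUvarint(buf, u)]
}

// lengthNarrowedThenChecked is the flawed order: narrow to the platform int,
// then bounds-check. 2^32+5 becomes 5 and passes; 2^31 becomes negative and
// also passes the "greater than remaining" test.
func lengthNarrowedThenChecked(wire []byte) (int32, error) {
	n, consumed, err := readLong(wire)
	if err != nil {
		return 0, err
	}
	l := int32(n) // narrowing happens before any comparison
	remaining := int32(len(wire) - consumed)
	if l > remaining {
		return 0, errors.New("length exceeds buffer")
	}
	return l, nil
}

// lengthCheckedThenNarrowed compares the full 64-bit value against the buffer
// and against the platform int range, and converts only after both pass.
func lengthCheckedThenNarrowed(wire []byte) (int32, error) {
	n, consumed, err := readLong(wire)
	if err != nil {
		return 0, err
	}
	remaining := int64(len(wire) - consumed)
	if n < 0 || n > remaining || n > maxPlatformInt {
		return 0, fmt.Errorf("length %d out of range (remaining %d)", n, remaining)
	}
	return int32(n), nil
}

// endOffsetSummed mirrors the overflow-prone pos+length in a signed platform
// int: the sum wraps negative and the "fits in buffer" comparison passes.
func endOffsetSummed(pos, length, bufLen int32) (int32, bool) {
	end := pos + length
	return end, end <= bufLen
}

// endOffsetSafe rewrites the comparison as length <= bufLen-pos, which cannot
// wrap once pos and length are known to be non-negative and pos <= bufLen.
func endOffsetSafe(pos, length, bufLen int32) (int32, bool) {
	if pos < 0 || length < 0 || pos > bufLen || length > bufLen-pos {
		return 0, false
	}
	return pos + length, true
}

func main() {
	// Constructed wire fragment: a bytes length of 2^32+5 followed by five bytes.
	wire := append(encodeLong(1<<32+5), []byte("hello")...)
	fmt.Println(lengthNarrowedThenChecked(wire)) // 5 <nil>: a malformed length accepted as well-formed
	fmt.Println(lengthCheckedThenNarrowed(wire)) // 0 length 4294967301 out of range (remaining 5)
	fmt.Println(endOffsetSummed(100, math.MaxInt32-50, 1024)) // -2147483599 true
	fmt.Println(endOffsetSafe(100, math.MaxInt32-50, 1024))   // 0 false
}
```

On a 64-bit build the narrowing bug is invisible because int is 64 bits wide, which is why the advisory scopes the impact to 32-bit targets; a unit test that uses an explicit int32 as above catches it on every platform.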
OSSF Malicious Packages, added 2026/05/24 5:19 p.m.

Malicious code in class-weaver (npm)

Source: amazon-inspector b4e45cdd0a93db2db56ae7fd2c348305a5ce7aeab9c6fb4b2331c2a547b2c5e7. class-weaver advertises itself as a className/theme utility (keywords: clsx, utils, styling) and has named exports classNames and twMerge, mimicking...

AI score 5.9, Exploits 0, References 1
NVD, added 2026/05/10 5:16 a.m.

CVE-2025-14179

In PHP versions 8.2.x before 8.2.31, 8.3.x before 8.3.31, 8.4.x before 8.4.21, and 8.5.x before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat, which stops at...

CVSS 9.8, EPSS 0.00261, Exploits 0, References 4
RedhatCVE, added 2026/05/08 11:07 a.m.

CVE-2026-37540

A flaw was found in OpenAMP. An integer overflow vulnerability exists in the ELF loader's firmware image parsing, specifically within elfloader.c. This flaw occurs when multiplying two attacker-controlled 16-bit values from the ELF header without proper overflow checking. On 32-bit embedded...

CVSS 9.8, AI score 6, EPSS 0.00253, Exploits 0, References 2
ATTACKERKB, added 2026/05/01 12:00 a.m.

CVE-2026-37540

OpenAMP v2025.10.0 ELF loader contains an integer overflow vulnerability in firmware image parsing. In elfloader.c, it multiplies two attacker-controlled 16-bit values from the ELF header without overflow checking. On 32-bit embedded systems (STM32MP1, Zynq, i.MX), large values can...

CVSS 8.4, AI score 5.9, EPSS 0.00253, Exploits 0, References 4
CNNVD, added 2026/05/01 12:00 a.m.

open-amp input validation error vulnerability

open-amp is the OpenAMP open-source framework supporting communication and lifecycle management between heterogeneous multi-core processors. An input validation vulnerability exists in open-amp v2025.10.0, stemming from an integer overflow in the ELF loader during firmware imag...

CVSS 9.8, AI score 6.2, EPSS 0.00253, Exploits 0, References 1
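The three CVE-2026-37540 entries describe the same pattern: e_phentsize and e_phnum, both 16-bit and both attacker-controlled, are multiplied and combined with e_phoff in a 32-bit word, and the wrapped result passes a size check. Below is an added example, not OpenAMP's elfloader.c: it reads the three fields from a constructed ELF32 header at the offsets the ELF specification fixes, computes the table end once in a uint32 (standing in for size_t on the 32-bit targets named) and once in uint64 with explicit checks, and shows which image each accepts.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// ELF32 header layout (offsets from the ELF specification).
const (
	elf32EhdrSize     = 52
	elf32PhdrSize     = 32 // sizeof(Elf32_Phdr)
	elf32PhoffOff     = 28 // e_phoff, 4 bytes
	elf32PhentsizeOff = 42 // e_phentsize, 2 bytes
	elf32PhnumOff     = 44 // e_phnum, 2 bytes
)

// phdrTableEndUnchecked computes where the program header table ends the way
// an unchecked loader does: the two 16-bit fields are multiplied and added to
// e_phoff in a 32-bit word, so the sum can wrap to a small value that then
// passes the "fits inside the image" comparison.
func phdrTableEndUnchecked(img []byte) (uint32, bool) {
	if len(img) < elf32EhdrSize {
		return 0, false
	}
	phoff := binary.LittleEndian.Uint32(img[elf32PhoffOff:])
	entsize := binary.LittleEndian.Uint16(img[elf32PhentsizeOff:])
	phnum := binary.LittleEndian.Uint16(img[elf32PhnumOff:])
	end := phoff + uint32(entsize)*uint32(phnum) // wraps modulo 2^32
	return end, end <= uint32(len(img))
}

// phdrTableEndChecked does the same arithmetic in uint64, where a 32-bit offset
// plus the product of two 16-bit factors cannot overflow, and also rejects an
// e_phentsize smaller than a real program header entry.
func phdrTableEndChecked(img []byte) (uint32, error) {
	if len(img) < elf32EhdrSize {
		return 0, errors.New("image shorter than an ELF32 header")
	}
	phoff := uint64(binary.LittleEndian.Uint32(img[elf32PhoffOff:]))
	entsize := uint64(binary.LittleEndian.Uint16(img[elf32PhentsizeOff:]))
	phnum := uint64(binary.LittleEndian.Uint16(img[elf32PhnumOff:]))
	if phnum > 0 && entsize < elf32PhdrSize {
		return 0, fmt.Errorf("e_phentsize %d smaller than Elf32_Phdr", entsize)
	}
	end := phoff + entsize*phnum // below 2^33, exact in uint64
	if end > uint64(len(img)) {
		return 0, fmt.Errorf("program header table [%d, %d) exceeds %d-byte image", phoff, end, len(img))
	}
	return uint32(end), nil
}

// buildImage constructs a zero-filled image with the ELF32 magic and the three
// fields under test (constructed input, not a real firmware).
func buildImage(size int, phoff uint32, entsize, phnum uint16) []byte {
	img := make([]byte, size)
	copy(img, []byte{0x7f, 'E', 'L', 'F', 1, 1, 1}) // ELFCLASS32, little-endian, EV_CURRENT
	binary.LittleEndian.PutUint32(img[elf32PhoffOff:], phoff)
	binary.LittleEndian.PutUint16(img[elf32PhentsizeOff:], entsize)
	binary.LittleEndian.PutUint16(img[elf32PhnumOff:], phnum)
	return img
}

func main() {
	benign := buildImage(4096, elf32EhdrSize, elf32PhdrSize, 2)
	fmt.Println(phdrTableEndUnchecked(benign)) // 116 true
	fmt.Println(phdrTableEndChecked(benign))   // 116 <nil>

	// e_phoff near 2^32 plus a 0x2000-byte table: 0xFFFFF000 + 0x2000 wraps to 0x1000.
	crafted := buildImage(4096, 0xFFFFF000, 0x100, 0x20)
	fmt.Println(phdrTableEndUnchecked(crafted)) // 4096 true: the loader would read far past the image
	fmt.Println(phdrTableEndChecked(crafted))   // 0 program header table [4294963200, 4294971392) exceeds 4096-byte image
}
```

A loader running on a 64-bit host would not trip the unchecked variant with these values, which is why the advisories limit the impact to 32-bit targets; forcing the arithmetic into fixed-width types in a test, as above, makes the bug reproducible on the build machine.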
Snyk, added 2026/04/16 11:38 p.m.

Improper Authorization

Overview: affected versions of this package are vulnerable to Improper Authorization in the handler for creating or updating Traffic Influence Subscriptions, due to improper validation of the influenceId path segment. An attacker can create or overwrite arbitrary Traffic Influence Subscriptions,...

CVSS 8.7, AI score 5.7, EPSS 0.00427, Exploits 1, References 2
OSV, added 2025/10/31 4:41 p.m.

PSF-2025-13

If the value passed to os.path.expandvars is user-controlled, a performance degradation is possible when expanding environment variables...

CVSS 5.5, AI score 6.9, EPSS 0.00136, Exploits 0, References 9
EUVD, added 2025/10/07 12:30 a.m.

EUVD-2018-0755

Malware in sbrugna...

CVSS 6.1, AI score 6.2, EPSS 0.01063, Exploits 1, References 6
EUVD, added 2025/10/07 12:30 a.m.

EUVD-2018-2976

Malware in sbrugna...

CVSS 7.5, AI score 6.4, EPSS 0.00863, Exploits 1, References 3
EUVD, added 2025/10/03 8:07 p.m.

EUVD-2021-33538

Malicious code in bioql PyPI...

CVSS 5.4, AI score 5.7, EPSS 0.00759, Exploits 1, References 4
EUVD, added 2025/10/03 8:07 p.m.

EUVD-2024-1655

Malicious code in bioql PyPI...

CVSS 5.4, AI score 5.6, EPSS 0.00502, Exploits 0, References 7
NVD, added 2024/09/10 10:15 p.m.

CVE-2024-45597

Pluto is a superset of Lua 5.4 with a focus on general-purpose programming. Scripts passing user-controlled values to http.request header values are affected. An attacker could use this to send arbitrary requests, potentially leveraging authentication tokens provided in the same headers table...

CVSS 5.3, EPSS 0.00309, Exploits 0, References 2
OSV, added 2024/09/10 9:42 p.m.

CVE-2024-45597 Pluto's http.request allows CR and LF in header values

Pluto is a superset of Lua 5.4 with a focus on general-purpose programming. Scripts passing user-controlled values to http.request header values are affected. An attacker could use this to send arbitrary requests, potentially leveraging authentication tokens provided in the same headers table...

CVSS 5.3, AI score 7.1, EPSS 0.00309, Exploits 0, References 4
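The two CVE-2024-45597 entries point at header-value CRLF injection: a value carrying "\r\n" ends its own header line and begins another, and because the script's other headers (including an Authorization token) go out in the same request, the injected line travels with the real credential. The example below is added here and is not Pluto's http.request; it builds the request bytes with and without the CR/LF/NUL check, then reads them back with net/http's own parser to show what a server would see. Header names and values are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"strings"
)

// header is a name/value pair in the order the script supplied it.
type header struct{ Name, Value string }

// serializeNaive builds the request bytes the way a client without CR/LF
// filtering would: each value is copied verbatim up to the line terminator.
func serializeNaive(method, path string, headers []header) string {
	var b strings.Builder
	fmt.Fprintf(&b, "%s %s HTTP/1.1\r\n", method, path)
	for _, h := range headers {
		fmt.Fprintf(&b, "%s: %s\r\n", h.Name, h.Value)
	}
	b.WriteString("\r\n")
	return b.String()
}

// validHeaderValue rejects CR, LF and NUL: without them a value cannot end its
// own line, start another header, or terminate the header block early.
func validHeaderValue(v string) bool {
	return !strings.ContainsAny(v, "\r\n\x00")
}

// serializeChecked refuses to build the request if any value could inject a line.
func serializeChecked(method, path string, headers []header) (string, error) {
	for _, h := range headers {
		if !validHeaderValue(h.Value) {
			return "", fmt.Errorf("header %q: value contains CR, LF or NUL", h.Name)
		}
	}
	return serializeNaive(method, path, headers), nil
}

// parseHeaders reads the bytes back the way a server would and returns the
// header block it sees; an injected line surfaces as an extra header.
func parseHeaders(raw string) (http.Header, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return nil, err
	}
	return req.Header, nil
}

func main() {
	// Constructed script headers: the token is the script's own; the User-Agent
	// is user-controlled and carries a CRLF followed by a header the script never set.
	headers := []header{
		{"Host", "api.example.test"},
		{"Authorization", "Bearer s3cr3t-token"},
		{"User-Agent", "bot/1.0\r\nX-Forwarded-For: 127.0.0.1"},
	}
	raw := serializeNaive("GET", "/account", headers)
	fmt.Printf("%q\n", raw)
	h, err := parseHeaders(raw)
	fmt.Println(h.Get("X-Forwarded-For"), err) // 127.0.0.1 <nil>: injected header sent alongside the real token
	_, err = serializeChecked("GET", "/account", headers)
	fmt.Println(err) // header "User-Agent": value contains CR, LF or NUL
}
```

Rejecting the request is the right response; stripping the control bytes silently would let the script keep running with a value it did not intend to send.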
Vulnrichment, added 2024/05/14 2:13 p.m.

CVE-2024-34357 TYPO3 vulnerable to Cross-Site Scripting in ShowImageController

TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, failing to properly encode user-controlled values in file entities, the ShowImageController (eID tx_cms_showpic) is vulnerable to cross-si...

CVSS 5.4, AI score 6.3, EPSS 0.00502, Exploits 0, References 5
CVE, added 2024/05/14 2:13 p.m.

CVE-2024-34357

TYPO3 shows a cross-site scripting vulnerability in the ShowImageController (eID tx_cms_showpic) caused by improper encoding of user-controlled values in file entities. The issue affects versions 9.0.0 up to but not including fixed releases: 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, a...

CVSS 5.4, AI score 5.1, EPSS 0.00502, Exploits 0, References 5, Affected Software 1
OSV, added 2024/05/14 2:13 p.m.

CVE-2024-34357 TYPO3 vulnerable to Cross-Site Scripting in ShowImageController

TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, failing to properly encode user-controlled values in file entities, the ShowImageController (eID tx_cms_showpic) is vulnerable to cross-si...

CVSS 5.4, AI score 5.1, EPSS 0.00502, Exploits 0, References 7