
27 matches found

Vulnrichment
added 2026/03/27 6:31 p.m. | 3 views

CVE-2026-34387 Fleet vulnerable to OS command injection via crafted software package metadata in uninstall scripts

Fleet is open source device management software. Prior to 4.81.1, a command injection vulnerability in Fleet's software installer pipeline allows an attacker to achieve arbitrary code execution as root (macOS/Linux) or SYSTEM (Windows) on managed hosts when an uninstall is triggered for a crafted...

CVSS 8.4 | AI score 6.4 | EPSS 0.01282
Exploits 0 | References 1
RedhatCVE
added 2026/03/07 1:44 a.m. | 2 views

CVE-2026-28457

OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in sandbox skill mirroring (must be enabled) that uses the skill frontmatter name parameter unsanitized when copying skills into the sandbox workspace. Attackers who provide a crafted skill package with traversal sequences...

CVSS 7.9 | AI score 5.8 | EPSS 0.00134
Exploits 0 | References 1
EUVD
added 2025/10/03 8:7 p.m. | 3 views

EUVD-2022-7409

Malicious code in bioql PyPI...

CVSS 9.6 | AI score 8.3 | EPSS 0.00732
Exploits 0 | References 5
BDU FSTEC
added 2025/01/20 12:0 a.m. | 7 views

The vulnerability of Fortinet’s software products arises from incorrect restrictions on path names in restricted access catalogs, allowing attackers to escalate their privileges.

The vulnerability of Fortinet’s software products is related to incorrect restrictions on path names in the restricted access catalog. Exploiting this vulnerability can allow attackers to enhance their privileges through specially created packages...

CVSS 7.8 | AI score 5.5 | EPSS 0.14944
Exploits 0 | References 2 | Affected Software 7
BDU FSTEC
added 2025/01/20 12:0 a.m. | 5 views

The vulnerability of Fortinet’s software products arises from incorrect restrictions on path names in restricted access catalogs, allowing attackers to escalate their privileges.

The vulnerability of Fortinet’s software products is related to incorrect restrictions on path names in the restricted access catalog. Exploiting this vulnerability can allow attackers to enhance their privileges through specially created packages...

CVSS 5.3 | AI score 5.5 | EPSS 0.00769
Exploits 0 | References 2 | Affected Software 7
BDU FSTEC
added 2024/07/23 12:0 a.m. | 4 views

The vulnerability of the Ivanti Endpoint Manager Mobile (EPMM) application for managing the lifecycle of mobile devices and mobile applications (formerly known as MobileIron Core) stems from deficiencies in access control. This allows a malicious actor to bypass existing security restrictions and execute arbitrary commands.

The vulnerability of the Ivanti Endpoint Manager Mobile (EPMM) application for managing the lifecycle of mobile devices and mobile applications (formerly known as MobileIron Core) is related to deficiencies in access control. Exploiting this vulnerability could allow an attacker to bypass existing...

CVSS 6.8 | AI score 7.4 | EPSS 0.01096
Exploits 1 | References 3 | Affected Software 1
BDU FSTEC
added 2024/03/15 12:0 a.m. | 4 views

The vulnerabilities of the modules of the central processor in microprogrammed logic controllers of the MELSEC-Q Series and MELSEC-L Series allow a hacker to execute arbitrary code.

The vulnerability of the modules of the central processor in microprogrammed logic controllers of the MELSEC-Q Series and MELSEC-L Series is related to errors during the scaling of indicators. Exploiting this vulnerability allows a malicious actor to execute arbitrary code by sending a specially...

CVSS 10 | AI score 6 | EPSS 0.01066
Exploits 0 | References 4
Tenable Nessus
added 2024/02/08 12:0 a.m. | 22 views

CentOS 8 : python-setuptools (CESA-2023:0835)

The remote CentOS Linux 8 host has packages installed that are affected by a vulnerability as referenced in the CESA-2023:0835 advisory. - Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom...

CVSS 5.9 | AI score 7 | EPSS 0.02617
Exploits 1 | References 2
Cvelist
added 2024/02/07 9:4 p.m. | 27 views

CVE-2023-6356 Kernel: null pointer dereference in nvmet_tcp_build_iovec

A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver and causing kernel panic and a denial of service...

CVSS 6.5 | AI score 7.3 | EPSS 0.01448
Exploits 0 | References 10
BDU FSTEC
added 2023/11/11 12:0 a.m. | 3 views

The vulnerability of the component responsible for checking installed operating system packages “Aurora” allows a hacker to execute code with elevated privileges.

The vulnerability of the “Aurora” operating system’s installed package checking component is related to deficiencies in the control of the parameters of these installed packages. Exploiting this vulnerability allows an attacker to execute arbitrary code with elevated privileges using a specially...

CVSS 8.6 | AI score 6
Exploits 0 | References 1 | Affected Software 1
BDU FSTEC
added 2023/10/14 12:0 a.m. | 4 views

The vulnerability of the FortiOS operating system, related to the use of memory after it is freed, allows a hacker to cause a malfunction in the WAD process.

The vulnerability of the FortiOS operating system is related to the use of memory after it is freed. Exploiting this vulnerability allows a malicious actor to cause a malfunction of the WAD process using specially created packages...

CVSS 10 | AI score 5.9 | EPSS 0.0102
Exploits 0 | References 2 | Affected Software 2
OSV
added 2023/08/16 10:15 p.m. | 2 views

CVE-2023-20013

Multiple vulnerabilities in Cisco Intersight Private Virtual Appliance could allow an authenticated, remote attacker to execute arbitrary commands using root-level privileges. The attacker would need to have Administrator privileges on the affected device to exploit these vulnerabilities. These...

CVSS 9.1 | AI score 6.1 | EPSS 0.00713
Exploits 0 | References 1
OSV
added 2023/01/06 11:4 a.m. | 3 views

OESA-2023-1004 python-setuptools security update

Setuptools is a collection of enhancements to the Python distutils that allow you to more easily build and distribute Python packages, especially ones that have dependencies on other packages. This package contains a python wheel of setuptools to use with venv. Security Fixes: Python Packaging...

CVSS 5.9 | AI score 8.6 | EPSS 0.02617
Exploits 1 | References 2
Prion
added 2022/05/17 6:15 p.m. | 18 views

Design/Logic Flaw

Denial of Service (DoS) in the Z-Wave S0 NonceGet protocol specification in Silicon Labs Z-Wave 500 series allows local attackers to block S0/S2 protected Z-Wave network via crafted S0 NonceGet Z-Wave packages, utilizing included but absent NodeIDs...

CVSS 6.1 | AI score 6.3 | EPSS 0.00716
Exploits 0 | References 2
ATTACKERKB
added 2021/12/15 3:15 p.m. | 78 views

CVE-2021-43890

We have investigated reports of a spoofing vulnerability in AppX installer that affects Microsoft Windows. Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader. An attacker...

CVSS 7.1 | AI score 7.5 | EPSS 0.10295
In wild | Exploits 1 | References 6 | Affected Software 1
BDU FSTEC
added 2021/06/15 12:0 a.m. | 4 views

The vulnerability of the IBM DB2 database management system, related to uncontrolled resource consumption, allows a hacker to cause a service failure.

The vulnerability of the IBM DB2 database management system is related to an uncontrolled consumption of resources. Exploiting this vulnerability can allow a malicious actor to cause service interruptions by sending specially crafted packages...

CVSS 7.5 | AI score 7.2 | EPSS 0.02856
Exploits 0 | References 5 | Affected Software 1
CNNVD
added 2020/12/10 12:0 a.m. | 5 views

apt input validation error vulnerability

apt is a command-line package manager from the Debian Project Collaboration that provides search, management, and query package information functionality. APT suffers from an input validation error vulnerability that stems from APT incorrectly processing certain software packages. A local attacke...

CVSS 5.7 | AI score 6.2 | EPSS 0.00373
Exploits 0 | References 10
OSV
added 2020/10/16 11:15 p.m. | 3 views

CVE-2020-16952

A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint...

CVSS 8.6 | AI score 7.7 | EPSS 0.70894
Exploits 5 | References 2
OSV
added 2020/06/18 2:15 p.m. | 2 views

CVE-2020-1834

HUAWEI P30 and HUAWEI P30 Pro with versions earlier than 10.1.0.135C00E135R2P11 and versions earlier than 10.1.0.135C00E135R2P8 have an insufficient integrity check vulnerability. The system does not check certain software package's integrity sufficiently. Successful exploit could allow an attack...

CVSS 4.6 | AI score 5.8 | EPSS 0.0014
Exploits 0 | References 1
BDU FSTEC
added 2020/05/13 12:0 a.m. | 2 views

The vulnerability of Microsoft SharePoint Server, SharePoint Foundation, and SharePoint Enterprise Server lies in the lack of restrictions on file downloads, which allows attackers to execute arbitrary code.

The vulnerability of Microsoft SharePoint Server, SharePoint Foundation, and SharePoint Enterprise Server lies in the lack of restrictions on file downloads. Exploiting this vulnerability allows a malicious actor to execute arbitrary code by downloading a specially created SharePoint application...

CVSS 9 | AI score 8.1 | EPSS 0.10695
Exploits 0 | References 3