Malicious code in pewter-constantstest (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 050b19d8dad7c8c1a626c953493c23b375e434128f38950625f82b0fb244eabe On npm install, the preinstall script callback.js collects the installer's hostname, OS username, current working directory, npm registry...

Malicious code in pewter-constants (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3c9f898fe8ed95b1d549bfff91d7c0dda0f75ada1c32a58af144940cf28b23c5 On npm install, a preinstall hook in callback.js collects os.hostname, os.userInfo.username, process.cwd, the configured npm registry...

Malicious code in dds-js-idl-types (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 68e8941c301603919022f1d67d311d576d5d5efcac7ed7cb0d3526cb71e829d6 On npm install, the package's postinstall.js runs whoami and reads os.hostname, os.platform, the current working directory, and CI-related environmen...

Malicious code in orca-website (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c52f7fe46d56cb45880942f5266494a2654d9d330914a6c3c99f02045eacd1dc On require/import, index.js collects host identifiers os.hostname, os.userInfo.username, os.platform, os.arch, process.cwd, process.pid, timestamp an...

rtmutex: Use waiter::task instead of current in remove_waiter()

...

CVE-2026-8327 Concrete CMS below 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass.

Concrete CMS below 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass. The user-profile edit controller passes the entire raw POST array to UserInfo::update without field whitelisting resulting in password change without requiring the current...

CVE-2026-43499

In the Linux kernel, the following vulnerability has been resolved: rtmutex: Use waiter::task instead of current in removewaiter removewaiter is used by the slowlock paths, but it is also used for proxy-lock rollback in rtmutexstartproxylock when invoked from futexrequeue. In the latter case...

[slackware-security] bind

New bind packages are available for Slackware 15.0 and -current to fix security issues. Here are the details from the Slackware 15.0 ChangeLog: patches/packages/bind-9.18.49-i586-1slack15.0.txz: Upgraded. This update fixes security issues: Fix outgoing zone transfers' quota issue. Limit resolver...

Concrete CMS 安全漏洞

Concrete CMS is an open-source content management system developed by Concrete CMS. Versions prior to Concrete CMS 9.5.0 contained security vulnerabilities. These vulnerabilities stemmed from the User Profile Editing controller, which passed the entire original POST array to UserInfo::update...

MAL-2026-4569 Malicious code in gator-client (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1925735d02fb91f74a11718c3402ad0b10f551eecb8c6d88f02d475b3e0a799f On npm install via scripts.install: node index.js and on every require'gator-client', lib/core.js collects os.userInfo.username, os.hostname, and the...

Malicious code in rendezvous-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5b4a03eaa6b09e5b9e291dd450f58e49a639c3efd8fa952f5ac48f9aea04aba4 On npm install scripts.install runs node index.js and on require'rendezvous-js', lib/core.js collects os.userInfo.username, os.hostname, and the...

MAL-2026-4495 Malicious code in banana-stand (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ab14273a518e66f357d229806e82cb2f4ce211cae4bc5de0f2d15eeab67fb720 On npm install, the package's install lifecycle hook runs node index.js, which loads lib/core.js. That module reads os.userInfo.username, os.hostname...

Astra Linux - уязвимость в exim4

Exim 4 before 4.94.2 allows out-of-bounds write-ups, because the main function, while having setuid root, copies the current working directory pathname into a buffer that is too small on some common platforms...

Astra Linux - уязвимость в sqlite

The osunix.c file in SQLite before version 3.13.0 improperly implements the temporary directory search algorithm. This may allow local users to obtain sensitive information, cause a denial of service application crash, or have unspecified other impacts by leveraging the current working directory...

Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerability has been resolved: schedext: The deadlock caused by SCXKICKWAIT was fixed by deferring the wait until the target CPU’s kickSYNC progresses. The busy-waiting state in kickcpusirqworkfn uses smpCondLoadAcquire until the target CPU’s kickSYNC advances...

Astra Linux - уязвимость в linux-6.1

In the Linux kernel, the following vulnerability has been resolved: btrfs: Do not log conflicting inodes if it’s a directory that was moved during the current transaction. We cannot log an conflicting inode if it’s a directory that was moved from one parent directory to another parent directory...

CVE-2026-9010

The Boost plugin for WordPress is vulnerable to time-based SQL Injection via the 'currenturl' and 'username' parameters in versions up to, and including, 2.0.3 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL queries. This makes i...

CVE-2026-9010

The CVE concerns the Boost plugin for WordPress, affected through time-based SQL Injection in the plugin’s handling of the current_url and user_name parameters. Vulnerable in versions up to and including 2.0.3 due to insufficient escaping of user-supplied inputs and inadequate preparation of exis...

WordPress plugin Boost SQL注入漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

[slackware-security] mozilla-firefox

New mozilla-firefox packages are available for Slackware 15.0 and -current to fix security issues. Here are the details from the Slackware 15.0 ChangeLog: patches/packages/mozilla-firefox-140.11.0esr-i686-1slack15.0.txz: Upgraded. This update contains security fixes and improvements. For more...