302015 matches found
CVE-2026-24180
NVIDIA DALI contains a vulnerability in a component where an attacker could cause a heap-based buffer overflow. A successful exploit of this vulnerability might lead to code execution, data tampering, denial of service, and information disclosure...
CVE-2026-53742
CVE-2026-53742 affects the WordPress plugin Simple Link Directory up to version 9.0.4. The issue is a Stored XSS via embed shortcode attributes: the embedder template echoes shortcode attributes into HTML data attributes without escaping. Attackers with contributor access can craft a shortcode at...
CVE-2026-53742 Simple Link Directory through 9.0.4 Stored XSS via Embed Shortcode Attributes
Simple Link Directory through 9.0.4 echoes embed shortcode attributes into HTML data attributes without escaping in the embedder template. Attackers with contributor access can craft a shortcode attribute that injects an event handler executing in a viewer's browser...
CVE-2026-53737 Juicer through 1.12.18 Stored Cross-Site Scripting via Unescaped API Response
Juicer through 1.12.18 fails to escape remote feed API response fields before rendering them on the admin settings page. Attackers controlling the connected feed data can inject script that executes in an administrator's browser when the settings page loads...
CVE-2026-53737 Juicer through 1.12.18 Stored Cross-Site Scripting via Unescaped API Response
Juicer through 1.12.18 fails to escape remote feed API response fields before rendering them on the admin settings page. Attackers controlling the connected feed data can inject script that executes in an administrator's browser when the settings page loads...
CVE-2026-48107 Russh: Unchecked keyboard-interactive prompt count in client auth path
Russh is a Rust SSH client & server library. From version 0.37.0 to before version 0.61.0, in the russh client keyboard-interactive authentication path, a malicious SSH server could send a USERAUTHINFOREQUEST with an attacker-controlled prompt count, and the client would use that raw count direct...
CVE-2026-42462 Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3, an attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify interprets it without changing its...
CVE-2026-42462 Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3, an attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify interprets it without changing its...
CVE-2026-42462
CVE-2026-42462 describes an LD-Signature bypass in Fedify caused by JSON-LD named-graph restructuring. The issue allows an attacker to reorganize a signed JSON-LD payload (via features like @graph, @reverse, @included) in a way that changes how the signed ActivityPub activity is interpreted witho...
EUVD-2026-36127
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3, an attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify interprets it without changing its...
MAL-2026-5531 Malicious code in telegramlite (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 be464abbf0e3f375f4865ac2802a6b6d96e7af1ce30984d84f464470cdef17dd Package exfiltrates data from the Telegram application to a remote location, effectively collecting Telegram sessions. --- Category: MALICIOUS - The campaign h...
Malicious code in telegramlite (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 be464abbf0e3f375f4865ac2802a6b6d96e7af1ce30984d84f464470cdef17dd Package exfiltrates data from the Telegram application to a remote location, effectively collecting Telegram sessions. --- Category: MALICIOUS - The campaign h...
Malicious code in websocket-slot (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c15c40b8371646f167ffa7d5a2ba2c8d0fd454ef7054eeb41807a1a3eda8e7a6 On npm install, this package runs node test.js via scripts.postinstall, which executes the logic in index.js. The postinstall behavior performs three...
Exploit for CVE-2026-9067
POC & Xploit - Proof of Concept Directory Dokumentasi dan exp...
Malicious code in @access-risk/browser-remedy-react (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0de4bc9f19feea718e091e9b0a480e9b939cdffa88109375020895c99efa489c On npm install, postinstall.js executes automatically and collects host identity and environment details using os.hostname, process.cwd, and filesyst...
MAL-2026-5520 Malicious code in @access-risk/browser-remedy-react (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0de4bc9f19feea718e091e9b0a480e9b939cdffa88109375020895c99efa489c On npm install, postinstall.js executes automatically and collects host identity and environment details using os.hostname, process.cwd, and filesyst...
Malicious code in @helpcentre/tesco-help (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector eb75510e87a08a5152331461c2b2b955ad21d418c8d2055f5f66ec15e22cf042 On npm install, the postinstall hook runs node index.js, which performs an HTTPS POST to https://f1ackavab3.execute-api.eu-west-2.amazonaws.com/...
Insufficient Verification of Data Authenticity
Overview Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in . If SharedIteratorCache and ListObjectsIteratorCache are enabled, a user can influence authorization decisions by sending malicious requests that trigger cache key collisions, causing t...
CVE-2026-20257
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a classic dashboard that exfiltrate...
CVE-2026-20255
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious classic dashboard that...