Malicious code in screenpipe-mcp-http (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 28109405008c1eaee3b3702337a3278723bb7e70e01929a4b76132b19c705790 [email protected] is a dependency-confusion lure that beacons installer-identifying data to an attacker-controlled domain on npm install...

MAL-2026-5400 Malicious code in multica (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d7d3e4277fb571072315c7f64c269029cd53c78b3ff27ec5536d748c659fd6a2 Package is published at version 9999.99.99 with a description referencing an npm 404 in multica-ai/multica and a main module that recursively require...

Malicious code in multica (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d7d3e4277fb571072315c7f64c269029cd53c78b3ff27ec5536d748c659fd6a2 Package is published at version 9999.99.99 with a description referencing an npm 404 in multica-ai/multica and a main module that recursively require...

Malicious code in create-docs-mcp (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fd4381fd77419441a2eefe6b22adef6c9f5adfe1b92be5d071abd5908fdf8647 Package is published at version 9999.99.99 — the canonical high-version override used in dependency-confusion attacks against private/internal packag...

Malicious code in t-invest-mcp-server (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 46c186ac158f68845fc995a94d15d44c2b65a521d2619d2850232e58f4a61419 Package is a dependency-confusion squat: package.json sets version 9999.99.99 the canonical max-version trick used to win resolution against any...

MAL-2026-5403 Malicious code in t-invest-mcp-server (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 46c186ac158f68845fc995a94d15d44c2b65a521d2619d2850232e58f4a61419 Package is a dependency-confusion squat: package.json sets version 9999.99.99 the canonical max-version trick used to win resolution against any...

CVE-2026-45446 Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes

Issue summary: The implementations of AES-SIV RFC 5297 and AES-GCM-SIV RFC 8452 mishandle the authentication of AAD Additional Authenticated Data with an empty ciphertext allowing a forgery of such messages. Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's...

CVE-2026-45446

CVE-2026-45446 concerns OpenSSL implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452). The root cause is that the expected authentication tag is computed only when the decryption function processes non-empty data; if a caller provides AAD and then invokes DecryptFinal without any ciphe...

CVE-2026-45446 Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes

Issue summary: The implementations of AES-SIV RFC 5297 and AES-GCM-SIV RFC 8452 mishandle the authentication of AAD Additional Authenticated Data with an empty ciphertext allowing a forgery of such messages. Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's...

CVE-2026-45446

Issue summary: The implementations of AES-SIV RFC 5297 and AES-GCM-SIV RFC 8452 mishandle the authentication of AAD Additional Authenticated Data with an empty ciphertext allowing a forgery of such messages. Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's...

CVE-2026-34182 CMS AuthEnvelopedData Processing May Accept Forged Messages

Issue Summary: Cryptographic Message Services CMS processing fails to perform sufficient input validation on the cipher and tag length fields of AuthEnvelopedData containers, leading to various potential compromises. Impact Summary: Attackers making use of these vulnerabilities may achieve...

CVE-2026-34182

Issue Summary: Cryptographic Message Services CMS processing fails to perform sufficient input validation on the cipher and tag length fields of AuthEnvelopedData containers, leading to various potential compromises. Impact Summary: Attackers making use of these vulnerabilities may achieve...

CVE-2026-34182

CVE-2026-34182 describes a vulnerability in CMS AuthEnvelopedData processing in OpenSSL where insufficient input validation on cipher and tag length can allow forged or manipulated messages. Attack scenarios include selecting non-AEAD ciphers (e.g., AES-256-OFB) that bypasses integrity checks and...

CVE-2026-9076 Out-of-Bounds Read in CMS Password-Based Decryption

Issue summary: When CMS password-based decryption RFC 3211 / PWRI key unwrap processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kekunwrapkey. Impact summary: A heap buffer over-read may trigger a crash which leads to Denial of...

Malicious code in kecak256 (npm)

kecak256 is a typosquat of the popular keccak256 package one c dropped that ships a credential-stealing payload executed automatically on install. The package spoofs the legitimate keccak256 project — author "Miguel Mota", matching description, README, and keywords — and includes a benign decoy...

MAL-2026-5342 Malicious code in kecak256 (npm)

kecak256 is a typosquat of the popular keccak256 package one c dropped that ships a credential-stealing payload executed automatically on install. The package spoofs the legitimate keccak256 project — author "Miguel Mota", matching description, README, and keywords — and includes a benign decoy...

Malicious code in progerss-cli (npm)

progerss-cli is a typosquat of the popular cli-progress package that ships an obfuscated payload executed automatically on install. The package borrows trust from its victim: repository.url is set to https://github.com/npkgz/cli-progress — the legitimate cli-progress project's own repository — an...

MAL-2026-5343 Malicious code in progerss-cli (npm)

progerss-cli is a typosquat of the popular cli-progress package that ships an obfuscated payload executed automatically on install. The package borrows trust from its victim: repository.url is set to https://github.com/npkgz/cli-progress — the legitimate cli-progress project's own repository — an...

CVE-2026-8045

CWE-611 Improper Restriction of XML External Entity Reference vulnerability exists that could cause information disclosure of server-side file contents when an attacker with a Data Center Expert user account submits crafted XML payloads to SOAP service endpoints...

CVE-2026-8045

CVE-2026-8045 describes a CWE-611 XML External Entity (XXE) vulnerability in a SOAP service endpoint that can disclose server-side file contents when a crafted XML payload is submitted by a Data Center Expert user. The affected behavior involves parsing user-supplied XML leading to information di...