6 matches found
Malicious code in nhmpy (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 34db1950ee9bdf9c75ae9bb2436085bbb443107321d8d7056a0bf3b8fae36978 The package is published as 'nhmpy' on PyPI but its contents are a verbatim copy of NumPy 2.4.6: the same source tree, docstrings, and license files...
Malicious code in pantheon-agents (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1ee06d7aabbdf76969119c2f986e18bbc7f0dcac59ae9cae4f7a04798f2d083d The package installs pantheonagents-setup.pth into site-packages, which Python auto-executes at every interpreter startup broader than import-time,...
MAL-2026-5314 Malicious code in embiggen (PyPI)
The package embiggen version 0.11.97 contains a malicious .pth file embiggen-setup.pth that executes a Bun-based credential stealer on every Python startup via CPython's site.py exec mechanism. The payload downloads the Bun runtime from the official GitHub release page, then runs an obfuscated...
praisonai-platform: Any workspace member can delete the entire workspace via DELETE /workspaces/{id}
Summary Type: Authorization bypass enabling destructive action. The DELETE /workspaces/workspaceid endpoint is gated only by requireworkspacememberworkspaceid default minrole="member". Any member of the workspace can issue a single DELETE to wipe the entire workspace, including every project,...
PT-2026-45485
Summary Type: Authorization bypass enabling destructive action. The DELETE /workspaces/workspace id endpoint is gated only by require workspace memberworkspace id default min role="member". Any member of the workspace can issue a single DELETE to wipe the entire workspace, including every project...
Cross-site Request Forgery (CSRF)
CloudForms Management Engine is vulnerable to cross-site request forgery CSRF. A remote attacker is able to bypass the Ruby on Rails protectfromforgery mechanism by sending a GET request for a destructive action...