CVE-2026-11834 Unauthenticated Command Injection via DHCP Option Handling in Multiple TP-Link Routers

A command injection vulnerability has been identified in the DHCP option processing logic in multiple TP-Link router models, due to insufficient validation of externally supplied DHCP option data. An adjacent attacker may exploit this vulnerability by supplying crafted DHCP responses, potentially...

TOTOLINK EX1200T 4.1.2cu.5215 - Authentication Bypass

TOTOLINK EX1200T 4.1.2cu.5215 is susceptible to authentication bypass. An attacker can bypass login by sending a specific request through formLoginAuth.htm, thus potentially being able to obtain sensitive information, modify data, and/or execute unauthorized operations. id: CVE-2021-42887 info:...

Malicious code in @mastra/ai-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware b23e19b24d58761bd64000978f4e6b11335a7ebd4fe1f7bfabb33ce050255a8f Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-5854 Malicious code in tailwind-typography-style (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5b5b1eea6bfed81a0e57b9af519c45155347e3937a20dc8ef4e9ab1cae6ff73d The package impersonates @tailwindcss/typography by name and ships a verbatim copy of tailwindlabs/tailwindcss-typography's src/ tree index.js,...

MAL-2026-5774 Malicious code in um4r719-baileys (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 53f1c2a49e2308c20e21386b89c058c6acba9105dc484912cb141d7e8a1881b5 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in @coterie-baby/common (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware fb0f46407e3ad7d060630b7aec9ce77a68f41c3a9fd3678941d6d43ca78b68a6 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-5658 Malicious code in @marketplace-shared/components (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 98933a5f467c2a623815ed46e5baf6838ba6e86e8055b48d4941da3bf59e5c41 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in polymarket-clob-api (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware a40eb434e89ad381733b42cb87bd88d0da0913520a210fd4f6da175e1a115f9f Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

CVE-2026-8913

A command Injection vulnerability exists in the WireGuard client configuration of Archer MR600 v5 due to improper neutralization of user-controlled input within the web management interface. An authenticated attacker with administrative privileges may be able to execute arbitrary commands when...

EUVD-2026-35455

A vulnerability in the affected NETGEAR gaming routers allows attackers with the ability to intercept and tamper traffic between the router and the Internet, to execute code on the device...

MAL-2026-5405 Malicious code in comos-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware ee12368f5942eae69ed49370445277dace5431f4ded5556b51dcd1ef34bd4b4a Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

CVE-2026-8913

A command Injection vulnerability exists in the WireGuard client configuration of Archer MR600 v5 due to improper neutralization of user-controlled input within the web management interface. An authenticated attacker with administrative privileges may be able to execute arbitrary commands when...

EUVD-2026-35176

A command Injection vulnerability exists in the WireGuard client configuration of Archer MR600 v5 due to improper neutralization of user-controlled input within the web management interface. An authenticated attacker with administrative privileges may be able to execute arbitrary commands when...

PT-2026-47442

A command Injection vulnerability exists in the WireGuard client configuration of Archer MR600 v5 due to improper neutralization of user-controlled input within the web management interface. An authenticated attacker with administrative privileges may be able to execute arbitrary commands when...

CVE-2026-5777

This vulnerability exists in the Atom 3x Projector due to improper exposure of the Android Debug Bridge ADB service over the local network without authentication or access controls. An unauthenticated attacker on the same network can exploit this vulnerability to obtain root-level access, leading...

CVE-2026-6947

DWM-222W USB Wi-Fi Adapter developed by D-Link has a Brute-Force Protection Bypass vulnerability, allowing unauthenticated adjacent network attackers to bypass login attempt limits to perform brute-force attacks to gain control over the device...

MAL-2026-5077 Malicious code in puppeteer (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware abb5e0ca28fe73f218eea4bcbf584520cc1618dbc617326c9036f4de5b9a85c9 Withdrawn Advisory This advisory has been withdrawn because the malicious package detection was a false positive. This link is maintained to preserve...

MAL-2026-5085 Malicious code in web3-config-loader (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware dc426e6e28603268949be1817881f2269e7b0464c0fd513690f2f77b6637a719 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

CVE-2026-9037

A firmware update mechanism in the affected charging controller fails to validate the authenticity of firmware packages delivered through the device's management interface. Because cryptographic signatures are not verified, an attacker with the ability to interfere with or impersonate the...

Malicious code in @service-user-notifications/reset_notifications_not_removable (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 4d12701905c6e59f7189850ce7624f64dfcf3201ff6505294ff2030f1f9e147a Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...