Lucene search
+L

1025 matches found

ossf
ossf
added 4 days ago10 views

Malicious code in fast-dotenv (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector da3250a4b69ccce49128d2e75ffb9e577746de4fb3afe0e0d242fbe5d094d02d The package presents itself as a.env loader but on load/config spawns a background thread that, after a 72–96 hour activation delay jittered by...

6.2AI score
Exploits0References6
ossf
ossf
added 4 days ago7 views

Malicious code in jupiter-sdk (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f8e0901ca45da110106c60f288b0166fc51c348a44569d7e7ff22af3d19deafe On import jupitersdk, the package's top-level init.py fetches a payload over HTTPS from a public IPFS gateway...

6.6AI score
Exploits0References3
ossf
ossf
added 4 days ago6 views

Malicious code in eth-agent (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3131490d64c4ae90de2926ca90f6fce23e6a113d1e6538db5ce98ffcf06983d1 The top-level ethagent/init.py performs an outbound HTTP fetch to a hardcoded IPFS gateway URL...

6.3AI score
Exploits0References3
ossf
ossf
added 4 days ago6 views

Malicious code in metemask-sdk (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a99855c93b46f7b996a005065c319bbb24c9d1f497d05dfd38fc83d1b21facdd metemask-sdk is a typosquat of the legitimate metamask-sdk package. On import, the top-level init.py performs an outbound HTTP fetch to...

6.3AI score
Exploits0References3
osv
osv
added 6 days ago63 views

ROOT-APP-PYPI-CVE-2026-28684 CVE-2026-28684 in rootio-python-dotenv - Patched by Root

Root has patched CVE-2026-28684 in the rootio-python-dotenv package for Root:PyPI. Multiple fixed versions available...

6.6CVSS5.2AI score0.00236EPSS
Exploits1
nvd
nvd
added 2026/07/08 5:17 p.m.11 views

CVE-2026-59261

OpenClaw before 2026.5.28 contains a credential exposure vulnerability where workspace dotenv files can override provider credentials. Attackers with lower-trust access to configured input paths can expose sensitive data and credentials that should remain within trusted boundaries...

8.4CVSS0.00192EPSS
Exploits0References2
cvelist
cvelist
added 2026/07/08 4:1 p.m.35 views

CVE-2026-59261 OpenClaw < 2026.5.28 - Credential Override via Workspace Dotenv Files

OpenClaw before 2026.5.28 contains a credential exposure vulnerability where workspace dotenv files can override provider credentials. Attackers with lower-trust access to configured input paths can expose sensitive data and credentials that should remain within trusted boundaries...

8.4CVSS0.00192EPSS
Exploits0References2
euvd
euvd
added 2026/07/08 4:1 p.m.5 views

EUVD-2026-42322

OpenClaw before 2026.5.28 contains a credential exposure vulnerability where workspace dotenv files can override provider credentials. Attackers with lower-trust access to configured input paths can expose sensitive data and credentials that should remain within trusted boundaries...

8.4CVSS6AI score0.00192EPSS
Exploits0References2
cve
cve
added 2026/07/08 4:1 p.m.13 views

CVE-2026-59261

OpenClaw vulnerable before version 2026.5.28 due to a credential exposure where workspace dotenv files can override provider credentials. The issue allows attackers with lower-trust access to configured input paths to exfiltrate sensitive data and credentials meant for trusted boundaries. There i...

8.4CVSS6AI score0.00192EPSS
Exploits0References2Affected Software1
osv
osv
added 2026/07/08 4:1 p.m.4 views

CVE-2026-59261 OpenClaw < 2026.5.28 - Credential Override via Workspace Dotenv Files

OpenClaw before 2026.5.28 contains a credential exposure vulnerability where workspace dotenv files can override provider credentials. Attackers with lower-trust access to configured input paths can expose sensitive data and credentials that should remain within trusted boundaries...

8.4CVSS6.1AI score0.00192EPSS
Exploits0References4
ptsecurity
ptsecurity
added 2026/07/08 12:0 a.m.9 views

PT-2026-56484

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.5.28 Description A credential exposure issue exists where workspace dotenv files can override provider credentials. This allows attackers with lower-trust access to configured input paths to expose sensitive dat...

8.4CVSS6.1AI score0.00192EPSS
Exploits0References8
osv
osv
added 2026/07/01 6:9 p.m.2 views

SUSE-SU-2026:2724-1 Security update for python-python-dotenv

This update for python-python-dotenv fixes the following issue: - CVE-2026-28684: follow symbolic links when rewriting .env files bsc1262423...

6.6CVSS6AI score0.00236EPSS
Exploits1References3
nvd
nvd
added 2026/06/23 6:18 p.m.10 views

CVE-2026-49983

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, environment access is gated by the env permission. You can deny it with --deny-env, or restrict it to a specific allowlist with --allow-env=FOO,BAR. The expectation is that a program running without env permission cannot...

5.2CVSS0.00098EPSS
Exploits0References1
cve
cve
added 2026/06/23 5:16 p.m.19 views

CVE-2026-49983

Summary of CVE-2026-49983 details (Deno): Deno’s process.loadEnvFile() incorrectly bypasses env permission checks. It only verifies read permission on the dotenv file and then writes all keys from the file into process.env, even if env access is denied. This means that with --allow-read and a wri...

5.2CVSS5.9AI score0.00098EPSS
Exploits0References1Affected Software1
osv
osv
added 2026/06/23 5:16 p.m.4 views

CVE-2026-49983 Deno: process.loadEnvFile() bypasses env permission checks and mutates process.env with only read access

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, environment access is gated by the env permission. You can deny it with --deny-env, or restrict it to a specific allowlist with --allow-env=FOO,BAR. The expectation is that a program running without env permission cannot...

5.2CVSS6AI score0.00098EPSS
Exploits0References3
osv
osv
added 2026/06/19 3:12 p.m.17 views

GHSA-JV2H-4P9V-WF5W ouroboros-ai: Incomplete fix of CVE-2026-47211: untrusted project .env can still reach RCE via omitted execution-routing keys

Impact The CVE-2026-47211 fix 0.39.0 added UNTRUSTEDENVDENYLIST to stop an untrusted project-directory .env from redirecting execution. The denylist was incomplete — several execution-routing keys of the same RCE class were omitted, so a malicious cloned repo can still reach arbitrary command...

8.6CVSS6.1AI score
Exploits0References2
github
github
added 2026/06/16 7:4 p.m.12 views

Deno: process.loadEnvFile() bypasses env permission checks and mutates process.env with only read access

Summary In Deno, environment access is gated by the env permission. You can deny it with --deny-env, or restrict it to a specific allowlist with --allow-env=FOO,BAR. The expectation is that a program running without env permission cannot change process.env. process.loadEnvFile the Node-compatible...

5.2CVSS5.4AI score0.00098EPSS
Exploits0References2Affected Software1
ptsecurity
ptsecurity
added 2026/06/16 12:0 a.m.17 views

PT-2026-50155

Name of the Vulnerable Software and Affected Versions Deno versions prior to 2.8.1 Description Environment access is managed by the env permission, which can be restricted via --deny-env or an allowlist using --allow-env=FOO,BAR. The process.loadEnvFile function, a Node-compatible API for loading...

5.2CVSS5.8AI score0.00098EPSS
Exploits0References6
opensuse
opensuse
added 2026/06/15 12:0 a.m.5 views

Security update for python-python-dotenv (moderate)

openSUSE security update: security update for python-python-dotenv ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:20952-1 Rating: moderate References: bsc1262423 Cross-References: CVE-2026-28684 CVSS scores: CVE-2026-28684 SUSE : 6.6...

6.6CVSS6.7AI score0.00236EPSS
Exploits1References1
snyk
snyk
added 2026/06/12 3:0 p.m.14 views

Malicious Package

Overview web-dotenv is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.4AI score
Exploits0References2
Rows per page
Query Builder