39 matches found

OSSF Malicious Packages
added 2026/03/24 9:8 a.m., 3 views

Malicious code in @wame/ngx-adfs (npm)

Malicious package due to hex obfuscation, dynamic module loading, process access, suspicious install script, and untrustworthy project. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ee67ae68f066d11c3e0625e260c588df3d43384ae91fe74292977ea5304684d9 The package...

5.9 AI score
Exploits: 0, References: 1
OSV
added 2026/03/24 9:6 a.m., 1 view

MAL-2026-2416 Malicious code in oc-ccp-module-client (npm)

Malware due to hex obfuscation, suspicious install script, dynamic module loading, OS command access, process object access, and untrustworthy project. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b2b4b9cee1369c441aa8d759bc04085a8e2b14786df20656a8c6bc249e6260...

5.8 AI score
Exploits: 0, References: 1
Vulnrichment
added 2026/02/12 8:52 p.m., 3 views

CVE-2026-26020 AutoGPT Affected by Remote Code Execution via Dynamic Module Import in Block Loading (__import__)

AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to 0.6.48, an authenticated user could achieve Remote Code Execution (RCE) on the backend server by embedding a disabled block inside a graph. The...

9.4 CVSS, 6.3 AI score, 0.00112 EPSS
Exploits: 0, References: 3
CVE
added 2026/01/21 9:13 p.m., 13 views

CVE-2026-22807

Vulnerability CVE-2026-22807 affects vLLM versions prior to 0.14.0, where during model resolution the engine loads Hugging Face auto_map dynamic modules without gating on trust_remote_code. This allows attacker-controlled Python code in a model repo or path to execute at server startup, before an...

9.8 CVSS, 6.5 AI score, 0.00029 EPSS
Exploits: 1, References: 4, Affected Software: 1
Vulnrichment
added 2026/01/21 9:13 p.m., 2 views

CVE-2026-22807 vLLM affected by RCE via auto_map dynamic module loading during model initialization

vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.14.0, vLLM loads Hugging Face auto_map dynamic modules during model resolution without gating on trust_remote_code, allowing attacker-controlled Python code in a model repo/path ...

8.8 CVSS, 6.5 AI score, 0.00029 EPSS
Exploits: 1, References: 4
Github Security Blog
added 2026/01/21 4:12 p.m., 6 views

vLLM affected by RCE via auto_map dynamic module loading during model initialization

Summary: vLLM loads Hugging Face auto_map dynamic modules during model resolution without gating on trust_remote_code, allowing attacker-controlled Python code in a model repo/path to execute at server startup. --- Impact: An attacker who can influence the model repo/path local directory or remote...

9.8 CVSS, 5.9 AI score, 0.00029 EPSS
Exploits: 1, References: 6, Affected Software: 1
EUVD
added 2025/12/02 5:34 p.m., 3 views

EUVD-2025-200115

vLLM vulnerable to remote code execution via transformers_utils/get_config...

7.1 CVSS, 7.6 AI score, 0.00045 EPSS
Exploits: 0, References: 4
Snyk
added 2025/12/02 6:45 a.m., 2 views

Use of Incorrectly-Resolved Name or Reference

Overview: strands-agents is a model-driven approach to building AI agents in just a few lines of code. Affected versions of this package are vulnerable to Use of Incorrectly-Resolved Name or Reference via dynamic tool module registration in ToolLoader. The loadtoolsfromfilepath and loadpythontoo...

7.1 CVSS, 6.7 AI score
Exploits: 0, References: 3
Positive Technologies
added 2025/12/01 12:0 a.m., 3 views

PT-2025-48580

Name of the Vulnerable Software and Affected Versions: vLLM versions prior to 0.11.1. Description: vLLM is an inference and serving engine for large language models (LLMs). A critical issue exists in the Nemotron Nano VL Config class where remote code execution can occur. When vLLM loads a model...

8.8 CVSS, 7.7 AI score, 0.00045 EPSS
Exploits: 0, References: 11
EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2021-23358

Malware in sbrugna...

7.8 CVSS, 7.6 AI score, 0.0011 EPSS
Exploits: 0, References: 13
EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2023-25791

Malicious code in bioql PyPI...

6.2 CVSS, 5.8 AI score, 0.00047 EPSS
Exploits: 0, References: 1
OSV
added 2025/08/14 6:52 p.m., 1 view

MAL-2025-7936 Malicious code in @fm-plugin/dynamic-module-provider (npm)

The package @fm-plugin/dynamic-module-provider was found to contain malicious code...

7.2 AI score
Exploits: 0
OSSF Malicious Packages
added 2025/08/14 6:52 p.m., 0 views

Malicious code in @fm-plugin/dynamic-module-provider (npm)

The package @fm-plugin/dynamic-module-provider was found to contain malicious code...

7 AI score
Exploits: 0
Snyk
added 2025/07/07 9:55 a.m., 1 view

Regular Expression Denial of Service (ReDoS)

Overview: transformers is State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the get_imports function in dynamic_module_utils.py. An attacker can cause excessive resource consumption by...

6.9 CVSS, 6.9 AI score, 0.00096 EPSS
Exploits: 1, References: 2
CNNVD
added 2025/07/07 12:0 a.m., 1 view

Hugging Face Transformers Security Vulnerability

Hugging Face Transformers is Hugging Face's open source advanced natural language processing for Jax, PyTorch and TensorFlow. A security vulnerability exists in Hugging Face Transformers version 4.49.0, which stems from insufficient regular expression complexity in the get_imports function in...

5.3 CVSS, 5.3 AI score, 0.00096 EPSS
Exploits: 1, References: 3
RedhatCVE
added 2025/05/23 3:11 a.m., 2 views

CVE-2023-21624

Information disclosure in DSP Services while loading dynamic module...

6.2 CVSS, 6.7 AI score, 0.00047 EPSS
Exploits: 0, References: 1
NVD
added 2023/07/04 5:15 a.m., 9 views

CVE-2023-21624

Information disclosure in DSP Services while loading dynamic module...

6.2 CVSS, 6.5 AI score, 0.00047 EPSS
Exploits: 0, References: 1
Prion
added 2023/07/04 5:15 a.m., 21 views

Information disclosure

Information disclosure in DSP Services while loading dynamic module...

1.7 CVSS, 5.5 AI score, 0.00047 EPSS
Exploits: 0, References: 1
CVE
added 2023/07/04 4:46 a.m., 64 views

CVE-2023-21624

CVE-2023-21624 is an information-disclosure vulnerability in DSP Services triggered when loading a dynamic module. The issue is documented for Qualcomm components (closed-source) and is referenced in the Android Pixel bulletin as affecting Qualcomm chipsets; affected products include Qualcomm DSP...

6.2 CVSS, 5.6 AI score, 0.00047 EPSS
Exploits: 0, References: 1, Affected Software: 1
CNNVD
added 2023/07/04 12:0 a.m., 3 views

Qualcomm Chipsets Security Vulnerability

Qualcomm Chipsets are a family of chipsets from Qualcomm Incorporated USA. A security vulnerability exists in Qualcomm Chipsets that originates from information disclosure in the DSP service when loading dynamic modules. The following products and versions are affected: FastConnect 6700,...

6.2 CVSS, 5.7 AI score, 0.00047 EPSS
Exploits: 0, References: 2