95 matches found
GHSA-RM3J-F69W-WQMQ vulnerabilities
Vulnerabilities for packages: crossplane-provider-aws-route53-fips, crossplane-provider-azure-servicebus, ollama-fips, crossplane-provider-aws-cloudfront-fips, argo-events-fips, consul-fips, cloud-provider-aws, crossplane-provider-azure-search, crossplane-provider-aws-cloudsearch-fips,...
GHSA-Q4H4-GMJ2-QVW2 vulnerabilities
Vulnerabilities for packages: crossplane-provider-aws-route53-fips, crossplane-provider-azure-servicebus, ollama-fips, crossplane-provider-aws-cloudfront-fips, argo-events-fips, consul-fips, cloud-provider-aws, crossplane-provider-azure-search, crossplane-provider-aws-cloudsearch-fips,...
Budibase has nonymous NoSQL operator injection via published-app query templates
Summary enrichContext at packages/server/src/sdk/workspace/queries/queries.ts:121-138 substitutes parameter values into the raw JSON body of a query, then JSON.parses the result. The validator validateQueryInputs at packages/server/src/api/controllers/query/index.ts:61-71 rejects only Handlebars...
MAL-2026-5945 Malicious code in @mastra/dynamodb (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2567710170942391d967675952bbdd9cd0f8d933cc39e4cf4460ca4c5b700097 The package was found to contain malicious code or consuming dependency that contains malicious code Source: ghsa-malware...
Malicious code in @mastra/dynamodb (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2567710170942391d967675952bbdd9cd0f8d933cc39e4cf4460ca4c5b700097 The package was found to contain malicious code or consuming dependency that contains malicious code Source: ghsa-malware...
com.drobisch:flink-connector-elasticsearch-e2e-tests-common (>=4.0.0-serde-fixes <=4.0.5-fault-tolerant), com.drobisch:flink-connector-elasticsearch6-e2e-tests (>=4.0.0-serde-fixes <=4.0.5-fault-tolerant) +25 more potentially affected by CVE-2026-35194 via org.apache.flink:flink-table-api-java (>=2.0.0 <=2.0.1)
org.apache.flink:flink-table-api-java MAVEN version =2.0.0, =4.0.0-serde-fixes, =4.0.0-serde-fixes, =4.0.0-serde-fixes, =26.0.0, =0.2.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.1 and more Source cves: CVE-2026-35194 Source advisory: OSV:GHSA-2F54-V4HM-FX73...
CVE-2026-7191 Arbitrary Code Execution via Sandbox Bypass in the open source solution QnABot on AWS
Improper use of the static-eval npm package in the open source solution qnabot-on-aws versions 7.2.4 and earlier may allow an authenticated administrator to execute arbitrary code within the fulfillment Lambda execution context by injecting a crafted conditional chaining expression via the Conten...
CVE-2026-7191 Arbitrary Code Execution via Sandbox Bypass in the open source solution QnABot on AWS
Improper use of the static-eval npm package in the open source solution qnabot-on-aws versions 7.2.4 and earlier may allow an authenticated administrator to execute arbitrary code within the fulfillment Lambda execution context by injecting a crafted conditional chaining expression via the Conten...
CVE-2026-3992
A weakness has been identified in CodeGenieApp serverless-express up to 4.17.1. This affects an unknown part of the file utils/dynamodb.ts of the component Users Endpoint. This manipulation of the argument filter causes injection. The attack may be initiated remotely. The exploit has been made...
EUVD-2026-11535
A weakness has been identified in CodeGenieApp serverless-express up to 4.17.1. This affects an unknown part of the file utils/dynamodb.ts of the component Users Endpoint. This manipulation of the argument filter causes injection. The attack may be initiated remotely. The exploit has been made...
CVE-2026-3992
A weakness has been identified in CodeGenieApp serverless-express up to 4.17.1. This affects an unknown part of the file utils/dynamodb.ts of the component Users Endpoint. This manipulation of the argument filter causes injection. The attack may be initiated remotely. The exploit has been made...
CVE-2026-3992 CodeGenieApp serverless-express Users Endpoint dynamodb.ts injection
A weakness has been identified in CodeGenieApp serverless-express up to 4.17.1. This affects an unknown part of the file utils/dynamodb.ts of the component Users Endpoint. This manipulation of the argument filter causes injection. The attack may be initiated remotely. The exploit has been made...
CVE-2026-3992
CVE-2026-3992 affects CodeGenieApp serverless-express up to 4.17.1, targeting an unspecified area within utils/dynamodb.ts of the Users Endpoint. The issue arises from manipulation of the argument filter, causing an injection vulnerability that can be triggered remotely. Public exploit code is av...
CVE-2026-3992 CodeGenieApp serverless-express Users Endpoint dynamodb.ts injection
A weakness has been identified in CodeGenieApp serverless-express up to 4.17.1. This affects an unknown part of the file utils/dynamodb.ts of the component Users Endpoint. This manipulation of the argument filter causes injection. The attack may be initiated remotely. The exploit has been made...
PT-2026-24927
A weakness has been identified in CodeGenieApp serverless-express up to 4.17.1. This affects an unknown part of the file utils/dynamodb.ts of the component Users Endpoint. This manipulation of the argument filter causes injection. The attack may be initiated remotely. The exploit has been made...
Serverless Express 安全漏洞
Serverless Express is an open-source library from Code Genie that allows for running Node.js web applications in a serverless environment. Serverless Express versions 4.17.1 and earlier contain a security vulnerability. This vulnerability stems from incorrect handling of parameters in the file...
EUVD-2026-8642
zae-limiter: DynamoDB hot partition throttling enables per-entity Denial of Service...
GHSA-76RV-2R9V-C5M6 zae-limiter: DynamoDB hot partition throttling enables per-entity Denial of Service
Summary All rate limit buckets for a single entity share the same DynamoDB partition key namespace/ENTITYid. A high-traffic entity can exceed DynamoDB's per-partition throughput limits 1,000 WCU/sec, causing throttling that degrades service for that entity — and potentially co-located entities in...
zae-limiter: DynamoDB hot partition throttling enables per-entity Denial of Service
Summary All rate limit buckets for a single entity share the same DynamoDB partition key namespace/ENTITYid. A high-traffic entity can exceed DynamoDB's per-partition throughput limits 1,000 WCU/sec, causing throttling that degrades service for that entity — and potentially co-located entities in...
CVE-2026-27695
zae-limiter is a rate limiting library using the token bucket algorithm. Prior to version 0.10.1, all rate limit buckets for a single entity share the same DynamoDB partition key namespace/ENTITYid. A high-traffic entity can exceed DynamoDB's per-partition throughput limits 1,000 WCU/sec, causing...