4 matches found
CVE-2026-55792
Craft CMS is vulnerable in versions 4.0.0-RC1 through 4.17.x and 5.0.0-RC1 through 5.9.x due to dataUrl() being in the Twig sandbox allowlist. A control panel user with the utility:system-messages permission can embed a file-reading payload in system emails, causing the server to read targeted fi...
Malicious code in camelotlabs-core (npm)
Five packages (camelotlabs-sdk, camelotlabs-core, camelotlabs-config, camelotlabs-worker, and camelotlabs-utils) were published to the public npm registry at version 99.0.0 by the actor madman0619 as a dependency confusion attack targeting the internal npm packages of Camelot Labs. The inflated...
GHSA-MH23-RW7F-V5PQ `time-sync` was removed from crates.io due to malicious code
The time-sync crate attempted to exfiltrate .env files to a server that was in turn impersonating the legitimate timeapi.io service. This is the same attack that we've seen three times in the last few days. The malicious crate had 1 version published on 2026-03-04 approximately 50 minutes before...
Malicious code in import-license-checker (PyPI)
Source: kam193 (c41ca4c8119fa20f7f5915b34de59f879b77fedf237cbbf5a69e46ddbeded428). Package exfiltrates content of .env files to a remote target. Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign:...