Linux Distros Unpatched Vulnerability : CVE-2026-44461

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Zed is a code editor. Prior to 0.227.1, Zed builds SSH/WSL remote commands as a shell command string that starts with exec env ..., but environment variable key...

CVE-2026-44461 Zed: Remote Command Injection via Unquoted Environment Variable Keys (SSH / WSL Remote)

Zed is a code editor. Prior to 0.227.1, Zed builds SSH/WSL remote commands as a shell command string that starts with exec env ..., but environment variable keys are inserted without shell quoting or validation. If an attacker can control an environment variable key for example via project termin...

CVE-2026-44461 Zed: Remote Command Injection via Unquoted Environment Variable Keys (SSH / WSL Remote)

Zed is a code editor. Prior to 0.227.1, Zed builds SSH/WSL remote commands as a shell command string that starts with exec env ..., but environment variable keys are inserted without shell quoting or validation. If an attacker can control an environment variable key for example via project termin...

CVE-2026-44461

Zed is a code editor. Prior to 0.227.1, Zed builds SSH/WSL remote commands as a shell command string that starts with exec env ..., but environment variable keys are inserted without shell quoting or validation. If an attacker can control an environment variable key for example via project termin...

PT-2026-44411

Name of the Vulnerable Software and Affected Versions Zed versions prior to 0.227.1 Description Zed builds SSH/WSL remote commands as a shell command string starting with exec env ..., where environment variable keys are inserted without shell quoting or validation. An attacker who can control an...

MAL-2026-2528 Malicious code in sjs-lint-build1 (npm)

sjs-biginteger typosquats big.js on npm. Published April 7, 2026 by throwaway account vanes.s.p.orit.a, the package ships legitimate big.js source and hides its payload in a dependency: sjs-lint-build1. On install, the dependency’s postinstall hook fetches the attacker’s SSH public key from a C2...

GHSA-98CH-45WP-CH47 OpenClaw: Windows-compatible env override keys could bypass system.run approval binding

Summary Before OpenClaw 2026.4.2, system-run approval binding normalized environment override keys differently from host execution. Windows-compatible keys could be omitted from the approval binding while still being injected at execution time. Impact An approved command could run with...

Improper Handling of Case Sensitivity

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to inconsistent normalization of environment override keys between approval binding and execution time. An attacker can inject unauthorized...

GO-2026-4901 nginx-UI has Unencrypted Storage of DNS API Tokens and ACME Private Keys in github.com/0xJacky/nginx-ui

nginx-UI has Unencrypted Storage of DNS API Tokens and ACME Private Keys in github.com/0xJacky/nginx-ui...

Protection Mechanism Failure

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Protection Mechanism Failure due to inconsistent sanitization of host environment override keys in the host-env-security.ts process. An attacker can bypass environment policy restrictions...

Backstage 信息泄露漏洞

Backstage is an open-source application developed by Backstage. It serves as an open platform for building developer portals. Versions of Backstage prior to 3.1.5 contained a vulnerability related to information leakage. This vulnerability occurred because verified users with permission to conduc...

Malicious code in pino-sdk-v2 (npm)

Malware detected: Exfiltrates .env file keys to Discord webhook. Impersonates legit pino package with modified malicious package/lib/tools.js. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 093fa98258b33a735216506ea119532a3cc24c92359028b4bb1955d0b712951a The...

MAL-2026-1259 Malicious code in pino-sdk-v2 (npm)

Malware detected: Exfiltrates .env file keys to Discord webhook. Impersonates legit pino package with modified malicious package/lib/tools.js. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 093fa98258b33a735216506ea119532a3cc24c92359028b4bb1955d0b712951a The...

Information Disclosure

Hono is vulnerable to an Information Disclosure. The vulnerability is due to improper validation of user-controlled paths in the Serve Static Middleware for the Cloudflare Workers adapter, which allows an attacker to exploit path handling and read arbitrary keys from the Workers environment...

EUVD-2026-4751

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Serve static Middleware for the Cloudflare Workers adapter contains an information disclosure vulnerability that may allow attackers to read arbitrary keys from the Workers environment...

Hono security vulnerability

Hono is a web framework built with TypeScript in the Hono community. Versions of Hono prior to 4.11.7 contained a security vulnerability. This vulnerability stemmed from a static service middleware in the Cloudflare Workers adapter, which allowed information leakage, potentially enabling attacker...

Years of JSONFormatter and CodeBeautify Leaks Expose Thousands of Passwords and API Keys

New research has found that organizations in various sensitive sectors, including governments, telecoms, and critical infrastructure, are pasting passwords and credentials into online tools like JSONformatter and CodeBeautify that are used to format and validate code. Cybersecurity company...

Exploit for SQL Injection in Sqlalchemy

What Part A - Prereqs - hud cli - Docker Part A - Setu...

CVE-2024-43389

A low privileged remote attacker can perform configuration changes of the ospf service through OSPFINTERFACE.SIMPLEKEY, OSPFINTERFACE.DIGESTKEY environment variables which can lead to a DoS...