Lucene search
K

18 matches found

Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.21 views

PT-2026-49759

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.5.2 Description An environment variable injection exists where workspace .env files can influence the Python runtime selection during Gmail setup gcloud execution. Attackers with repository access can manipulate...

7.1CVSS5.8AI score0.00133EPSS
Exploits0References5
CVE
CVE
added 2026/05/27 5:22 p.m.25 views

CVE-2026-44346

CVE-2026-44346 affects BentoML. A malicious bentofile.yaml with a newline-injected value in envs[*].name yields unquoted RUN directives in the BentoML-generated Dockerfile, causing those RUN commands to run on the host during docker build when running bentoml containerize. The issue stems from un...

8.8CVSS5.9AI score0.00321EPSS
Exploits1References1Affected Software1
OSV
OSV
added 2026/05/11 2:27 p.m.11 views

GHSA-W2PM-X38X-JP44 Dockerfile command injection via envs[*].name in bentofile.yaml (sibling fix-bypass of CVE-2026-33744 and CVE-2026-35043)

BentoML envs.name Dockerfile command injection — sibling of CVE-2026-33744 / CVE-2026-35043 A malicious bentofile.yaml containing a newline-injected value in envs.name produces unquoted RUN directives in the BentoML-generated Dockerfile. When the victim runs bentoml containerize on the imported...

8.8CVSS6AI score0.00321EPSS
Exploits1References5
Github Security Blog
Github Security Blog
added 2026/05/11 2:27 p.m.11 views

Dockerfile command injection via envs[*].name in bentofile.yaml (sibling fix-bypass of CVE-2026-33744 and CVE-2026-35043)

BentoML envs.name Dockerfile command injection — sibling of CVE-2026-33744 / CVE-2026-35043 A malicious bentofile.yaml containing a newline-injected value in envs.name produces unquoted RUN directives in the BentoML-generated Dockerfile. When the victim runs bentoml containerize on the imported...

8.8CVSS6AI score0.00321EPSS
Exploits1References5Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/11 12:0 a.m.23 views

PT-2026-39664

Name of the Vulnerable Software and Affected Versions BentoML versions prior to 1.4.39 Description BentoML is a Python library used for building online serving systems optimized for AI applications and model inference. A flaw exists where a malicious bentofile.yaml file containing a...

8.8CVSS5.8AI score0.00321EPSS
Exploits1References7
OSV
OSV
added 2026/04/03 7:9 p.m.5 views

MAL-2026-2466 Malicious code in strapi-plugin-hextest (npm)

strapi-plugin-hextest is a malicious npm package disguised as a Strapi CMS plugin. On install, it runs a postinstall script that executes an 11-phase attack: stealing .env files, environment variables, Strapi configuration, private keys, Redis data, Docker/Kubernetes secrets, and network topology...

6AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/02/18 12:0 a.m.5 views

PT-2026-20564

Command Injection in aquasecurity/trivy-action via Unsanitized Environment Variable Export A command injection vulnerability exists in aquasecurity/trivy-action due to improper handling of action inputs when exporting environment variables. The action writes export VAR= lines to trivy envs.txt...

5.9CVSS6.1AI score
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/02/18 12:0 a.m.11 views

PT-2026-20567

Name of the Vulnerable Software and Affected Versions aquasecurity/trivy-action versions 0.31.0 through 0.33.1 Description A command injection issue exists in aquasecurity/trivy-action due to insufficient handling of action inputs when exporting environment variables. The action creates export VA...

5.9CVSS5.9AI score0.01298EPSS
Exploits0References9
OSSF Malicious Packages
OSSF Malicious Packages
added 2025/11/24 10:32 p.m.6 views

Malicious code in gulp-inject-envs (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d230a528331dc71aa1fa5cb1d9fd8146d79d7e92f3aae2efd2ce7c177640b337 The package gulp-inject-envs was found to contain malicious code. Source: ghsa-malware 5dafa09839ea07c586670ac1a302805fb65ffaf32d1641dcab2be569a68231...

6.9AI score
Exploits0References4
EUVD
EUVD
added 2025/11/24 10:32 p.m.5 views

EUVD-2025-199149

Malicious code in gulp-inject-envs npm...

6.6AI score
Exploits0References1
OSV
OSV
added 2025/11/24 10:32 p.m.3 views

MAL-2025-191105 Malicious code in gulp-inject-envs (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d230a528331dc71aa1fa5cb1d9fd8146d79d7e92f3aae2efd2ce7c177640b337 The package gulp-inject-envs was found to contain malicious code. Source: ghsa-malware 5dafa09839ea07c586670ac1a302805fb65ffaf32d1641dcab2be569a68231...

6.8AI score
Exploits0References4
vulnersOsv
vulnersOsv
added 2025/11/24 4:24 p.m.7 views

ff-build (>=2.4.0 <=2.6.1) potentially affected by unknown CVE via gulp-inject-envs (=1.2.0)

gulp-inject-envs NPM version =1.2.0 is affected by a known vulnerability. The following packages have a transitive dependency on gulp-inject-envs and may be impacted: - ff-build =2.4.0, =2.6.1 Source cves: unknown CVE Source advisory: SNYK:JS-GULPINJECTENVS-14103633...

5.8AI score
Exploits0
OSSF Malicious Packages
OSSF Malicious Packages
added 2025/09/25 4:7 a.m.5 views

Malicious code in envs-loader (npm)

The package envs-loader was found to contain malicious code. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 94802ccdee601e77ff6361593b03ef5b414dec7eaeccd58d8ed6b2305886b27d Any computer that has this package installed or running should be considered fully...

6.9AI score
Exploits0References1
OSV
OSV
added 2025/09/25 4:7 a.m.4 views

MAL-2025-47553 Malicious code in envs-loader (npm)

The package envs-loader was found to contain malicious code. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 94802ccdee601e77ff6361593b03ef5b414dec7eaeccd58d8ed6b2305886b27d Any computer that has this package installed or running should be considered fully...

6.9AI score
Exploits0References1
Snyk
Snyk
added 2025/09/25 4:7 a.m.3 views

Malicious Package

Overview envs-loader is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...

9.8CVSS6.8AI score
Exploits0References2
OSV
OSV
added 2025/06/20 10:50 a.m.2 views

MAL-2025-5193 Malicious code in envs-validator (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 14d66a16720127b714fd0b4972d056bd66309e46b1cbf745656b742fe3bc33f3 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

7AI score
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2025/06/20 10:50 a.m.3 views

Malicious code in envs-validator (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 14d66a16720127b714fd0b4972d056bd66309e46b1cbf745656b742fe3bc33f3 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

6.9AI score
Exploits0References1
seebug.org
seebug.org
added 2006/10/28 12:0 a.m.17 views

Solaris Runtime Linker (ld.so.1) Buffer Overflow Exploit (SPARC version

No description provided by source. / ld.so.1 exploit SPARC coded by: osker178 bjr213 psu.edu Alright, so this exploits a fairly standard buffer overflow in the default Solaris runtime linker ld.so.1 discovery by Jouko Pynnonen Only real deviation here from the standard overflow and return into li...

7.1AI score
Exploits0
Rows per page
Query Builder