MAL-2026-4383 Malicious code in @dknzo/soonex-ai (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 637d9821dd6061c21dfa483bdefec73cd6ddeb8ba6e1d9bd9653784de514e9b5 The package advertises itself as 'Internal core lifecycle utilities for Baileys socket connection' but its sole exported function...

OPENSUSE-SU-2026:20771-1 Security update for perl-YAML-Syck

This update for perl-YAML-Syck fixes the following issues: Changes in perl-YAML-Syck: - updated to 1.450.0 1.45 Bug Fixes - Fix: use syckbase64free to fix Windows "Free to wrong pool" crash in base64 encode/decode buffers; also plugs a memory leak PR 189 - Fix: clear type tag on blessed scalar...

CVE-2026-8959 Sandbox escape due to incorrect boundary conditions in the Widget: Win32 component

Sandbox escape due to incorrect boundary conditions in the Widget: Win32 component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11...

CVE-2026-8954

Incorrect boundary conditions, integer overflow in the Audio/Video component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11...

CVE-2026-43493

In the Linux kernel, the following vulnerability has been resolved: crypto: pcrypt - Fix handling of MAYBACKLOG requests MAYBACKLOG requests can return EBUSY. Handle them by checking for that value and filtering out EINPROGRESS notifications...

PT-2026-42031

Summary Unauthenticated semi-blind Server-Side Request Forgery SSRF via the Azure instance identity endpoint POST /api/v2/workspaceagents/azure-instance-identity. An external attacker can force the Coder server to issue HTTP GET requests to arbitrary internal or external hosts by submitting a...

PT-2026-41873

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description The net: qrtr: ns component lacks bound checking on the number of servers added per node. A malicious client can exhaust memory by flooding the system with NEW SERVER messages. The issue...

Security updated provided in Brocade ASCG 3.4.0b for container-tools (CVE-2024-24785, CVE-2025-61729, CVE-2025-65637)

Security update provided in Brocade ASCG before ASCG 3.4.0b CVE-2024-24785 Title: Errors returned from JSON marshaling may break template escaping in html/template Description If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual...

GHSA-PQ7C-X8G4-RVP6 NiceGUI: Unauthenticated log-volume denial of service in dynamic resource routes

Summary Two FastAPI routes that serve per-component static assets in NiceGUI accept a sub-path parameter that may resolve to a directory rather than a file. Requests that resolve to a directory raise an unhandled RuntimeError inside Starlette's FileResponse, which Uvicorn writes to the server log...

SUSE CVE-2026-8388

Incorrect boundary conditions in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 150.0.3, Firefox ESR 115.36, Firefox ESR 140.11, and Thunderbird 140.11...

PT-2026-41784

Name of the Vulnerable Software and Affected Versions OpenTelemetry eBPF Instrumentation versions prior to 0.9.0 Description OpenTelemetry eBPF Instrumentation exports raw Redis error text as the span status message. Because Redis error replies can contain sensitive values or attacker-controlled...

CVE-2026-8738

A security vulnerability has been detected in Sanluan PublicCMS 5.202506.d. Impacted is the function TradeOrderController.pay/TradePaymentController.pay/AccountGatewayComponent.pay of the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeOrderController.java of the...

CVE-2026-8738

A security vulnerability has been detected in Sanluan PublicCMS 5.202506.d. Impacted is the function TradeOrderController.pay/TradePaymentController.pay/AccountGatewayComponent.pay of the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeOrderController.java of the...

EUVD-2026-30688

A security vulnerability has been detected in Sanluan PublicCMS 5.202506.d. Impacted is the function TradeOrderController.pay/TradePaymentController.pay/AccountGatewayComponent.pay of the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeOrderController.java of the...

CVE-2026-8738 Sanluan PublicCMS Trade Payment Flow TradeOrderController.java AccountGatewayComponent.pay logic error

A security vulnerability has been detected in Sanluan PublicCMS 5.202506.d. Impacted is the function TradeOrderController.pay/TradePaymentController.pay/AccountGatewayComponent.pay of the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeOrderController.java of the...

CVE-2021-47959 WordPress Plugin WPGraphQL 1.3.5 Denial of Service

WordPress Plugin WPGraphQL 1.3.5 contains a denial of service vulnerability that allows unauthenticated attackers to exhaust server resources by sending batched GraphQL queries with duplicated fields. Attackers can send POST requests to the GraphQL endpoint with amplified field duplication payloa...

CVE-2021-47959

WPGraphQL 1.3.5 is affected by a DoS vulnerability: unauthenticated attackers can exhaust server resources by sending batched GraphQL queries with duplicated fields, potentially causing OOM conditions and MySQL connection errors. The provided documents do not include a confirmed patch version or ...

EUVD-2021-34814

WordPress Plugin WPGraphQL 1.3.5 contains a denial of service vulnerability that allows unauthenticated attackers to exhaust server resources by sending batched GraphQL queries with duplicated fields. Attackers can send POST requests to the GraphQL endpoint with amplified field duplication payloa...

CVE-2026-41181

Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.44, 3.6.15, and 3.7.0-rc.3, there is an information disclosure vulnerability in Traefik's errors custom error pages middleware. When the backend returns a response matching the configured status range, the middleware forwards the...

CVE-2026-41181

Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.44, 3.6.15, and 3.7.0-rc.3, there is an information disclosure vulnerability in Traefik's errors custom error pages middleware. When the backend returns a response matching the configured status range, the middleware forwards the...