MAL-2026-6220 Malicious code in chai-as-uphelded (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector aa7f5470790594e55393048fee0e7a9e6e6650776a06717258e410292d4dc8a9 Package name impersonates the popular chai-as-promised library, but its package.json description and keywords masquerade as a pino-style logger and a...

Astra Linux – Vulnerability in node-babel

Babel is a compiler for writing JavaScript. In @babel/traverse prior to versions 7.23.2 and 8.0.0-alpha.4, as well as all versions of babel-traverse, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, especially when...

Malicious code in self-certificate (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4a2141f4facbd3abc437287c86971f1b3bb6795fad75990624f735b72139167d The package advertises itself as a self-signed certificate generator, but its main module index.js contains a loadSampleCertificate routine that read...

CVE-2026-6652

A weakness has been identified in Pagekit CMS up to 1.0.18. This issue affects the function evaluate of the file app/modules/view/src/PhpEngine.php of the component StringStorage Template Handler. This manipulation causes improper neutralization of directives in dynamically evaluated code. Remote...

CVE-2026-5739

A security flaw has been discovered in PowerJob 5.1.0/5.1.1/5.1.2. The affected element is the function GroovyEvaluator.evaluate of the file /openApi/addWorkflowNode of the component OpenAPI Endpoint. The manipulation of the argument nodeParams results in code injection. The attack can be execute...

Incomplete List of Disallowed Inputs

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the builtin allowlist handling in lib/builtin.js. An attacker can reach host code by requiring process and...

CVE-2026-42785

OpenKM 6.3.12 contains a remote code execution vulnerability that allows authenticated administrators to execute arbitrary Java/BeanShell code through the /admin/Scripting endpoint. Attackers can submit malicious script content with an action=Evaluate parameter to execute operating system command...

CVE-2026-42785

OpenKM 6.3.12 is affected by a remote code execution vulnerability exploitable by authenticated administrators via the /admin/Scripting endpoint. The issue allows submission of malicious script content with an action=Evaluate parameter to execute arbitrary Java/BeanShell code in the OpenKM applic...

CVE-2026-42785

OpenKM 6.3.12 contains a remote code execution vulnerability that allows authenticated administrators to execute arbitrary Java/BeanShell code through the /admin/Scripting endpoint. Attackers can submit malicious script content with an action=Evaluate parameter to execute operating system command...

CVE-2026-42785 OpenKM 6.3.12 Remote Code Execution via Administrative Scripting

OpenKM 6.3.12 contains a remote code execution vulnerability that allows authenticated administrators to execute arbitrary Java/BeanShell code through the /admin/Scripting endpoint. Attackers can submit malicious script content with an action=Evaluate parameter to execute operating system command...

EUVD-2026-31835

OpenKM 6.3.12 contains a remote code execution vulnerability that allows authenticated administrators to execute arbitrary Java/BeanShell code through the /admin/Scripting endpoint. Attackers can submit malicious script content with an action=Evaluate parameter to execute operating system command...

Malicious code in react-ui-polyfills (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 63c43460df1ee670b8a5982d77e7028aef7df25fa38922f743489fd52b41b5ea Package advertises itself as React polyfills / UI compatibility helpers but ships no React or polyfill code. The exported getPlugin function returns ...

OpenKM 代码注入漏洞

OpenKM is a document management system developed by OpenKM Company in Spain. This system offers features such as version control, file history, and file sharing. Version OpenKM 6.3.12 has a code injection vulnerability. This vulnerability arises from allowing authenticated administrators to submi...

aana (>=0.2.1 <=0.2.2), ace-step (=0.1.0) +234 more potentially affected by CVE-2026-45804 via diffusers (>=0.10.2 <=0.37.1)

diffusers PYPI version =0.10.2, =0.2.1, =1.8.20, =1.9.0, =0.0.0, =0.2.2, =0.0.2, =0.0.0, =0.1.0, =0.6.37, =0.0.4, =0.1.0, =0.1.0, =0.5.0 and more Source cves: CVE-2026-45804 Source advisory: SNYK:PYTHON-DIFFUSERS-16787358...

keycloak: org.keycloak.services: Keycloak: Information Disclosure via evaluate-scopes Admin API

A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID userId parameter. This vulnerability allows for cross-role personally identifiable information PII leakage,...

Astra Linux - уязвимость в linux, linux-5.10

In the Linux kernel, the following vulnerability has been resolved: Platform/x86: mxm-wmi: fixed a memory leak in the mxmwmicallmxds|mx function. The ACPI buffer memory out.pointer returned by wmievaluatemethod is not freed after the call, resulting in a memory leak. This issue occurs because the...

MAL-2026-4571 Malicious code in get-deps-path (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 65fa6f34a831aa832f9d88019ce3d0f4011701df6ab0667bd263645208c978ce On require, get-deps-path immediately invokes getPlugin, which performs an HTTP fetch to https://jsonkeeper.com/b/QBRMI an anonymous public paste hos...

Unity Linux 20.1050e Security Update: kernel (UTSA-2026-021545)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-021545 advisory. In the Linux kernel, the following vulnerability has been resolved: platform/x86: mxm-wmi: fix memleak in mxmwmicallmxds|mx The ACPI buffer memory out.pointer return...

GHSA-RRV7-3MQF-HXFR Keycloak: Information Disclosure via evaluate-scopes Admin API

A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID userId parameter. This vulnerability allows for cross-role personally identifiable information PII leakage,...

Keycloak: Information Disclosure via evaluate-scopes Admin API

A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID userId parameter. This vulnerability allows for cross-role personally identifiable information PII leakage,...