201 matches found
Incomplete List of Disallowed Inputs
Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the builtin allowlist handling in lib/builtin.js. An attacker can reach host code by requiring process and...
CVE-2026-42785
OpenKM 6.3.12 contains a remote code execution vulnerability that allows authenticated administrators to execute arbitrary Java/BeanShell code through the /admin/Scripting endpoint. Attackers can submit malicious script content with an action=Evaluate parameter to execute operating system command...
EUVD-2026-31835
OpenKM 6.3.12 contains a remote code execution vulnerability that allows authenticated administrators to execute arbitrary Java/BeanShell code through the /admin/Scripting endpoint. Attackers can submit malicious script content with an action=Evaluate parameter to execute operating system command...
CVE-2026-42785 OpenKM 6.3.12 Remote Code Execution via Administrative Scripting
OpenKM 6.3.12 contains a remote code execution vulnerability that allows authenticated administrators to execute arbitrary Java/BeanShell code through the /admin/Scripting endpoint. Attackers can submit malicious script content with an action=Evaluate parameter to execute operating system command...
CVE-2026-42785
OpenKM 6.3.12 is affected by a remote code execution vulnerability exploitable by authenticated administrators via the /admin/Scripting endpoint. The issue allows submission of malicious script content with an action=Evaluate parameter to execute arbitrary Java/BeanShell code in the OpenKM applic...
CVE-2026-42785
OpenKM 6.3.12 contains a remote code execution vulnerability that allows authenticated administrators to execute arbitrary Java/BeanShell code through the /admin/Scripting endpoint. Attackers can submit malicious script content with an action=Evaluate parameter to execute operating system command...
Malicious code in react-ui-polyfills (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 63c43460df1ee670b8a5982d77e7028aef7df25fa38922f743489fd52b41b5ea Package advertises itself as React polyfills / UI compatibility helpers but ships no React or polyfill code. The exported getPlugin function returns ...
OpenKM 代码注入漏洞
OpenKM is a document management system developed by OpenKM Company in Spain. This system offers features such as version control, file history, and file sharing. Version OpenKM 6.3.12 has a code injection vulnerability. This vulnerability arises from allowing authenticated administrators to submi...
keycloak: org.keycloak.services: Keycloak: Information Disclosure via evaluate-scopes Admin API
A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID userId parameter. This vulnerability allows for cross-role personally identifiable information PII leakage,...
Astra Linux - уязвимость в node-babel
Babel is a compiler for writing JavaScript code. In @babel/traverse prior to versions 7.23.2 and 8.0.0-alpha.4, as well as all versions of babel-traverse, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, especially...
Astra Linux - уязвимость в busybox
A use-after-free in Busybox’s awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function...
Astra Linux - уязвимость в linux-5.10
In the Linux kernel, the following vulnerability has been resolved: net: wwan: iosm: A memory leak has been fixed in the ipcpciereadbioscfg function. The ipcpciereadbioscfg function uses acpievaluatedsm to obtain the wwan power state configuration from the BIOS. However, it does not free the...
MAL-2026-4571 Malicious code in get-deps-path (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 65fa6f34a831aa832f9d88019ce3d0f4011701df6ab0667bd263645208c978ce On require, get-deps-path immediately invokes getPlugin, which performs an HTTP fetch to https://jsonkeeper.com/b/QBRMI an anonymous public paste hos...
Unity Linux 20.1050e Security Update: kernel (UTSA-2026-021545)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-021545 advisory. In the Linux kernel, the following vulnerability has been resolved: platform/x86: mxm-wmi: fix memleak in mxmwmicallmxds|mx The ACPI buffer memory out.pointer return...
CVE-2026-37978
A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID userId parameter. This vulnerability allows for cross-role personally identifiable information PII leakage,...
CVE-2026-37978
Keycloak CVE-2026-37978 involves an information disclosure via the evaluate-scopes Admin API. A low-privilege administrator with the 'view-clients' role can invoke evaluate-scopes using an arbitrary userId, enabling cross-role PII leakage across the realm. The vulnerability is exploitable remotel...
EUVD-2026-30882
A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID userId parameter. This vulnerability allows for cross-role personally identifiable information PII leakage,...
CVE-2026-37978
A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID userId parameter. This vulnerability allows for cross-role personally identifiable information PII leakage,...
CVE-2026-37978 Keycloak: org.keycloak.services: keycloak: information disclosure via evaluate-scopes admin api
A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID userId parameter. This vulnerability allows for cross-role personally identifiable information PII leakage,...
CVE-2026-37978 Keycloak: org.keycloak.services: keycloak: information disclosure via evaluate-scopes admin api
A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID userId parameter. This vulnerability allows for cross-role personally identifiable information PII leakage,...