MAL-2026-6522 Malicious code in @epsteinlovekids483/crossmint-wallets-sdk-pentest (npm)
Source: amazon-inspector 6e43e5a418541bb3e485010eba536ecc9f1483dba866af53ff4a760684409213 Package's main entry dist/index.cjs unconditionally requires dist/shai-hulud.js at module load. On require, the code harvests installer secrets —...
Security update for python, python-base, python-doc
This update for python, python-base, python-doc fixes the following issues. Security fixes: CVE-2026-1703: files may be extracted outside the installation directory when installing and extracting maliciously crafted wheel archives (bsc1257599). CVE-2026-3219: pip doesn't reject concatenated ZIP...
SUSE-SU-2026:2664-1 Security update for python, python-base, python-doc
This update for python, python-base, python-doc fixes the following issues. Security fixes: - CVE-2026-1703: files may be extracted outside the installation directory when installing and extracting maliciously crafted wheel archives (bsc1257599). - CVE-2026-3219: pip doesn't reject concatenated ZIP...
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Use after free in Microsoft Edge (Chromium-based) allows an authorized attacker to execute code over a network...
Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs
A high-severity flaw in Amazon Q Developer let a malicious repository run commands and steal a developer's cloud credentials. The path was short: a developer opens the repo, trusts the workspace, and Amazon Q does the rest. Amazon has patched it. Tracked as CVE-2026-12957 (CVSS 8.5), the bug sat in...
WordPress TemplateSpare plugin <= 4.2.0 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Ananda Dhakal (Patchstack) in WordPress Plugin TemplateSpare (versions <= 4.2.0)...
CVE-2026-53914
In JetBrains Kotlin before 2.4.20 code execution was possible via unsafe deserialization in the build cache metadata...
EUVD-2026-39659
In JetBrains Kotlin before 2.4.20 code execution was possible via unsafe deserialization in the build cache metadata...
CVE-2026-53914
CVE-2026-53914 affects JetBrains Kotlin prior to 2.4.20, where unsafe deserialization in the build cache metadata allows code execution. The NVD notes a high-severity, network-vector vulnerability with critical impact to confidentiality, integrity, and availability; local context in CVSS from CNA...
Exploit for Missing Authorization in Plane
CVE-2026-46558 Plane’s V2 asset subsystem trusted workspace sl...
Exploit for CVE-2026-34207
CVE-2026-34207 The SSRF filter checked hostname text, but the...
Malware steals Chrome session cookies to take over your accounts
An email attachment leads to the installation of a malicious Chrome extension. Researchers say it is part of a Windows backdoor delivered via a phishing email. The malware abuses Chrome Native Messaging to move control from the browser into the host system. Its most notable trick isn't the phishi...
Exploit for Authorization Bypass Through User-Controlled Key in Docmost
CVE-2026-34213 A low-privileged Docmost user could supply a vi...
Exploit for Cross-site Scripting in Docmost
CVE-2026-34212 Docmost accepted a javascript: URL inside an at...
CISA Adds Exploited PTC Windchill RCE Flaw to KEV as Web Shell Attacks Continue
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical remote code execution vulnerability impacting PTC Windchill PDMlink and PTC FlexPLM enterprise Product Data Management (PDM) and Product Lifecycle Management (PLM) software to its Known Exploited Vulnerabiliti...
CVE-2026-56370
An out-of-bounds access vulnerability exists in ImageMagick's ConnectedComponentsImage function. By passing malformed connected-components definitions through the CLI, an attacker can cause a denial of service or potentially execute arbitrary code. Mitigation: Prevent the injection of malformed...
Malicious code in react-icon-svgs (npm)
Source: ghsa-malware ff5b9a03e2018642801f0a9d253297cf1eb8ce39a8af4152f31bcd045e4768d2 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in rollup-plugin-polyfill-connect (npm)
Source: ghsa-malware b21017bf70f3f7909beadfff916971711ef9d236ab81797b3bb53569034fa67c Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...