Malicious code in crossmint-wallets-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector dd4caebfba35b43bf10f156fe687f455e95b09a514b8644fe1a900b63f1bf78a Package name impersonates the Crossmint wallet SDK family. Both preinstall.js and index.js import childprocess, capture host identifiers hostname is...

boxmoe-dove-sqli-cve

CVE-2026-XXXXX Unauthenticated SQL Injection in Boxmoe Dov...

CVE-2026-53185

A flaw was found in the Linux kernel, specifically within the zram module. This vulnerability is a use-after-free error, where the system attempts to use a piece of memory after it has been freed. This occurs when the zrambvecwritepartial function allows an asynchronous read to write into a page...

sakura-theme-sqli-cve

CVE-2026-XXXXX Unauthenticated SQL Injection in Sakura Wor...

Malicious code in chai-as-persisted (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5cf9c49450e0fa0d47be1b6ae27991f844868ff6c435d2082948b5feae862709 The package's postinstall script npm run smoke:pino executes index.js, which spawns a detached node lib/initializeCaller.js child. That module hides...

MAL-2026-6544 Malicious code in chai-as-persisted (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5cf9c49450e0fa0d47be1b6ae27991f844868ff6c435d2082948b5feae862709 The package's postinstall script npm run smoke:pino executes index.js, which spawns a detached node lib/initializeCaller.js child. That module hides...

CVE-2026-13335

The CodePeople Post Map for Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'cpmpoint' Post Meta in all versions up to, and including, 1.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2026-13333

The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via 'queryselect' Parameter in all versions up to, and including, 4.5.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

CVE-2026-11356

The Ivory Search – WordPress Search Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'menutitle' and 'menumagnifiercolor' Settings in all versions up to, and including, 5.5.15 due to insufficient input sanitization and output escaping. This makes it possible for...

SUSE CVE-2026-6658

A vulnerability in jupyter/nbconvert versions tag. This vulnerability impacts any server using nbconvert to render notebooks as HTML, allowing attackers to execute arbitrary JavaScript in the context of users viewing the HTML export...

SUSE CVE-2026-13006

ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.35 in Java applications, allows an attacker to execute arbitrary code circumventing existing protections against CVE-2025-11226 by compromising an existing logback configuration...

SUSE CVE-2026-13218

A flaw was found in KubeVirt's virt-handler network cache handling. The WriteToCachedFile function writes data to a launcher-rooted path using os.WriteFile and os.Chown without symlink protection. A user with access to the virt-launcher container can plant a symlink at the cache file path, causin...

SUSE CVE-2026-13283

Use after free in AdFilter in Google Chrome on Android prior to 149.0.7827.201 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. Chromium security severity: High...

SUSE CVE-2026-13311

shell-quote prior to 1.8.5 finalizes parsed tokens in parse using Array.prototype.concat as a reduce accumulator, which reallocates and copies the entire growing array on every iteration. As a result parse runs in On^2 time relative to the number of input tokens. An attacker who can supply an...

SUSE CVE-2026-13318

A server-side request forgery SSRF flaw was found in KubeVirt's virt-api port-forward handler. When processing a port-forward request to a VirtualMachineInstance VMI, virt-api reads the target IP from vmi.Status.Interfaces0.IP and passes it directly to net.Dial without validation. For VMIs using...

SUSE CVE-2026-47770

jq is a command-line JSON processor. Prior to 1.8.2, comparing two sufficiently deeply nested arrays with the == operator exhausts the C stack on jq's ordinary command-line surface, resulting in denial of service via stack exhaustion uncontrolled recursion. The crash occurs in jq's recursive...

SUSE CVE-2026-52974

In the Linux kernel, the following vulnerability has been resolved: net: tls: fix strparser anchor skb leak on offload RX setup failure When tlssetdeviceoffloadrx fails at tlsdevadd, the error path calls tlsswfreeresourcesrx to clean up the SW context that was initialized by tlssetswoffload. This...

SUSE CVE-2026-52981

In the Linux kernel, the following vulnerability has been resolved: neigh: let neighxmit take skb ownership neighxmit always releases the skb, except when no neighbour table is found. But even the first added user of neighxmit mpls relied on neighxmit to release the skb or queue it for tx. sashik...

SUSE CVE-2026-52986

In the Linux kernel, the following vulnerability has been resolved: netfilter: nfconntracksip: don't use simplestrtoul Replace unsafe port parsing in epaddrlen, ctsipparseheaderuri, and ctsipparserequest with a new sipparseport helper that validates each digit against the buffer limit, eliminatin...

SUSE CVE-2026-52987

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: avoid double drmexecfini in userq validate When newaddition is true, amdgpuuserqvmvalidate calls drmexecfini&exec before iterating over the collected HMM ranges and calling amdgputtmttgetuserpages. If...