MAL-2026-5704 Malicious code in friendly-greeter-demo (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ab72d8364f58d27c6ba37063af62500b494b2fcb8961c1a2b40ed1d2feabdcfe friendly-greeter-demo ships two independent remote-code-execution channels that activate automatically. postinstall.js runs on npm install and...

EUVD-2026-35401

TYPO3 CMS has Insecure Deserialization via Core API...

GHSA-C78M-C52X-JGWP TYPO3 CMS has Insecure Deserialization via Core API

Problem TYPO3's cache frontend VariableFrontend and persistent key-value store Registry deserialized PHP payloads without integrity validation or class restrictions. An attacker with write access to the underlying storage backend cache store or sysregistry database table could inject a crafted...

Malicious code in theta-connector (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f9ac14206b12d7cb0c180c49e65d91b99aa2f013c33147d7f1eff396da2c48a2 The package advertises itself as a MySQL connector but index.js around line 236 contains a method queryDBConnect on the exported...

MAL-2026-5705 Malicious code in theta-connector (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f9ac14206b12d7cb0c180c49e65d91b99aa2f013c33147d7f1eff396da2c48a2 The package advertises itself as a MySQL connector but index.js around line 236 contains a method queryDBConnect on the exported...

Malicious code in theta-kit (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 09b0737ff5b0b0768e2314b014529b80609632a38dfdc3a9ad6cfd6ab1da9039 package.json declares postinstall: node dist/index.js, and dist/index.js executes Model.resetor at module top level — meaning both npm install...

MAL-2026-5706 Malicious code in theta-kit (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 09b0737ff5b0b0768e2314b014529b80609632a38dfdc3a9ad6cfd6ab1da9039 package.json declares postinstall: node dist/index.js, and dist/index.js executes Model.resetor at module top level — meaning both npm install...

Paperclip AI RCE using a chain of six API calls (CVE-2026-41679).

Paperclip is the operating system for your AI company. You set the goals, hire AI agents as employees, and watch them plan and execute work. Prior to version 2026.410.0, Paperclip allows for an unauthenticated RCE, tracked as CVE-2026-41679. An unauthenticated attacker can achieve full remote cod...

Security Bulletin: Arbitrary File Write and Remote Code Execution Vulnerability in Langflow v2 API

Summary IBM Langflow Desktop contains a critical vulnerability in its v2 API file handling mechanism where the POST /api/v2/files/ endpoint improperly processes multipart upload filenames without sanitization, allowing path traversal and arbitrary file write outside intended directories; this fla...

CVE-2026-42890 actual Allows Electron to Run As Node

Actual is an open-source personal finance application. In the macOS desktop application version 25.x built on Electron 39.2.7, the ELECTRONRUNASNODE fuse is not disabled, allowing an attacker who can place a file on disk or control command-line arguments to invoke the signed Actual.app binary wit...

[SECURITY] [DSA 6343-1] librabbitmq security update

------------------------------------------------------------------------- Debian Security Advisory DSA-6343-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff June 12, 2026 https://www.debian.org/security/faq -...

[SECURITY] [DSA 6342-1] jpeg-xl security update

------------------------------------------------------------------------- Debian Security Advisory DSA-6342-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff June 12, 2026 https://www.debian.org/security/faq -...

CVE-2026-12043 Heap double-free in AWS Common Runtime aws-c-http

Improper handling of HPACK dynamic table size updates in the AWS Common Runtime aws-c-http library might allow a remote threat actor operating a server to cause memory corruption on a connecting client application, potentially leading to arbitrary code execution, via a crafted sequence of HTTP/2...

CVE-2026-12043 Heap double-free in AWS Common Runtime aws-c-http

Improper handling of HPACK dynamic table size updates in the AWS Common Runtime aws-c-http library might allow a remote threat actor operating a server to cause memory corruption on a connecting client application, potentially leading to arbitrary code execution, via a crafted sequence of HTTP/2...

CVE-2026-12043

CVE-2026-12043 affects the AWS Common Runtime aws-c-http library due to improper handling of HPACK dynamic table size updates, which can cause memory corruption on a connecting client via a crafted sequence of HTTP/2 HEADERS frames. The vulnerability could lead to arbitrary code execution on vuln...

EUVD-2026-36541

Improper handling of HPACK dynamic table size updates in the AWS Common Runtime aws-c-http library might allow a remote threat actor operating a server to cause memory corruption on a connecting client application, potentially leading to arbitrary code execution, via a crafted sequence of HTTP/2...

GHSA-7QMG-GRCP-QF25 GeoServer has an arbitrary file write vulnerability in its Master Password Dump Page

Summary A vulnerability exists that allows an authenticated administrator with access to GeoServer's security system to pass arbitrary file names to the Master Password Dump web page and create files containing the master password in plaintext. The provided file name must be an absolute path to t...

GeoServer has an arbitrary file write vulnerability in its Master Password Dump Page

Summary A vulnerability exists that allows an authenticated administrator with access to GeoServer's security system to pass arbitrary file names to the Master Password Dump web page and create files containing the master password in plaintext. The provided file name must be an absolute path to t...

CVE-2026-48163

MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1 to before 11.4.12, 11.8.1 to before 11.8.8, and 12.3.1, during the SST the donor node is interpolating parameters that the joiner sent into the command line. No...

CVE-2026-47965

Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file...