32 matches found

OSV
added 2026/06/16 2:15 a.m. · 8 views

MAL-2026-5856 Malicious code in carousel-controller-mixin (npm)

Source: amazon-inspector c1a4b1be297682ca77d8a92fc502887ee6d718a5541fa88413acdc6accb3ed97
package.json declares both preinstall and postinstall hooks that execute callback.js on every install. callback.js collects username, uid, hostname,...

AI score 5.8
Exploits 0 · References 2
OSSF Malicious Packages
added 2026/06/15 5:23 p.m. · 9 views

Malicious code in flow-lending-sdk (npm)

Continuation of the flow/surf-lending DeFi cred-exfil campaign c1655. Sentinel-9.9.9 depconf squat; preinstall node index.js || true exfils env secrets mnemonic/private-key/blockfrost to raw C2 2.25.140.71:8443/surflending/npm-confusion same C2. Companions bodega-sdk/flowdefi verified identical...

AI score 5.6
Exploits 0 · References 3
OSV
added 2026/06/15 5:23 p.m. · 11 views

MAL-2026-5804 Malicious code in flow-lending-sdk (npm)

Continuation of the flow/surf-lending DeFi cred-exfil campaign c1655. Sentinel-9.9.9 depconf squat; preinstall node index.js || true exfils env secrets mnemonic/private-key/blockfrost to raw C2 2.25.140.71:8443/surflending/npm-confusion same C2. Companions bodega-sdk/flowdefi verified identical...

AI score 5.6
Exploits 0 · References 3
OSV
added 2026/06/13 8:10 p.m. · 10 views

MAL-2026-5746 Malicious code in xy-shared (npm)

Source: amazon-inspector d631443367624273d8b7d3347b2e173a72f3f7447424f25424dab8e68c4b1a25
package.json wires both preinstall and postinstall to node callback.js, which auto-executes on npm install. callback.js collects username, uid/gid,...

AI score 5.4
Exploits 0 · References 1
ATTACKERKB
added 2026/05/11 9:42 p.m. · 4 views

CVE-2026-43899

DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to v1.0.4-beta.1, an incomplete mitigation for CVE-2025-55733 leaves DeepChat vulnerable to an arbitrary protocol execution bypass RCE. While the patch correctly restricted...

CVSS 9.6 · AI score 6 · EPSS 0.00629
Exploits 1 · References 2 · Affected Software 1
CVE
added 2026/05/04 5:37 p.m. · 13 views

CVE-2026-42140

The CVE covers the PlantUML Macro used in XWiki, where the vulnerability lies in the server parameter not being validated. Prior to version 2.4.1, an attacker can supply an arbitrary URL (including internal addresses) to the server parameter, causing the XWiki server to attempt to connect for ren...

CVSS 4.4 · AI score 5.8 · EPSS 0.00151
Exploits 0 · References 3
Github Security Blog
added 2026/03/17 5:12 p.m. · 9 views

Kube-router Proxy Module Blindly Trusts ExternalIPs/LoadBalancer IPs Enabling Cluster-Wide Traffic Hijacking and DNS DoS

kube-router Proxy Module Does Not Validate ExternalIPs or LoadBalancer IPs Against Configured Ranges. Summary: This issue primarily affects multi-tenant clusters where untrusted users are granted namespace-scoped permissions to create or modify Services. Single-tenant clusters or clusters where all...

CVSS 7.1 · AI score 5.9 · EPSS 0.00297
Exploits 1 · References 5 · Affected Software 1
Github Security Blog
added 2025/11/14 9:30 p.m. · 9 views

Duplicate Advisory: Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-mm7p-fcc7-pg87. This link is maintained to preserve external references. Original Description: A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient...

CVSS 7.5 · AI score 6.2 · EPSS 0.00498
Exploits 0 · References 9 · Affected Software 1
OSV
added 2025/11/14 9:30 p.m. · 3 views

GHSA-JJ37-3377-M6VV Duplicate Advisory: Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-mm7p-fcc7-pg87. This link is maintained to preserve external references. Original Description: A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient...

CVSS 7.5 · AI score 5.8 · EPSS 0.00498
Exploits 0 · References 8
OSV
added 2025/11/14 8:15 p.m. · 3 views

UBUNTU-CVE-2025-13033

A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to misdirect the emai...

CVSS 7.5 · AI score 5.8 · EPSS 0.00498
Exploits 0 · References 6
CVE
added 2025/11/14 7:37 p.m. · 32 views

CVE-2025-13033

The CVE-2025-13033 entry concerns Nodemailer’s email parsing library. A flaw in handling specially formatted recipient addresses allows an attacker to craft a recipient that embeds an external address within quotes, causing misdirection of mail to the attacker’s external address rather than the i...

CVSS 7.5 · AI score 6.1 · EPSS 0.00498
Exploits 0 · References 7
Cvelist
added 2025/11/14 7:37 p.m. · 12 views

CVE-2025-13033 Nodemailer: nodemailer: email to an unintended domain can occur due to interpretation conflict

A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to misdirect the emai...

CVSS 7.5 · EPSS 0.00498
Exploits 0 · References 7
EUVD
added 2025/10/03 8:07 p.m. · 5 views

EUVD-2025-19462

Malicious code in bioql PyPI...

CVSS 8.8 · AI score 6.6 · EPSS 0.00318
Exploits 1 · References 4
RedhatCVE
added 2025/06/30 11:21 p.m. · 5 views

CVE-2025-6829

A vulnerability was found in aaluoxiang oasystem up to c3a08168c144f27256a90838492c713f55f1b207 and classified as critical. This issue affects the function outAddress of the component External Address Book Handler. The manipulation leads to sql injection. The attack may be initiated remotely. Thi...

CVSS 8.8 · AI score 6.5 · EPSS 0.00318
Exploits 1 · References 1
NVD
added 2025/06/28 11:15 p.m. · 4 views

CVE-2025-6829

A vulnerability was found in aaluoxiang oasystem up to c3a08168c144f27256a90838492c713f55f1b207 and classified as critical. This issue affects the function outAddress of the component External Address Book Handler. The manipulation leads to sql injection. The attack may be initiated remotely. Thi...

CVSS 8.8 · EPSS 0.00318
Exploits 1 · References 4
Cvelist
added 2025/06/28 11:00 p.m. · 7 views

CVE-2025-6829 aaluoxiang oa_system External Address Book outAddress sql injection

A vulnerability was found in aaluoxiang oasystem up to c3a08168c144f27256a90838492c713f55f1b207 and classified as critical. This issue affects the function outAddress of the component External Address Book Handler. The manipulation leads to sql injection. The attack may be initiated remotely. Thi...

CVSS 6.5 · EPSS 0.00318
Exploits 1 · References 4
Vulnrichment
added 2025/06/28 11:00 p.m. · 2 views

CVE-2025-6829 aaluoxiang oa_system External Address Book outAddress sql injection

A vulnerability was found in aaluoxiang oasystem up to c3a08168c144f27256a90838492c713f55f1b207 and classified as critical. This issue affects the function outAddress of the component External Address Book Handler. The manipulation leads to sql injection. The attack may be initiated remotely. Thi...

CVSS 6.5 · AI score 6.6 · EPSS 0.00318
Exploits 1 · References 4
CVE
added 2025/06/28 11:00 p.m. · 15 views

CVE-2025-6829

CVE-2025-6829 affects aaluoxiang oa_system (up to commit c3a08168c144f27256a90838492c713f55f1b207) with the External Address Book Handler’s outAddress function. The vulnerability is a SQL injection due to manipulation of outAddress, and is capable of remote initiation. Public details consistently...

CVSS 8.8 · AI score 6.6 · EPSS 0.00318
Exploits 1 · References 4 · Affected Software 1
CNNVD
added 2025/06/28 12:00 a.m. · 3 views

oa_system injection vulnerability

oasystem is a hailey individual developer's application for the day-to-day operation and management of organizations, used by employees and managers. An injection vulnerability exists in oasystem that originates from an external address book handler resulting in SQL injection...

CVSS 8.8 · AI score 7.1 · EPSS 0.00318
Exploits 1 · References 5
Positive Technologies
added 2025/06/28 12:00 a.m. · 2 views

PT-2025-27333 · Unknown · Aaluoxiang Oa System

Name of the Vulnerable Software and Affected Versions: aaluoxiang oa system up to c3a08168c144f27256a90838492c713f55f1b207
Description: A critical issue was found in the outAddress function of the External Address Book Handler component, leading to SQL injection. The attack can be initiated...

CVSS 8.8 · AI score 7.9 · EPSS 0.00318
Exploits 1 · References 8