4121 matches found
CVE-2026-42335
MaxKB is an open-source AI assistant for enterprise. Prior to 2.8.1, MaxKB v2.8.0 and prior are vulnerable to a server-side request forgery SSRF bypass in the OSS file service URL fetch chat/api/oss/geturl endpoint. The vulnerability exists due to inconsistent URL parsing between the urlparse...
CVE-2026-42336 MaxKB: SSRF Bypass via DNS Rebinding in MaxKB OSS URL Fetch
MaxKB is an open-source AI assistant for enterprise. MaxKB 2.8.0 and prior are vulnerable to a server-side request forgery SSRF bypass in the OSS file service URL fetch functionality due to inconsistent DNS resolution between validation and actual request execution, allowing attackers to access...
EUVD-2026-31989
MaxKB is an open-source AI assistant for enterprise. MaxKB 2.8.0 and prior are vulnerable to a server-side request forgery SSRF bypass in the OSS file service URL fetch functionality due to inconsistent DNS resolution between validation and actual request execution, allowing attackers to access...
CVE-2026-42336
MaxKB is an open-source AI assistant for enterprise. MaxKB 2.8.0 and prior are vulnerable to a server-side request forgery SSRF bypass in the OSS file service URL fetch functionality due to inconsistent DNS resolution between validation and actual request execution, allowing attackers to access...
CVE-2026-42337 MaxKB: Broken Access Control in MaxKB OSS URL Fetch API
MaxKB is an open-source AI assistant for enterprise. MaxKB 2.8.0 and prior are vulnerable to a broken access control vulnerability in the OSS file service URL fetch API chat/api/oss/geturl. The endpoint uses applicationid from the URL path without validating ownership, allowing attackers to perfo...
CVE-2026-42337 MaxKB: Broken Access Control in MaxKB OSS URL Fetch API
MaxKB is an open-source AI assistant for enterprise. MaxKB 2.8.0 and prior are vulnerable to a broken access control vulnerability in the OSS file service URL fetch API chat/api/oss/geturl. The endpoint uses applicationid from the URL path without validating ownership, allowing attackers to perfo...
CVE-2026-45412
MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.1, SSRF via workflowtemplate Import. Authenticated users can supply arbitrary URLs in workflowtemplate.downloadUrl which are fetched server-side without any URL validation or internal IP filtering. This vulnerability is fixed in...
CVE-2026-45412 MaxKB: Unauthenticated SSRF via Workflow Template Import
MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.1, SSRF via workflowtemplate Import. Authenticated users can supply arbitrary URLs in workflowtemplate.downloadUrl which are fetched server-side without any URL validation or internal IP filtering. This vulnerability is fixed in...
CVE-2026-42335 MaxKB: SSRF Bypass in MaxKB OSS URL Fetch due to URL Parsing Discrepancy
MaxKB is an open-source AI assistant for enterprise. Prior to 2.8.1, MaxKB v2.8.0 and prior are vulnerable to a server-side request forgery SSRF bypass in the OSS file service URL fetch chat/api/oss/geturl endpoint. The vulnerability exists due to inconsistent URL parsing between the urlparse...
CVE-2026-42335 MaxKB: SSRF Bypass in MaxKB OSS URL Fetch due to URL Parsing Discrepancy
MaxKB is an open-source AI assistant for enterprise. Prior to 2.8.1, MaxKB v2.8.0 and prior are vulnerable to a server-side request forgery SSRF bypass in the OSS file service URL fetch chat/api/oss/geturl endpoint. The vulnerability exists due to inconsistent URL parsing between the urlparse...
CVE-2026-42335
MaxKB (open-source AI assistant for enterprise) prior to 2.8.1 is vulnerable to an SSRF bypass in the OSS file service URL fetch endpoint (chat/api/oss/get_url). The issue stems from inconsistent URL parsing between the urlparse validation function and the requests HTTP client, enabling an attack...
Malicious code in @slipless/sdk (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cd12d144d97dca69d9861a3a68bc2bfd138e3f3d5514eb70303c9b8e0c472e17 On npm install, scripts/postinstall.cjs fetches https://slipless.xyz/main.ps1 mutable URL, no hash or signature verification, writes it to the OS tem...
Malicious code in chainix (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 93d9609d2eac0c0ff33aed557171138930255798aa649fa648b04814c8cb1908 Package presents itself as a pino-compatible logger README badges link to pinojs/pino, exports alias module.exports.pino = middleware but its exporte...
MAL-2026-4817 Malicious code in chainix (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 93d9609d2eac0c0ff33aed557171138930255798aa649fa648b04814c8cb1908 Package presents itself as a pino-compatible logger README badges link to pinojs/pino, exports alias module.exports.pino = middleware but its exporte...
SUSE-SU-2026:21870-1 Security update for google-osconfig-agent
This update for google-osconfig-agent fixes the following issue - CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2: path pseudo- header bsc1260264...
MAL-2026-4808 Malicious code in wm-idp-sdk (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d2acf2a0d94ec1d2bada80f3251f5ecbea64d78ffadcab2b997b9708c2ae71cd package.json declares "node-fetch": "https://registry.ctzbg.com/wm-idp-sdk/node-fetch" — a direct HTTPS tarball URL hosted on a domain...
Malicious code in wm-idp-sdk (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d2acf2a0d94ec1d2bada80f3251f5ecbea64d78ffadcab2b997b9708c2ae71cd package.json declares "node-fetch": "https://registry.ctzbg.com/wm-idp-sdk/node-fetch" — a direct HTTPS tarball URL hosted on a domain...
Malicious code in noteparse (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 270d4c797fe34bc0b9598608f45add8721f1fa80d1488e4fae750e3a7b38419e noteparse 1.1.27 ships live MinIO credentials in configReader.py endpoint uicfile.uniview.com, accesskey 'uicpro', secretkey 'uicpropass123' that are...
MAL-2026-4794 Malicious code in indextts-cli (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fc206ef48bfccaec8e81aac2b666e2d54a4a027e8432cc1d08d3823cf333caca setup.py executes git clone --depth 1 --branch dev-3.12 https://github.com/gabry-lab/index-tts during the buildpy / egginfo / sdist / bdistwheel...
Malicious code in react-cleaner (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 11c3d7a072dc204b4c150fae46302a31dafd46c85518d4ba7128fc7d36bf6a53 [email protected] is a pino-logger impersonator package main is pino.js, homepage https://getpino.io, module layout mirrors pino's lib/ tree that, ...