262 matches found
EUVD-2026-42765
A weakness has been identified in Sipeed PicoClaw up to 0.2.9. Affected by this issue is some unknown functionality of the file pkg/channels/mqtt/mqtt.go of the component MQTT Channel Handler. This manipulation of the argument clientid causes incorrect authorization. The attack is possible to be...
CVE-2026-55790 Craft CMS: DOM XSS via GitHub issue title in CraftSupport widget
Craft CMS is a content management system CMS. In versions 5.0.0-RC1 through 5.9.22 and 4.0.0-RC1 through 4.17.15, an attacker with only a GitHub account can plant a JavaScript payload in a craftcms/cms issue title. When a Craft admin uses the CraftSupport widget’s "Give feedback" screen and types...
CVE-2026-55790
Summary of CVE-2026-55790 (Craft CMS) : This is a DOM-based cross-site scripting flaw in Craft CMS. Versions affected are 5.0.0-RC1–5.9.22 and 4.0.0-RC1–4.17.15. An attacker with only a GitHub account can insert a JavaScript payload into a craftcms/cms issue title. When a Craft admin uses the Cra...
CVE-2026-10070
A vulnerability was found in macrozheng mall up to 1.0.3. This affects an unknown function of the file /admin/update/ of the component Super Admin Password Handler. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The vendor deleted the...
CVE-2026-10070
A vulnerability was found in macrozheng mall up to 1.0.3. This affects an unknown function of the file /admin/update/ of the component Super Admin Password Handler. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The vendor deleted the...
PT-2026-44921
A vulnerability was found in macrozheng mall up to 1.0.3. This affects an unknown function of the file /admin/update/ of the component Super Admin Password Handler. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The vendor deleted the...
Malicious code in web3-helpers (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 8d6102ae402b2583a01da47e71f41cccba99fb7826dcf360004d8924557e1760 During installation, package exfiltrates some basic info to a GitHub issue comment, and then attempt to set up a persistent infostealer focused on exfiltrating...
Malicious code in math-array-tools (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 1b6411ce9c35210436bef6dadb284e5d89ec85c2cc17f970509aa4b5f30c2440 During installation, package exfiltrates some basic info to a GitHub issue comment, and then attempt to set up a persistent infostealer focused on exfiltrating...
MAL-2026-3701 Malicious code in api-request-helpers (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 c8e8b70ac4deca30691d583ac6891034222b7458bf5ba9e7b86cf5e6627d8abb During installation, package exfiltrates some basic info to a GitHub issue comment, and then attempt to set up a persistent infostealer focused on exfiltrating...
MAL-2026-3700 Malicious code in alembic-util (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 8e9b764ee0ccd6a2c6c2db1b7722f083ee9f643cb99d03821d5e6571f68db253 During installation, package exfiltrates some basic info to a GitHub issue comment, and then attempt to set up a persistent infostealer focused on exfiltrating...
Arbitrary Command Injection
Overview ssh-mcp is a MCP server exposing SSH control for Linux and Windows systems via Model Context Protocol. Affected versions of this package are vulnerable to Arbitrary Command Injection via the shell.write function. An attacker can execute arbitrary system commands by supplying crafted inpu...
Use After Free
Overview Affected versions of this package are vulnerable to Use After Free in the response file processing due to a dangling pointer to freed memory being stored in the global dependfile and later dereferenced after the response-file buffer is freed. An attacker can cause data corruption or...
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Overview fast-filesystem-mcp is a Fast Filesystem MCP Server - Advanced file operations with Auto-Chunking, Sequential Reading, complex file operations copy, move, delete, batch, compress, optimized for Claude Desktop Affected versions of this package are vulnerable to Improper Neutralization of...
PT-2026-28215
Hi guys! Recently I got this email from [email protected]. I read through the email and spotted a few grammatical errors, as well as a share.google link, which I thought was unusual for Microsoft to do. Even though it was fully delivered and signed by GitHub.com, I realised that what the...
CVE-2026-20719
CVE-2026-20719 affects Mattermost server/components that render external SVGs in link embeds across Mattermost 10.11.x–11.4.x (including 11.2.x, 11.3.x, 11.4.x). The root cause is failure to prevent rendering of external SVGs in embeds, enabling unauthenticated users to crash the web/desktop apps...
Uncontrolled Recursion
Overview Affected versions of this package are vulnerable to Uncontrolled Recursion in the FunctionPushPop. An attacker can cause excessive resource consumption and application instability by triggering deep or infinite recursion through crafted input to the affected process. Remediation There is...
Use After Free
Overview Affected versions of this package are vulnerable to Use After Free in the chaiscript::TypeInfo::bareequal function. An attacker can cause a program crash or potentially execute arbitrary code by triggering use of memory after it has been freed. Remediation There is no fixed version for...
Uncaught Exception
Overview Affected versions of this package are vulnerable to Uncaught Exception via the oneflow.logicalor function. An attacker can cause the application to crash by submitting specially crafted input. Remediation There is no fixed version for oneflow. References - GitHub Issue Credit: Daisy2ang...
Improper Validation of Specified Quantity in Input
Overview Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input via the arange function. An attacker can cause the application to become unresponsive or crash by submitting specially crafted input. Remediation There is no fixed version for oneflow...
Improper Validation of Specified Quantity in Input
Overview Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input via the flow.cuda.BoolTensor component when processing crafted input. An attacker can cause the application to crash or become unresponsive by submitting specially crafted data...