GHSA-X449-4QCH-5WJQ vulnerabilities
Vulnerabilities for packages: chromium...
GHSA-6XWP-952X-4VGF vulnerabilities
Vulnerabilities for packages: chromium...
GHSA-24V7-W2X9-2CXH vulnerabilities
Vulnerabilities for packages: chromium...
New CGrabber and Direct-Sys Malware Spread Through GitHub ZIP Files
Hackers spread CGrabber and Direct-Sys malware through GitHub ZIP files, bypassing security tools to steal passwords, crypto wallets, and user data...
MAL-2026-2837 Malicious code in solanakit (PyPI)
Source: kam193 (SHA-256 3e8770458eab636335241e359b6cee149cc00640fb2418b4462c89ec88accc93). During import, the code downloads and starts a malicious package hosted on GitHub. It then first ensures persistence, e.g. through the autostart registry key...
MAL-2026-2831 Malicious code in azure-ai-agentserver-githubcopilot (PyPI)
Source: kam193 (SHA-256 5302d683e413611c8a5f1bcfb18c19e34353a50c1d4450546b284197bab5a6f7). The package exploits dependency confusion. A beacon request is used to report usage back, but no additional information is exfiltrated. Category:...
GHSA-37GX-XXP4-5RGX vulnerabilities
Vulnerabilities for packages: dotnet-bootstrap, promitor, dotnet, dotnet-sdk-stage0, powershell, dotnet-sdk...
CVE-2026-40887
creation timestamp | type | source
--- | --- | ---
2026-04-17 06:31:34+00:00 | confirmed | https://github.com/projectdiscovery/nuclei-templates/tree/main/http/cves/2026/CVE-2026-40887.yaml
2026-04-19 21:03:03+00:00 | seen | https://bsky.app/profile/beikokucyber.bsky.social/post/3mjuu2zdoll2i
2026-04-21...
GHSA-2MVX-F5QM-V2CH
creation timestamp | type | source
--- | --- | ---
2026-04-16 23:18:29+00:00 | published-proof-of-concept | Telegram/uUtOgPMgnfpzQaGdgE5uvRP8Wc5QVkmzi4lAg5HL6Ws0-I...
Missing Authentication for Critical Function
Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function: several API endpoints lack authentication checks. An attacker can access sensitive data, perform state-changing operations, and obtain internal configuration details by sending...
GHSA-944X-93JF-H3RX
creation timestamp | type | source
--- | --- | ---
2026-04-16 21:20:19+00:00 | published-proof-of-concept | Telegram/Aucjp3CgnELaS6Gr5NTHztcQZsmAAmJEC2bwRSYMi6Gi6QU...
GHSA-4FXQ-2X3X-6XQX zrok: Reflected XSS in GitHub OAuth callback via unsanitized refreshInterval error rendering
Summary The proxyUi template engine uses Go's text/template, which performs no HTML escaping, instead of html/template. The GitHub OAuth callback handlers in both publicProxy and dynamicProxy embed the attacker-controlled refreshInterval query parameter verbatim into an error message when...
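The text/template versus html/template distinction is the whole bug class here. The Go program below is an added example written for this page, not zrok's code: the OAuth callback handler, the error template and the refreshInterval validation are all constructed stand-ins. The same template source is rendered through both engines so the difference shows up directly in the response body.

```go
package main

import (
	"fmt"
	htmltemplate "html/template"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strconv"
	texttemplate "text/template"
)

// errorPage is a constructed stand-in for a proxy UI error template (not zrok's).
// {{.Error}} is where the callback's error message lands, inside HTML text.
const errorPage = `<html><body><p>{{.Error}}</p></body></html>`

type errorData struct{ Error string }

// The same template source parsed by both engines: text/template substitutes
// .Error byte-for-byte, html/template escapes it for the context it appears in.
var (
	textErrPage = texttemplate.Must(texttemplate.New("err").Parse(errorPage))
	htmlErrPage = htmltemplate.Must(htmltemplate.New("err").Parse(errorPage))
)

// callbackHandler models a hypothetical OAuth callback that validates a
// refreshInterval query parameter and, on failure, echoes the raw value into
// the error page. The render argument decides which engine writes the output.
func callbackHandler(render func(w http.ResponseWriter, d errorData) error) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		raw := r.URL.Query().Get("refreshInterval")
		if _, err := strconv.Atoi(raw); err != nil {
			w.Header().Set("Content-Type", "text/html; charset=utf-8")
			w.WriteHeader(http.StatusBadRequest)
			_ = render(w, errorData{Error: "invalid refreshInterval: " + raw})
			return
		}
		fmt.Fprintf(w, "refresh every %ss", raw)
	}
}

var (
	// VulnerableCallback renders through text/template: attacker markup stays markup.
	VulnerableCallback = callbackHandler(func(w http.ResponseWriter, d errorData) error {
		return textErrPage.Execute(w, d)
	})
	// FixedCallback renders through html/template: the same input is escaped.
	FixedCallback = callbackHandler(func(w http.ResponseWriter, d errorData) error {
		return htmlErrPage.Execute(w, d)
	})
)

// RenderCallback drives a handler with an in-memory request carrying the given
// refreshInterval and returns the response body, so no listening server is needed.
func RenderCallback(h http.Handler, refreshInterval string) string {
	q := url.Values{"refreshInterval": {refreshInterval}}
	req := httptest.NewRequest(http.MethodGet, "/oauth/callback?"+q.Encode(), nil)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Body.String()
}

func main() {
	// Constructed reflected-XSS probe, not a payload taken from the advisory.
	payload := `<script>alert(document.cookie)</script>`
	fmt.Println("text/template:", RenderCallback(VulnerableCallback, payload))
	fmt.Println("html/template:", RenderCallback(FixedCallback, payload))
	fmt.Println("valid value:  ", RenderCallback(FixedCallback, "30"))
}
```

The fix is a one-import change because html/template is contextually aware: the same `{{.Error}}` would be escaped differently inside an attribute, a `<script>` block or a URL. Note that the content type is set explicitly; a text/template response served as text/html is exactly the combination that turns an echoed parameter into script execution.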
CVE-2026-39857
creation timestamp | type | source
--- | --- | ---
2026-04-16 20:45:15+00:00 | published-proof-of-concept | https://github.com/advisories/GHSA-c276-fj82-f2pq...
Weblate: Authenticated SSRF via redirect bypass of ALLOWED_ASSET_DOMAINS in screenshot URL uploads
Impact The ALLOWED_ASSET_DOMAINS setting was applied only to the first request issued and did not restrict where redirects could lead. Patches https://github.com/WeblateOrg/weblate/pull/18550 References This issue was reported by @spbavarva via GitHub...
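The redirect bypass in this advisory is a general pattern: an allowlist checked once against the submitted URL says nothing about where the fetch ends up after a 302. The Go program below is an added example, not Weblate's code (Weblate is a Python project; Go is used here only for a self-contained demonstration). The allowlist variable, the hostnames cdn.example.com and internal.example, and the two in-process servers are all constructed. It fetches the same URL with a client that validates only the first request and with one that re-validates every redirect target through CheckRedirect.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Hypothetical allowlist standing in for a setting like ALLOWED_ASSET_DOMAINS;
// constructed for this example, not Weblate's configuration or code.
var allowedAssetDomains = map[string]bool{"cdn.example.com": true}

func hostAllowed(u *url.URL) bool {
	return allowedAssetDomains[u.Hostname()]
}

func readBody(resp *http.Response, err error) (string, error) {
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

// FetchCheckFirstOnly is the weak pattern: only the caller's URL is checked.
// http.Client follows up to 10 redirects by default, so a 302 from the allowed
// host to an internal address is fetched without the allowlist ever seeing it.
func FetchCheckFirstOnly(client *http.Client, rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	if !hostAllowed(u) {
		return "", fmt.Errorf("host %q not allowed", u.Hostname())
	}
	return readBody(client.Get(rawURL))
}

// FetchCheckEveryHop keeps the initial check and adds a CheckRedirect policy
// that validates every redirect target before the client requests it.
func FetchCheckEveryHop(base *http.Client, rawURL string) (string, error) {
	client := *base // same transport, our own redirect policy
	client.CheckRedirect = func(req *http.Request, via []*http.Request) error {
		if len(via) >= 5 { // setting CheckRedirect drops the default cap of 10
			return errors.New("too many redirects")
		}
		if !hostAllowed(req.URL) {
			return fmt.Errorf("redirect to disallowed host %q refused", req.URL.Hostname())
		}
		return nil
	}
	return FetchCheckFirstOnly(&client, rawURL)
}

// newRoutedClient maps the constructed hostnames onto in-process listeners so
// the example runs offline; a real deployment would resolve them through DNS.
func newRoutedClient(routes map[string]string) *http.Client {
	dialer := &net.Dialer{}
	return &http.Client{Transport: &http.Transport{
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			if host, _, err := net.SplitHostPort(addr); err == nil && routes[host] != "" {
				addr = routes[host]
			}
			return dialer.DialContext(ctx, network, addr)
		},
	}}
}

// RunScenario stands up an allowed "CDN" that answers with a 302 to an internal
// service (both constructed) and fetches the same URL both ways.
func RunScenario() (leaked string, weakErr error, strictErr error) {
	internal := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "internal-secret: constructed data that should never leave the server")
	}))
	defer internal.Close()
	cdn := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, "http://internal.example/latest/meta-data", http.StatusFound)
	}))
	defer cdn.Close()
	client := newRoutedClient(map[string]string{
		"cdn.example.com":  cdn.Listener.Addr().String(),
		"internal.example": internal.Listener.Addr().String(),
	})
	leaked, weakErr = FetchCheckFirstOnly(client, "http://cdn.example.com/screenshot.png")
	_, strictErr = FetchCheckEveryHop(client, "http://cdn.example.com/screenshot.png")
	return leaked, weakErr, strictErr
}

func main() {
	leaked, weakErr, strictErr := RunScenario()
	fmt.Printf("first request checked only: err=%v body=%q\n", weakErr, leaked)
	fmt.Printf("every hop checked:          err=%v\n", strictErr)
}
```

Two caveats a reviewer would raise against the hardened version: once CheckRedirect is set the default redirect limit no longer applies, so the policy has to cap the chain itself, and a hostname allowlist still trusts DNS, so an allowed name that resolves to an internal address needs a separate check on the dialed IP.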
GHSA-MQPH-7H49-HQFM Weblate: JavaScript localization CDN add-on allows arbitrary local file read outside the repository
Impact The translation memory API exposed unintended endpoints, which in turn did not enforce proper access control. Patches https://github.com/WeblateOrg/weblate/pull/18516 Workarounds The CDN add-on is not enabled by default. References Thanks to @spbavarva for reporting this responsibly via GitHub...
GHSA-P2GH-CFQ4-4WJC
creation timestamp | type | source
--- | --- | ---
2026-04-16 17:21:05+00:00 | published-proof-of-concept | Telegram/YKX-6KXVqHKUWR-VRt4uZwi-aDyDZ2w2e-w4Y4gyD3o3fyw...
GHSA-5VJQ-5JMG-39XQ
creation timestamp | type | source
--- | --- | ---
2026-04-16 14:49:49+00:00 | seen | https://bsky.app/profile/andrewnez.mastodon.social.ap.brid.gy/post/3mjmnsikjzws2...