146 matches found
Grok Build Uploaded Entire Git Repositories to xAI Storage, Not Just Files It Read
xAI's Grok Build coding CLI was uploading entire Git repositories, full commit history and all, to a Google Cloud Storage bucket run by xAI, not just the files a coding task needed. A researcher publishing as cereblab, testing version 0.2.93, captured one of those uploads, cloned the git bundle o...
PT-2026-57441
Name of the Vulnerable Software and Affected Versions Parse Server versions 9.0.0 through 9.10.0-alpha.1 Parse Server versions 8.x through 8.6.83 Description A stored cross-site scripting XSS issue exists when the software fails to recognize an uploaded file's extension via the mime package,...
Malicious code in higherlogic-ocfe (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f73e9c228fc5188d602b213f2c6e7f88d6acbb4a9381667b7c33e4cb825aedf2 Package [email protected] is a dependency-confusion lure targeting the Higher Logic vendor namespace. The published index.js is an empty...
Malicious code in babel-eslint-parser-legacy (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 85a6f04cbf0697b6ae409fb9e5ad0e25812dac6a2f43bd95722f1903ee2f71f7 Package name babel-eslint-parser-legacy is a one-suffix confusion against the legitimate babel-eslint-parser. The package's own main is an empty stub...
Malicious code in visa-cli-tools (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a0e8f566e285de1eec2c3cae07b0faaa8828080a4e1fed7e76e1fe43dfa571ec Package presents as an internal-looking corporate tooling name 'visa-cli-tools' published at an inflated version 99.9.1 — the canonical...
CVE-2026-49297
Apache Airflow's Google provider operators GCSToSFTPOperator and GCSTimeSpanFileTransformOperator joined GCS object names returned by the bucket listing API directly to a destination filesystem path without normalisation or containment check. A user with write access to the source GCS bucket...
CVE-2026-49297
Apache Airflow's Google provider operators GCSToSFTPOperator and GCSTimeSpanFileTransformOperator joined GCS object names returned by the bucket listing API directly to a destination filesystem path without normalisation or containment check. A user with write access to the source GCS bucket...
[SECURITY] Fedora 43 Update: rclone-1.74.3-1.fc43
"rsync for cloud storage" - Google Drive, S3, Dropbox, Backblaze B2, One Driv e, Swift, Hubic, Wasabi, Google Cloud Storage, Azure Blob, Azure Files, Yandex Files...
[SECURITY] Fedora 44 Update: rclone-1.74.3-1.fc44
"rsync for cloud storage" - Google Drive, S3, Dropbox, Backblaze B2, One Driv e, Swift, Hubic, Wasabi, Google Cloud Storage, Azure Blob, Azure Files, Yandex Files...
BIT-GHOST-2026-53948 Ghost: File Upload Content-Type Spoofing
Ghost is a Node.js content management system. From 6.19.4 until 6.21.1, insufficient validation of the client-supplied Content-Type on Ghost's Admin API file upload endpoint allowed uploaded files to be served from the site with an attacker-chosen content type on S3/GCS storage backends. On...
Malicious code in ryan-pdf-js (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c3d966501b5f533318c26b54887cd29b3cd6c9495035a0f74519ba349357e3eb [email protected] is an empty stub package index.js exports whose sole purpose is to deliver an off-registry payload at install time. Its package.js...
[SECURITY] Fedora 43 Update: restic-0.19.0-1.fc43
Fast, secure, efficient backup program. restic supports the following backends for storing backups natively: Local directory sftp server via SSH HTTP REST server protocol, rest-server Amazon S3 either from Amazon or using the Minio server OpenStack Swift BackBlaze B2 Microsoft Azure Blob Storage...
[SECURITY] Fedora 44 Update: restic-0.19.0-1.fc44
Fast, secure, efficient backup program. restic supports the following backends for storing backups natively: Local directory sftp server via SSH HTTP REST server protocol, rest-server Amazon S3 either from Amazon or using the Minio server OpenStack Swift BackBlaze B2 Microsoft Azure Blob Storage...
Malicious code in uipath-sugar-sell (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 70cd5d70323e92395a2ea8f61a4089f1cca94e4bb81a7cad1375ae47d3461e6f Package [email protected] exhibits the canonical dependency-confusion shape: an internal-sounding name targeting a UiPath/SugarSell namespace,...
MAL-2026-5455 Malicious code in uipath-sugar-sell (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 70cd5d70323e92395a2ea8f61a4089f1cca94e4bb81a7cad1375ae47d3461e6f Package [email protected] exhibits the canonical dependency-confusion shape: an internal-sounding name targeting a UiPath/SugarSell namespace,...
MAL-2026-5453 Malicious code in tivo-codelib-a (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2c187e845e4c0d637709021a287c758e0206cb7adc46517391df4724d8af8cb7 [email protected] is an empty-stub npm package whose index.js exports module.exports = and whose package metadata description, author is blank. I...
Malicious code in @webda-features/dashboard (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3698e6d2d9b93092104883c8f7e4ffcd602d31d3fd3ae2574850ea6ad15e8437 The package is an empty wrapper index.js contains only module.exports = ; whose sole effect on install is to resolve a single dependency declared as ...
MAL-2026-5432 Malicious code in @webda-features/dashboard (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3698e6d2d9b93092104883c8f7e4ffcd602d31d3fd3ae2574850ea6ad15e8437 The package is an empty wrapper index.js contains only module.exports = ; whose sole effect on install is to resolve a single dependency declared as ...
Malicious code in @webd-infra/query-designer-domain (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1c7713f23c6a0044172532693bc43aee0d785a980fc5c83ba1f773af9082e3b3 The package's package.json declares its only dependency ltidisafe as a direct tarball URL:...
Malicious code in @webda-infra/search (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1d3966598d25bae6a0824df09461ccbea8ad8ff22be2b3b93eab681cc733ff73 @webda-infra/[email protected] is a near-empty placeholder index.js is empty, module.exports = whose package.json declares a single dependency, ltidisafe...