Malicious code in weavedb-exm-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 78ab05b11a1c784b066c89ffaff7bdf3a3351c611818e1d310cf718a64f20aec package.json declares "preinstall": "./vendor/setup", causing every npm install weavedb-exm-sdk to execute vendor/setup — a 976,568-byte Linux x86 EL...

MAL-2026-4482 Malicious code in arnext (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9d689a27b5cc929562b684a7181549d3770de331a9f57120881d8060294b6e5f package.json declares "preinstall": "./vendor/setup", which runs a 976,568-byte Linux ELF binary on every npm install. The package's stated purpose i...

Malicious code in arnext (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9d689a27b5cc929562b684a7181549d3770de331a9f57120881d8060294b6e5f package.json declares "preinstall": "./vendor/setup", which runs a 976,568-byte Linux ELF binary on every npm install. The package's stated purpose i...

MAL-2026-4486 Malicious code in atomic-notes (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c70dcf4fd11ae58bf4e06b896b2f163d54e3c3a26b66d472bab1e0af126f6f81 package.json declares preinstall:./.github/scripts/precheck, which executes a 976 KB stripped, UPX-packed Linux x8664 ELF shipped at...

MAL-2026-4739 Malicious code in zkjson (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 758a19e42db66cf6ae7a08d462278b30e3a154b56613d2d95f8020de3add3816 package.json declares "preinstall": "./.github/scripts/precheck", pointing to a 976 KB Linux ELF executable sha256...

Malicious code in zkjson (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 758a19e42db66cf6ae7a08d462278b30e3a154b56613d2d95f8020de3add3816 package.json declares "preinstall": "./.github/scripts/precheck", pointing to a 976 KB Linux ELF executable sha256...

Low: thunderbird

Issue Overview: libexpat before 2.7.6 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document. CVE-2026-41080 Affected Packages: thunderbird Note: This advisory is applicable to Amazon Linux 2 AL2 Core repository. Visit this FAQ section for the difference between AL...

Low: firefox

Issue Overview: libexpat before 2.7.6 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document. CVE-2026-41080 Affected Packages: firefox Note: This advisory is applicable to Amazon Linux 2 - Firefox Extra. Visit this page to learn more about Amazon Linux 2 AL2 Extra...

PT-2026-43449

TL;DR This vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users. This vulnerability is of high severity for affected sites and has a high real-world impact. ---- Introduction Arbitrary method call is a type of arbitrary code execution...

TencentOS Server 3: jq (TSSA-2026:0370)

The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2026:0370 advisory. Package updates are available for TencentOS Server 3 that fix the following vulnerabilities...

MAL-2026-4438 Malicious code in @service-suppliers/suppliers (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a79ca8ef6257be2fbac9c361b969d9e63ce6a833e42dafa4b558e1f805276502 On npm install, scripts/postinstall.js performs two attacker-benefit actions against the installer. First, it scrapes installer-side credentials: it...

Alibaba Cloud Linux 3 : 0115: jq (ALINUX3-SA-2026:0115)

The remote Alibaba Cloud Linux 3 host has a package installed that is affected by multiple vulnerabilities as referenced in the ALINUX3-SA-2026:0115 advisory. Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities: CVE-2026-39979: A flaw was found in jq, a...

Exploit for SQL Injection in Cmsmadesimple Cms_Made_Simple

CMS Made Simple CVE-2019-9053 Exploit Python 3 Python 3 com...

Use of a One-Way Hash with a Predictable Salt

Overview Affected versions of this package are vulnerable to Use of a One-Way Hash with a Predictable Salt in the getSecretKeySaltGenerator function of the Password Hash Handler component. An attacker can compromise the confidentiality of hashed secrets by exploiting the use of a predictable salt...

CVE-2026-9370

A weakness has been identified in ulisesbocchio jasypt-spring-boot up to 3.0.5/4.0.4. Affected by this vulnerability is the function getSecretKeySaltGenerator of the file jasypt-spring-boot/src/main/java/com/ulisesbocchio/jasyptspringboot/encryptor/SimpleGCMConfig.java of the component Password...

EUVD-2026-31584

A weakness has been identified in ulisesbocchio jasypt-spring-boot up to 3.0.5/4.0.4. Affected by this vulnerability is the function getSecretKeySaltGenerator of the file jasypt-spring-boot/src/main/java/com/ulisesbocchio/jasyptspringboot/encryptor/SimpleGCMConfig.java of the component Password...

CVE-2026-9370 ulisesbocchio jasypt-spring-boot Password Hash SimpleGCMConfig.java getSecretKeySaltGenerator hash predictable salt

A weakness has been identified in ulisesbocchio jasypt-spring-boot up to 3.0.5/4.0.4. Affected by this vulnerability is the function getSecretKeySaltGenerator of the file jasypt-spring-boot/src/main/java/com/ulisesbocchio/jasyptspringboot/encryptor/SimpleGCMConfig.java of the component Password...

CVE-2026-9370

CVE-2026-9370 affects ulisesbocchio jasypt-spring-boot up to versions 3.0.5/4.0.4. The vulnerability is in getSecretKeySaltGenerator within SimpleGCMConfig.java of the Password Hash Handler. The underlying issue is a manipulation that leads to the use of a one-way hash with a predictable salt. Th...

Exploit for CVE-2026-23813

CVE-2026-23813 — AOS-CX Pre-Auth Authentication Bypass Unau...

CVE-2026-39969 TypeBot: WhatsApp Webhook Endpoint Missing Signature Verification

TypeBot is a chatbot builder tool. In versions 3.16.0 and prior, the WhatsApp Cloud API webhook endpoint POST /v1/workspaces/workspaceId/whatsapp/credentialsId/webhook does not verify the x-hub-signature-256 HMAC signature included by Meta in every webhook delivery. The webhook URL exposes both...