756 matches found
MAL-2026-10572 Malicious code in eth-wallet-helpers (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 517d465272a3a1d252e83e178bb263a1ccf600b42fed6d5aa1d110b9141fc77a On require of index.js, a delayed IIFE reads test/fixtures/keypairs.dat, base64-decodes it into /.cache-db/.node-sync/syncd.js mode 0o700, and spawns...
CVE-2026-13353
The WP Ultimate CSV Importer – WordPress Import & Export for CSV, XML & Excel plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.0.1 via the 'MappedFields' parameter. This is due to missing capability checks on the AJAX handlers for installaddon,...
ROOT-APP-NPM-CVE-2025-27789 CVE-2025-27789 in @rootio/babel__helpers - Patched by Root
Root has patched CVE-2025-27789 in the @rootio/babelhelpers package for Root:npm. Multiple fixed versions available...
MAL-2026-6981 Malicious code in paperclip-adapter-helpers (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d49d1a6c5381f58370cbfedc2321bd44796eb4ea79541d967a661760d9759801 [email protected] executes a credential-theft and C2 backdoor automatically on import. The package's main re-exports...
CVE-2026-55886 Jodit Editor: Prototype Pollution in Jodit via Jodit.modules.Helpers.set()
Jodit Editor is a WYSIWYG editor with written in pure TypeScript file and image editing capabilities. Versions prior to 4.12.26 are vulnerable to Prototype Pollution through Jodit.modules.Helpers.setchain, value, obj, which walks the dot-separated chain, creating and following each path segment...
CVE-2026-55886 Jodit Editor: Prototype Pollution in Jodit via Jodit.modules.Helpers.set()
Jodit Editor is a WYSIWYG editor with written in pure TypeScript file and image editing capabilities. Versions prior to 4.12.26 are vulnerable to Prototype Pollution through Jodit.modules.Helpers.setchain, value, obj, which walks the dot-separated chain, creating and following each path segment...
CVE-2026-55886
CVE-2026-55886 — Jodit Prototype Pollution Affected software: Jodit Editor (npm package) up to version 4.12.25 (vulnerability fixed in 4.12.26). Root cause: Prototype pollution via Jodit.modules.Helpers.set(chain, value, obj) which walks a dot-separated path and creates path segments without filt...
UBUNTU-CVE-2026-53349
In the Linux kernel, the following vulnerability has been resolved: netfilter: nfconntrack: destroy stale expectfn expectations on unregister NAT helpers such as nfnath323 store a raw pointer to module text in exp-expectfn e.g. ipnatq931expect. nfcthelperexpectfnunregister only unlinks the callba...
Oracle Linux 7 / 8 : Unbreakable Enterprise kernel (ELSA-2026-50353)
The remote Oracle Linux 7 / 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2026-50353 advisory. 5.4.17-2136.356.4.3 - net: skbuff: fix missing zerocopy reference in pskbcarve helpers Minh Nguyen Orabug: 39639989 CVE-2026-52943 Credit Statement: The...
MAL-2026-6581 Malicious code in ollama-helpers (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 52323ef2a3908b7db1565ae149128d053363ab2612c7bc3a938c3f2d63c285cf scripts/postinstall.js executes automatically on npm install and performs a bulk harvest of installer-side identity and configuration data: OS hostna...
CVE-2026-54269
A flaw was found in protobufjs, a JavaScript JS library for compiling protobuf definitions. A remote attacker could exploit this vulnerability by providing specially crafted protobuf definitions or message types that contain names colliding with internal protobufjs runtime helpers. This could lea...
CVE-2026-53171 accel/ethosu: fix arithmetic issues in dma_length()
In the Linux kernel, the following vulnerability has been resolved: accel/ethosu: fix arithmetic issues in dmalength dmalength derives DMA region usage from command stream values and updates regionsize: len = len + stride0 size0 + stride1 size1 regionsizeregion = max..., len + dma-offset Several...
CVE-2026-48732 Warp: Remote SSH cwd can lead to unauthorized remote command execution
Warp is an agentic development environment. From 0.2023.03.21.08.02.stable00 until 0.2026.05.06.15.42.stable01, Warp contains a command injection issue in the legacy SSH background command path. Warp used the remote working directory reported by the session when building helper commands for...
EUVD-2026-38909
In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix listxattr handling when the buffer is full BUG If an OCFS2 inode has both inline and block-based xattrs, listxattr can return a size larger than the caller's buffer when the inline names consume that buffer exactly...
Astra Linux – Vulnerability in Linux 6.12
In the Linux kernel, the following vulnerability has been resolved: Net: Fixing segmentation issues with forwarding fraglists for GRO packets. This patch improves the handling of GSO segmentation by properly checking the SKBGSODODGY flag for GSO packets with a fraglist. This addresses low...
PT-2026-51935
Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description An issue exists in the OCFS2 file system where the listxattr function can return a size larger than the caller's buffer. This occurs when an OCFS2 inode contains both inline and...
CVE-2026-54269
protobufjs compiles protobuf definitions into JavaScript JS functions. Prior to 8.6.0 and 7.6.3, protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named hasOwnProperty, field or oneof names...
Astra Linux – Vulnerability in Linux 5.15
In the Linux kernel, the following vulnerabilities have been resolved: Venus: pmhelpers: Fixed a warning in the OPP phase during the probe. Fixed the following WARN messages that were triggered during the Venus driver probe in version 5.19.0-rc8-next-20220728: WARNING: CPU: 7 PID: 339 at...
jodit: Prototype pollution in Jodit via Jodit.modules.Helpers.set()
Summary Jodit.modules.Helpers.setchain, value, obj walks the dot-separated chain, creating and following each path segment, without filtering prototype-mutating keys. A chain that begins with or contains proto, constructor, or prototype lets the final assignment reach and mutate Object.prototype...
mail/mailpit -- Incomplete SSRF protection in Link Check API via uncovered IPv6 forms
Mailpit authorreports: The tools.IsInternalIP deny-list relies on Go's stdlib classification helpers IsLoopback, IsPrivate, IsLinkLocalUnicast, IsLinkLocalMulticast, IsUnspecified, IsMulticast plus an inline CGNAT range, but those helpers do not match two classes of IPv6 address that should be...