CVE-2026-39849 Pi-hole FTL remote code execution via newline injection in dns.interface configuration

Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. In versions before 6.6.1, the dns.interface configuration field in Pi-hole FTL accepted newline characters without validation, allowing an attacker to inject arbitrary directives into the generated...

GHSA-4GP8-RJRQ-CH6Q link-preview-js vulnerable to IPv6 and internal loopback attacks

Impact The library did not check for IPv6 loopback attacks. There was also a DNS attack, where an address could be resolved into an internal IP. This could cause internal data leaks. Patches Problem has been patched in version 4.0.1. However, it cannot be completely solved by the package alone. T...

CVE-2026-35527 Incus blind SSRF via image import preflight HEAD request

Incus is an open source container and virtual machine manager. In versions prior to 7.0.0, the image import flow issues an outbound HEAD request to a user-supplied URL before validating the request against project restrictions such as restricted.images.servers. The imgPostURLInfo function...

CVE-2026-35527

Incus (pre-7.0.0) is vulnerable to a blind SSRF via image import preflight HEAD requests. An authenticated user can coerce the daemon to issue a host-originated HEAD request to a user-supplied URL before policy checks complete, exposing server metadata in headers (Incus-Server-Architectures, Incu...

GHSA-9857-6MW7-FQ2M gix-transport: HTTP credentials leaked to redirected host in curl backend

Summary The curl-based HTTP transport in gix-transport sends user credentials passwords, tokens to an attacker-controlled server after an HTTP redirect. When a server responds with a 302 redirect during the initial GET /info/refs, gitoxide records the redirected base URL and rewrites all subseque...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the fileName parameter during a file upload operation. An attacker can bypass intended storage boundaries and write arbitrary files to any location on the host filesystem accessible by the Java process by supplyi...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the fileName parameter during a file upload operation. An attacker can bypass intended storage boundaries and write arbitrary files to any location on the host filesystem accessible by the Java process by supplyi...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the fileName parameter during a file upload operation. An attacker can bypass intended storage boundaries and write arbitrary files to any location on the host filesystem accessible by the Java process by supplyi...

VM2 Has a WASM Sandbox Escape

Summary Full sandbox escape with arbitrary code execution. Attacker code inside VM.run obtains host process object and runs host commands with zero host cooperation. Details Confirmed on: vm2 3.10.4, Node.js v25.6.1 x64 Linux Trigger: Attacker-controlled code passed to VM.run Requires: Node.js...

GHSA-FFH4-J6H5-PG66 VM2 Has a WASM Sandbox Escape

Summary Full sandbox escape with arbitrary code execution. Attacker code inside VM.run obtains host process object and runs host commands with zero host cooperation. Details Confirmed on: vm2 3.10.4, Node.js v25.6.1 x64 Linux Trigger: Attacker-controlled code passed to VM.run Requires: Node.js...

EUVD-2026-26995

VM2 Has a WASM Sandbox Escape Node 25 only...

GHSA-V37H-5MFM-C47C VM2 Has Sandbox Breakout Through Inspect Function

Summary VM2 suffers from a sandbox breakout vulnerability through the inspect function. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. Details The node inspect method allows to log details of objects. To get to the...

EUVD-2026-26987

VM2 Has Sandbox Breakout Through Inspect Function...

VM2 Has Sandbox Breakout Through Inspect Function

Summary VM2 suffers from a sandbox breakout vulnerability through the inspect function. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. Details The node inspect method allows to log details of objects. To get to the...

VM2 Has Sandbox Breakout Through Promise Species

Summary The fix for https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. Details The fix for...

GHSA-QVJJ-29QF-HP7P VM2 Has Sandbox Breakout Through Promise Species

Summary The fix for https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. Details The fix for...

Malicious code in @bold-commerce/stacks-ui (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5cc580455dc6abd5d1a25634543e82bc51cf855c3494024397eb17d4c7fc1eff The package @bold-commerce/stacks-ui was found to contain malicious code. Source: ghsa-malware...

MAL-2026-3341 Malicious code in runtime-probe (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 0253bd4b8dc52c1fc510a9355b9d4178b7e891c7fc0226537a8769dffcef6d89 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

Malicious code in runtime-probe (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 0253bd4b8dc52c1fc510a9355b9d4178b7e891c7fc0226537a8769dffcef6d89 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

Malicious code in runtime-readout (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 db23da97c424ee374983aaaa3b955d423abe32f91c024f372142dc234ae522d3 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...