Malicious code in shizukyu (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 31c8d6ffda18d74aa3d25ab3804e721a72dc385d89f2742d7c9e967919b27449 The package exports a single function shizukuChsocket that accepts a caller's authenticated Baileys WhatsApp socket and invokes...

PT-2026-41832

Name of the Vulnerable Software and Affected Versions exifreader versions prior to 4.39.0 Description Improper handling of highly compressed data leads to data amplification when decompressing PNG zTXt metadata without enforcing a maximum decompressed output size. If asynchronous parsing is...

Can a Single Message Paralyze the AI Infrastructure? the Rise of AbO-DDoS Attacks through Targeted Mobius Injection

Large Language Model LLM agents have emerged as key intermediaries, orchestrating complex interactions between human users and a wide range of digital services and LLM infrastructures. While prior research has extensively examined the security of LLMs and agents in isolation, the systemic risk of...

New API 数据伪造问题漏洞

The New API is an interface software developed by QuantumNous. Versions of the New API prior to 0.12.10 had a data manipulation vulnerability. This vulnerability stems from defects in the Stripe webhook handler, which could allow unauthorized attackers to forge webhook events and arbitrarily...

Ech0's Unauthenticated Like Endpoint Enables Arbitrary Engagement Metric Inflation

Summary No authentication is required to invoke PUT /api/echo/like/:id. The handler is registered on the public router group. The service increments favcount for the given echo without checking identity, without a per-user limit, and without CSRF tokens. A remote client can arbitrarily inflate li...

RHCOS 3 : OpenShift Container Platform 3.11.462 (RHSA-2021:2517)

The remote Red Hat Enterprise Linux CoreOS 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:2517 advisory. - jetty: local temporary directory hijacking vulnerability CVE-2020-27216 - jetty: buffer not correctly recycled in Gzip Request...

PT-2026-37105

Name of the Vulnerable Software and Affected Versions PhpSpreadsheet versions prior to 1.30.4 PhpSpreadsheet versions prior to 2.1.16 PhpSpreadsheet versions prior to 2.4.5 PhpSpreadsheet versions prior to 3.10.5 PhpSpreadsheet versions prior to 5.7.0 Description The SpreadsheetML XML reader...

EUVD-2026-25054

nimiq-block has skip block quorum bypass via out-of-range BitSet indices & u16 truncation...

PT-2026-34542

Name of the Vulnerable Software and Affected Versions nimiq-block versions prior to 1.3.0 Description The SkipBlockProof::verify function computes its quorum check using BitSet.len, then iterates through BitSet indices and casts each usize index to u16 slot as u16 for slot lookup. An integer...

CVE-2026-40093

nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. In 1.3.0 and earlier, block timestamp validation enforces that timestamp = parent.timestamp for non-skip blocks and timestamp == parent.timestamp + MINPRODUCERTIMEOUT for skip blocks, but there is no visible upper...

GHSA-49XC-52MP-CC9J nimiq-blockchain is missing a wall-clock upper bound on block timestamps

Impact Block timestamp validation enforces that timestamp = parent.timestamp for non-skip blocks and timestamp == parent.timestamp + MINPRODUCERTIMEOUT for skip blocks, but there is no visible upper bound check against the wall clock. A malicious block-producing validator can set block timestamps...

CVE-2026-40093

nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. In 1.3.0 and earlier, block timestamp validation enforces that timestamp = parent.timestamp for non-skip blocks and timestamp == parent.timestamp + MINPRODUCERTIMEOUT for skip blocks, but there is no visible upper...

CVE-2026-40093

nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. In 1.3.0 and earlier, block timestamp validation enforces that timestamp = parent.timestamp for non-skip blocks and timestamp == parent.timestamp + MINPRODUCERTIMEOUT for skip blocks, but there is no visible upper...

CVE-2026-40093 nimiq-blockchain is missing a wall-clock upper bound on block timestamps

nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. In 1.3.0 and earlier, block timestamp validation enforces that timestamp = parent.timestamp for non-skip blocks and timestamp == parent.timestamp + MINPRODUCERTIMEOUT for skip blocks, but there is no visible upper...

CVE-2026-40093 nimiq-blockchain is missing a wall-clock upper bound on block timestamps

nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. In 1.3.0 and earlier, block timestamp validation enforces that timestamp = parent.timestamp for non-skip blocks and timestamp == parent.timestamp + MINPRODUCERTIMEOUT for skip blocks, but there is no visible upper...

CVE-2026-39366

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the PayPal IPN v1 handler at plugin/PayPalYPT/ipn.php lacks transaction deduplication, allowing an attacker to replay a single legitimate IPN notification to repeatedly inflate their wallet balance and renew subscriptions...

WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php

Summary The PayPal IPN v1 handler at plugin/PayPalYPT/ipn.php lacks transaction deduplication, allowing an attacker to replay a single legitimate IPN notification to repeatedly inflate their wallet balance and renew subscriptions. The newer ipnV2.php and webhook.php handlers correctly deduplicate...

Insufficient Verification of Data Authenticity

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity through the ipn.php process. An attacker can repeatedly increase their wallet balance and renew subscriptions by...

GHSA-MMW7-WQ3C-WF9P WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php

Summary The PayPal IPN v1 handler at plugin/PayPalYPT/ipn.php lacks transaction deduplication, allowing an attacker to replay a single legitimate IPN notification to repeatedly inflate their wallet balance and renew subscriptions. The newer ipnV2.php and webhook.php handlers correctly deduplicate...

CVE-2026-39366 WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the PayPal IPN v1 handler at plugin/PayPalYPT/ipn.php lacks transaction deduplication, allowing an attacker to replay a single legitimate IPN notification to repeatedly inflate their wallet balance and renew subscriptions...