2424 matches found
CVE-2026-45577 Neotoma: Unauthenticated Inspector/API access via reverse-proxy loopback auth bypass
Neotoma provides versioned records that persist across agent runs. From 0.6.0 to before 0.11.1, Neotoma can treat public reverse-proxied requests as local when the app receives them over a loopback socket and no Bearer token is present. In affected deployments, the REST auth middleware can resolv...
CVE-2026-45577
Neotoma provides versioned records that persist across agent runs. From 0.6.0 to before 0.11.1, Neotoma can treat public reverse-proxied requests as local when the app receives them over a loopback socket and no Bearer token is present. In affected deployments, the REST auth middleware can resolv...
Malicious code in fpjson-lang (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 38aca097f261c15ef9901f259883679e2d4308d6e4053099643c8befe9a14318 package.json declares "preinstall": "./bin/install-deps", causing npm to execute a 954KB packed Linux ELF binary on every install. The package...
MAL-2026-4411 Malicious code in @onerjs/inspector (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 08c3c6c201db840a5576941656934704b0932abe72527c5e85b969fd90ad0ccd Package name, version 8.52.2, README, homepage and repository all impersonate @babylonjs/inspector. The shipped code is a 700-byte UMD wrapper that...
Malicious code in @onerjs/inspector (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 08c3c6c201db840a5576941656934704b0932abe72527c5e85b969fd90ad0ccd Package name, version 8.52.2, README, homepage and repository all impersonate @babylonjs/inspector. The shipped code is a 700-byte UMD wrapper that...
@hulumi/policies: GitHub OIDC trust policy bypass via AWS set-qualified condition operators
Impact: @hulumi/policies versions before 1.3.2 only checked exact AWS IAM StringLike/StringEquals condition operator keys in GOIDC1. Set-qualified operators such as ForAnyValue:StringLike could hide wildcard GitHub Actions OIDC sub conditions from the mandatory guardrail. Patched in 1.3.2: the AW...
Astra Linux – Vulnerability in Chromium
The use of after free in the Inspector in Google Chrome before version 134.0.6998.88 allowed a remote attacker to potentially exploit heap corruption through a crafted HTML page. Chromium security severity: Medium...
Astra Linux – Vulnerability in WebKit2GTK
A privacy issue was addressed through improved handling of files. This issue is fixed in Safari 18.3, iOS 18.3, and iPadOS 18.3, as well as macOS Sequoia 15.3. Copying a URL from the Web Inspector may lead to command injection...
CVE-2026-29964
HSC MailInspector v5.3.3-7 contains a Cross-Site Scripting XSS vulnerability in the /tap/tap.php endpoint due to improper neutralization of user-controlled input using alternate or obfuscated JavaScript syntax. The endpoint reflects unsanitized user input in HTTP responses without adequate output...
CVE-2026-29965
HSC MailInspector 5.3.3-7 is vulnerable to Cross Site Scripting XSS in the /police/WarningUrlPage.php endpoint due to improper neutralization of user-supplied input that uses alternate or obfuscated JavaScript syntax...
CVE-2026-29962
HSC MailInspector v5.3.3-7 contains a Local File Inclusion LFI vulnerability caused by improper control of user-supplied file paths. The endpoint /vendor/phpunit/phpunit.php processes user-controlled parameters that directly affect file access operations without adequate validation, sanitization,...
CVE-2026-29963
HSC MailInspector 5.3.3-7 has a Path Traversal vulnerability due to improper validation of user-supplied input in the /tap/dw.php endpoint. The text parameter is used to construct file paths without adequate normalization or restriction to a safe base directory. A remote attacker can exploit this...
CVE-2026-29964
HSC MailInspector v5.3.3-7 contains a Cross-Site Scripting XSS vulnerability in the /tap/tap.php endpoint due to improper neutralization of user-controlled input using alternate or obfuscated JavaScript syntax. The endpoint reflects unsanitized user input in HTTP responses without adequate output...
Neotoma: Unauthenticated Inspector/API access via reverse-proxy loopback auth bypass
Neotoma versions starting at v0.6.0 can treat public reverse-proxied requests as local when the app receives them over a loopback socket and no Bearer token is present. In affected deployments, the REST auth middleware can resolve unauthenticated requests as the local development user, making the...
GHSA-5CVP-P7P4-MCX9 Neotoma: Unauthenticated Inspector/API access via reverse-proxy loopback auth bypass
Neotoma versions starting at v0.6.0 can treat public reverse-proxied requests as local when the app receives them over a loopback socket and no Bearer token is present. In affected deployments, the REST auth middleware can resolve unauthenticated requests as the local development user, making the...
CVE-2026-29962
HSC MailInspector v5.3.3-7 contains a Local File Inclusion LFI vulnerability caused by improper control of user-supplied file paths. The endpoint /vendor/phpunit/phpunit.php processes user-controlled parameters that directly affect file access operations without adequate validation, sanitization,...
HSC MailInspector 跨站脚本漏洞
HSC MailInspector is a mail security analysis and filtering system developed by the Brazilian company HSC. Version 5.3.3-7 of HSC MailInspector contains a cross-site scripting vulnerability. This vulnerability arises from the use of alternative or obfuscated JavaScript syntax in user inputs withi...
PT-2026-41706
HSC MailInspector 5.3.3-7 has a Path Traversal vulnerability due to improper validation of user-supplied input in the /tap/dw.php endpoint. The text parameter is used to construct file paths without adequate normalization or restriction to a safe base directory. A remote attacker can exploit this...
EUVD-2026-30781
HSC MailInspector v5.3.3-7 contains a Local File Inclusion LFI vulnerability caused by improper control of user-supplied file paths. The endpoint /vendor/phpunit/phpunit.php processes user-controlled parameters that directly affect file access operations without adequate validation, sanitization,...
EUVD-2026-30784
HSC MailInspector v5.3.3-7 contains a Cross-Site Scripting XSS vulnerability in the /tap/tap.php endpoint due to improper neutralization of user-controlled input using alternate or obfuscated JavaScript syntax. The endpoint reflects unsanitized user input in HTTP responses without adequate output...