JS Help Desk <= 2.8.1 - SQL Injection

The JS Help Desk – Best Help Desk & Support Plugin plugin for WordPress is vulnerable to SQL Injection via the ‘email' and 'trackingid' parameters in all versions up to 2.8.2 exclusive due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing S...

JS Help Desk <= 2.8.2 - SQL Injection

JS Help Desk WordPress plugin 2.8.2 contains a SQL injection caused by insufficient escaping and preparation of user-supplied values in 'js-support-ticket-token-tkstatus' cookie, letting unauthenticated attackers extract sensitive database information, exploit requires no authentication. id:...

Mongoose < 8.8.3 - Remote Code Execution

Mongoose before 8.8.3 can improperly use $where in match, leading to search injection. id: CVE-2024-53900 info: name: Mongoose 8.8.3 - Remote Code Execution author: h4mg severity: critical description: | Mongoose before 8.8.3 can improperly use $where in match, leading to search injection. impact...

BIT-NODE-2026-48937

A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a GOAWAY frame. This vulnerability affects two supported release lines: Node.js 22 and Node.js 24...

CVE-2026-47141

A flaw was found in vm2, an open-source virtual machine VM sandbox for Node.js. Prior to version 3.11.4, NodeVM, a component of vm2, improperly exposed certain process-wide observability builtins, such as diagnosticschannel, asynchooks, and perfhooks. These builtins, which are designed for...

CVE-2026-53550

js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block...

UBUNTU-CVE-2026-53550

js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block...

New OXLOADER Loader Uses Malicious Google Ads to Deliver CastleStealer

Cybersecurity researchers have disclosed details of a new campaign that delivers CastleStealer by means of a previously unreported malware loader dubbed OXLOADER. According to Elastic Security Labs, the campaign leverages malicious Google Ads as a starting point to distribute the malware. Evidenc...

MAL-2026-6313 Malicious code in @zynkit/jwtbytes (npm)

@zynkit/jwtbytes malicious version 0.5.3, published by [email protected] is a trojanized npm package belonging to the wshu.net credential-stealer campaign. The campaign published trojanized look-alike utility packages across 12+ scopes whose publisher accounts all follow the pattern...

CVE-2026-49293

js-toml is a TOML parser for JavaScript, fully compliant with the TOML 1.0.0 Spec. Versions up to and including 1.1.0 parse hexadecimal / octal / binary integer literals via a hand-written parseBigInt loop that multiplies a BigInt accumulator by the radix once per input digit. Each iteration...

CVE-2026-49293 CPU exhaustion via O(n^2) BigInt construction on radix-prefixed integer literals

js-toml is a TOML parser for JavaScript, fully compliant with the TOML 1.0.0 Spec. Versions up to and including 1.1.0 parse hexadecimal / octal / binary integer literals via a hand-written parseBigInt loop that multiplies a BigInt accumulator by the radix once per input digit. Each iteration...

Malicious code in new-mjs-eslint (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b4ae24b182a00059424b8ea4800927bbbf662f0e6bf20264af611d37203a3f2e Package is published under the unrelated name 'new-mjs-eslint' but ships a verbatim copy of the big.js decimal-arithmetic library original...

Malicious code in new-ecro (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7492a140547cea0957bc705d365e19806091462a249c3d5c90b6bfe91e8431c7 Package 'new-ecro' impersonates the legitimate 'big.js' library: it copies big.js's README, source, version banner 'big.js v7.0.1', author email, and...

MAL-2026-6197 Malicious code in new-ecro (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7492a140547cea0957bc705d365e19806091462a249c3d5c90b6bfe91e8431c7 Package 'new-ecro' impersonates the legitimate 'big.js' library: it copies big.js's README, source, version banner 'big.js v7.0.1', author email, and...

Fedora 45 : nginx / nginx-mod-brotli / nginx-mod-fancyindex / etc (2026-e212182e6e)

The remote Fedora 45 host has packages installed that are affected by multiple vulnerabilities as referenced in the FEDORA-2026-e212182e6e advisory. nginx-mod-brotli: - Rebuild for 1.30.3 nginx-mod-fancyindex: - Rebuild for 1.30.3 nginx-mod-modsecurity: - Rebuild for 1.30.3 nginx-mod-headers-more...

ALPINE-CVE-2026-48937

A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a GOAWAY frame. This vulnerability affects two supported release lines: Node.js 22 and Node.js 24...

145 Mastra npm Packages Compromised via Hijacked Contributor Account

As many as 145 npm packages associated with the Mastra namespace "@mastra/", a popular open-source JavaScript and TypeScript framework for building artificial intelligence AI applications, have been compromised as part of a software supply chain attack codenamed easy-day-js , per findings from...

Malicious code in @mastra/client-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 22551bc03157cad1fefb8af44f3b14c9fe9e892c083eb904e512007015e72f9f Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-6007 Malicious code in @mastra/client-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 22551bc03157cad1fefb8af44f3b14c9fe9e892c083eb904e512007015e72f9f Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-5988 Malicious code in params-valid-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 397af72237ba3626ac4727497662530f602c2ce6ec71406f48b508055687366c The package presents itself as 'Simplified HTTP request client' and copies identity metadata from Mikeal Rogers' legitimate request package bugs URL...