MAL-2026-5543 Malicious code in jailbreak-code (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9f729dde017c78154685be850893a9f3ebd58bf0b5cb1229e7e49fb09b14f5d5 The package presents itself as an AI developer CLI but is engineered as a credential and payment harvester. src/c2.ts hardcodes a Discord webhook URL...

CVE-2026-46395

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, the hmacBase64 function in the HAXcms Node.js backend contains two critical cryptographic implementation errors that together allow any unauthenticated attacker to extract the system’s private signing ke...

PT-2026-46045

Name of the Vulnerable Software and Affected Versions OP-TEE versions prior to 4.11.0 Description OP-TEE is a Trusted Execution Environment designed as a companion to a non-secure Linux kernel running on Arm Cortex-A cores using TrustZone technology. In several ECDH shared secret paths, the publi...

Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fixed a key reference count leak from call-key. When creating a client call in rxrpcallocclientcall, the code obtains a reference to the key. This reference is never cleaned up, and it becomes a leak when the call is...

Malicious code in hpsetup (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 16ed0c34d69e1ea3c5052e3eed20b87fc47e8d4bf1393f7117d34b847347e12c When npx hpsetup runs, the tool fetches a tarball from https://hpsetup-cdn.932324.xyz/api/tarball//?key= and extracts it directly into...

Exploit for CVE-2025-11203

CVE-2025-11203 – LiteLLM Health Endpoint APIKEY Information D...

OpenTelemetry eBPF Instrumentation: CappedConcurrentHashMap leaks keys after removals

Summary The custom CappedConcurrentHashMap introduced for Java TLS state tracking never removes keys from its insertion-order queue when entries are deleted. In long-running instrumented JVMs, repeated connection churn can therefore grow the queue without bound and exhaust heap memory. Details Th...

Exploit for Missing Authentication for Critical Function in Nginxui Nginx_Ui

HTB-Snapped--Writeup HTB Snapped — Hard Linux machine writeup...

EUVD-2026-27883

Sensitive data exposure leading to admin/WLAN credential leak in ZTE ZXHN H298A 1.1 and H108N 2.6. A crafted request to the router web interface can expose sensitive device and account information. In affected builds, the response may include the administrator password and WLAN PSK, enabling...

Directory Traversal

Overview org.apache.wicket:wicket-core is a Java web application framework that takes simplicity, separation of concerns and ease of development to a whole new level. Wicket pages can be mocked up, previewed and later revised using standard WYSIWYG HTML design tools. Dynamic content processing an...

CVE-2026-34474

CVE-2026-34474 affects ZTE ZXHN H298A (1.1) and H108N (2.6) routers. A crafted request to the device’s web interface can cause a sensitive-data exposure, potentially returning the administrator password and WLAN PSK, which could enable authentication bypass and wireless/network compromise. Some f...

cryptography: cryptography Subgroup Attack Due to Missing Subgroup Validation for SECT Curves

A validation flaw has been discovered in the python cryptography package. This missing validation allows an attacker to provide a public key point P from a small-order subgroup. This can lead to security issues in various situations, such as the most commonly used signature verification ECDSA and...

Astra Linux – Vulnerability in mbedtls

The ECDSA signature implementation in ecdsa.c in Arm Mbed Crypto 2.1 and Mbed TLS from 2.19.1 does not reduce the blinded scalar before computing the inverse. This allows a local attacker to recover the private key through side-channel attacks...

SUSE-SU-2026:21396-1 Security update for libssh

This update for libssh fixes the following issues: - Update to version 0.11.4: - CVE-2026-0964: SCP Protocol Path Traversal in sshscppullrequest bsc1258049 - CVE-2026-0965: Possible Denial of Service when parsing unexpected configuration files bsc1258045 - CVE-2026-0966: Buffer underflow in...

Linux Distros Unpatched Vulnerability : CVE-2026-31639

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - rxrpc: Fix key reference count leak from call-key When creating a client call in rxrpcallocclientcall, the code obtains a reference to the key. This is never...

CVE-2026-31639

In the Linux kernel, CVE-2026-31639 affects the rxrpc subsystem. A client call acquires a reference to a key during rxrpc_alloc_client_call(), but this reference is not released when the call is destroyed, causing a key reference-count leak. The documented fix frees call->key in rxrpc_destroy_...

CVE-2026-31639

In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix key reference count leak from call-key When creating a client call in rxrpcallocclientcall, the code obtains a reference to the key. This is never cleaned up and gets leaked when the call is destroyed. Fix this by...

Linux kernel 安全漏洞

The Linux kernel is the core of the open-source operating system Linux, developed by the Linux Foundation in the United States. There is a security vulnerability in the Linux kernel, which stems from the rxrpcallocclientcall function acquiring key references without releasing them when the call i...

CVE-2025-41118

Pyroscope is an open-source continuous profiling database. The database supports various storage backends, including Tencent Cloud Object Storage COS. If the database is configured to use Tencent COS as the storage backend, an attacker could extract the secretkey configuration value from the...

CVE-2025-41118

Pyroscope is an open-source continuous profiling database. The database supports various storage backends, including Tencent Cloud Object Storage COS. If the database is configured to use Tencent COS as the storage backend, an attacker could extract the secretkey configuration value from the...