5719 matches found
CVE-2026-53597
CVE-2026-53597 affects the Prompty markdown format loader: for versions 2.0.0-alpha.1 through 2.0.0-beta.3, the @prompty/core TypeScript loader in runtime/typescript/packages/core/src/core/loader.ts did not override executable engines for js/frontmatter, allowing attacker-controlled .prompty file...
CVE-2026-59867
CVE-2026-59867 affects Kiota, an OpenAPI-based HTTP client code generator. Before 1.32.5, Kiota’s OpenAPI $ref resolution could fetch remote http(s) URLs or read local absolute/out-of-tree file paths, enabling build‑time SSRF, remote file inclusion, and local file inclusion when generating client...
WordPress Contact Form by Supsystic - Server-Side Template Injection
Contact Form by Supsystic WordPress plugin = 1.7.36 contains a server-side template injection caused by unsandboxed TwigLoaderString and cfsPreFill functionality, letting unauthenticated attackers execute arbitrary code remotely via GET parameters. id: CVE-2026-4257 info: name: WordPress Contact...
CVE-2026-43637
Cornac before 2.6.0 contains a path traversal Tar Slip vulnerability that allows attackers to write arbitrary files outside the intended cache directory by supplying a crafted TAR archive containing ../ sequences, absolute paths, or symlink/hardlink entries to the extractarchive function in...
edk2 security, bug fix, and enhancement update
An update is available for edk2. This update affects Rocky Linux 10. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list EDK Embedded Development Kit is a project to enable UEFI support for Virtual...
RLSA-2026:39297 Moderate: edk2 security, bug fix, and enhancement update
EDK Embedded Development Kit is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Security Fixes: openssl: openssl: Information Disclosure from Uninitialized Memory via Invalid RSA Public Key CVE-2026-31790 openssl: OpenSS...
Compromised AsyncAPI npm Packages Deliver Multi-Stage Botnet Malware
Four compromised npm packages in the @asyncapi namespace have been observed distributing a multi-stage botnet loader, according to findings from OX Security, SafeDep, Socket, and StepSecurity. The affected packages are listed below - @asyncapi/[email protected]...
CVE-2026-54684
jadx is a Dex to Java decompiler. From 1.5.2 to 1.5.5, a malicious .xapk file can cause jadx to write attacker-controlled archive entry contents outside the intended XAPK plugin temporary unpack directory because XApkLoader resolves each entry name directly with tmpDir.resolvefileName after a...
Moderate: Red Hat Security Advisory: edk2 security, bug fix, and enhancement update
An update for edk2 is now available for Red Hat Enterprise Linux 10. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the...
CVE-2026-58638
Missing cryptographic step in Windows Boot Loader allows an authorized attacker to bypass a security feature locally...
CVE-2026-58638 Windows Boot Loader Security Feature Bypass Vulnerability
...
CVE-2026-58638
CVE-2026-58638 is a Windows Boot Loader security feature bypass caused by a missing cryptographic step. The vulnerability allows a locally authenticated attacker to bypass a security feature. Public material in connected sources attributes the issue to Windows Boot Loader behavior and notes Micro...
Windows Boot Loader Security Feature Bypass Vulnerability
Missing cryptographic step in Windows Boot Loader allows an authorized attacker to bypass a security feature locally...
148 npm Packages Disguised as Student Proxies Turned Browsers Into a DDoS Botnet
A campaign of 148 npm packages disguised as student web proxies turned visitors' browsers into a distributed denial-of-service botnet for roughly two weeks in May, according to new research from JFrog. The packages did not go after the developers who might install them. The operators used the...
MAL-2026-10557 Malicious code in @cw-ui/micro-ui-loader (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b558c8d90850ea9817e236b445ba2bc1020a35a81a099a5e1575ef705b00bd39 On npm install, postinstall.js reads the installer's hostname via os.hostname and sends it as a query parameter to a hardcoded bare-IP HTTP endpoint:...
Malicious code in micro-ui-loader (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector be44655a47177f3740201ddb9dc66db080b9f665354c78bcebeb9a2da3b11b7f On npm install, the package's postinstall script postinstall.js reads os.hostname and sends it as a query parameter in a plain-HTTP GET to a hardcode...
MAL-2026-10564 Malicious code in micro-ui-loader (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector be44655a47177f3740201ddb9dc66db080b9f665354c78bcebeb9a2da3b11b7f On npm install, the package's postinstall script postinstall.js reads os.hostname and sends it as a query parameter in a plain-HTTP GET to a hardcode...
PT-2026-58858
Name of the Vulnerable Software and Affected Versions jadx versions 1.5.2 through 1.5.5 Description A path traversal issue exists where a malicious .xapk file can cause the application to write attacker-controlled archive entry contents outside the intended XAPK plugin temporary unpack directory...
MAL-2026-10463 Malicious code in node-path-addon (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5dbc52a88818bccd5602eb556ea4bf089dac66c44a2bb1ecbd6fddd6723e9d1d node-path-addon presents itself as an extension of the Node.js built-in 'path' module. Its main entry path.js delegates by executing...
OPENSUSE-SU-2026:21318-1 Security update for jq
This update for jq fixes the following issues - CVE-2026-43896: unbounded recursion in jvobjectmergerecursive can lead to C stack exhaustion and a process crash bsc1265075. - CVE-2026-44777: uncontrolled recursion in ordinary module loader when two valid modules include each other can lead to sta...