Lucene search

10276 matches found

OSSF Malicious Packages
added 2025/07/04 12:19 a.m., 3 views

Malicious code in @etech-flex-sre/ls-loading-spinner (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 487c2e88510b861b61f2ca278f6341fe808b6113fc956f64320585b8e83ca3a6 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 6.9
Exploits: 0 | References: 3

BDU FSTEC
added 2025/07/04 12:0 a.m., 1 view

The vulnerability of the FreeScout support service management system, related to the unlimited loading of files of dangerous types, allows a hacker to execute arbitrary code.

The vulnerability of the FreeScout support service management system is related to the unlimited loading of dangerous files. Exploiting this vulnerability allows a remote attacker to execute arbitrary code...

CVSS: 8 | AI score: 5.9 | EPSS: 0.02902
Exploits: 1 | References: 2 | Affected Software: 1

OSV
added 2025/07/03 4:59 p.m., 4 views

GHSA-Q43X-79JR-CQ98 tarteaucitron.js vulnerable to DOM Clobbering via document.currentScript

A vulnerability was identified in tarteaucitron.js where document.currentScript was accessed without verifying that it referenced an actual element. If an attacker injected an HTML element such as: it could clobber the document.currentScript property. This causes the script to resolve incorrectly...

CVSS: 4.2 | AI score: 5.9 | EPSS: 0.00087
Exploits: 1 | References: 4

CNNVD
added 2025/07/03 12:0 a.m., 3 views

tarteaucitron.js security vulnerability

tarteaucitron.js is a cookie manager by the individual developer Amauri CHAMPEAUX. A security vulnerability exists in tarteaucitron.js versions prior to 1.22.0, which stems from a failure to validate that document.currentScript references an actual script element, which could result in a script pa...

CVSS: 4.2 | AI score: 6.4 | EPSS: 0.00087
Exploits: 1 | References: 2

RedHat Linux
added 2025/07/02 2:18 p.m., 3 views

glibc: static setuid binary dlopen may incorrectly search LD_LIBRARY_PATH

A flaw was found in the glibc library. A statically linked setuid binary that calls dlopen, including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo, may incorrectly search LD_LIBRARY_PATH to determine which library to load, allowing a local attacker to load...

CVSS: 7.8 | AI score: 7.3 | EPSS: 0.00043
Exploits: 1 | References: 8

RedHat Linux
added 2025/07/02 12:26 p.m., 3 views

glibc: static setuid binary dlopen may incorrectly search LD_LIBRARY_PATH

A flaw was found in the glibc library. A statically linked setuid binary that calls dlopen, including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo, may incorrectly search LD_LIBRARY_PATH to determine which library to load, allowing a local attacker to load...

CVSS: 7.8 | AI score: 7.3 | EPSS: 0.00043
Exploits: 1 | References: 8

Veracode
added 2025/07/01 4:31 a.m., 3 views

Remote Code Execution (RCE)

llamafactory is vulnerable to Remote Code Execution (RCE). The vulnerability is due to the unsafe loading of the vhead_file argument without the weights_only=True safeguard, allowing attackers to exploit the Checkpoint path parameter via the WebUI to execute arbitrary code...

CVSS: 9.8 | AI score: 8.4 | EPSS: 0.04222
Exploits: 1 | References: 4 | Affected Software: 1

OSV
added 2025/06/28 9:0 p.m., 3 views

CLSA-2025-1751144408 python3.9: Fix of CVE-2024-0397

CVE-2024-0397: fix memory race condition in ssl module's cert_store_stats and get_ca_certs methods by ensuring proper synchronization during certificates loading...

CVSS: 7.4 | AI score: 6.8 | EPSS: 0.00384
Exploits: 0 | References: 1

Packet Storm News
added 2025/06/27 12:0 a.m., 4 views

Under the Hood of BlotchyQuasar: DLL-Based RAT Campaigns against Latin America

A sophisticated malspam campaign was recently uncovered targeting Latin American countries, with a particular focus on Brazil. This operation utilizes a highly deceptive phishing email to trick users into executing a malicious MSI file, initiating a multi-stage infection. The core of the attack...

AI score: 7
Exploits: 0

CNNVD
added 2025/06/26 12:0 a.m., 3 views

LLaMA-Factory code issue vulnerability

LLaMA-Factory is a fine-tuned large-scale language model by hoshi-hiyouga, a Chinese individual developer. A code issue vulnerability exists in LLaMA-Factory 0.9.3 and earlier versions, which stems from improper loading of vhead_file and could lead to remote code execution...

CVSS: 9.8 | AI score: 7.5 | EPSS: 0.04222
Exploits: 1 | References: 4

OSV
added 2025/06/24 3:43 p.m., 2 views

CLSA-2025-1750692029 glibc: Fix of CVE-2025-4802

CVE-2025-4802: fix untrusted LD_LIBRARY_PATH vulnerability in dynamically shared library loading in setuid binaries to prevent attacker control...

CVSS: 7.8 | AI score: 7.1 | EPSS: 0.00043
Exploits: 1 | References: 1

OSV
added 2025/06/23 4:44 p.m., 2 views

CLSA-2025-1750697072 glibc: Fix of CVE-2025-4802

CVE-2025-4802: fix issue of untrusted LD_LIBRARY_PATH environment variable vulnerability by restricting loading of dynamically shared libraries in statically compiled setuid binaries...

CVSS: 7.8 | AI score: 6.9 | EPSS: 0.00043
Exploits: 1 | References: 1

BDU FSTEC
added 2025/06/23 12:0 a.m., 1 view

The vulnerability of the Advantive VeraCore cloud-based business process management system lies in its ability to allow unlimited loading of dangerous types of files, enabling attackers to gain unauthorized access to protected information.

The vulnerability of the Advantive VeraCore cloud-based business process management system is related to the unlimited loading of dangerous types of files. Exploiting this vulnerability can allow an attacker operating remotely to gain unauthorized access to protected information...

CVSS: 9.9 | AI score: 8.1 | EPSS: 0.72054
Exploits: 2 | References: 6 | Affected Software: 1

OSV
added 2025/06/20 11:14 a.m., 3 views

CLSA-2025-1750416241 glibc: Fix of CVE-2025-4802

CVE-2025-4802: fix untrusted LD_LIBRARY_PATH vulnerability in dynamically shared library loading in setuid binaries...

CVSS: 7.8 | AI score: 6.9 | EPSS: 0.00043
Exploits: 1 | References: 1

Tenable Nessus
added 2025/06/20 12:0 a.m., 10 views

Apache Tomcat 11.0.0-M1 < 11.0.8 Multiple Vulnerabilities

The version of Apache Tomcat installed on the remote host is 9.0.0-M1 prior to 9.0.106, 10.1.0-M1 prior to 10.1.42 or 11.0.0-M1 prior to 11.0.8. It is, therefore, affected by multiple vulnerabilities: - A race condition on connection close could trigger a JVM crash when using the APR/Native...

CVSS: 8.4 | AI score: 7.5 | EPSS: 0.01278
Exploits: 1 | References: 6

Tenable Nessus
added 2025/06/20 12:0 a.m., 22 views

Apache Tomcat 9.0.0-M1 < 9.0.106 Multiple Vulnerabilities

The version of Apache Tomcat installed on the remote host is 9.0.0-M1 prior to 9.0.106, 10.1.0-M1 prior to 10.1.42 or 11.0.0-M1 prior to 11.0.8. It is, therefore, affected by multiple vulnerabilities: - A race condition on connection close could trigger a JVM crash when using the APR/Native...

CVSS: 8.4 | AI score: 7.5 | EPSS: 0.01278
Exploits: 1 | References: 6

Positive Technologies
added 2025/06/19 12:0 a.m., 1 view

PT-2025-35979

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified). Description: The snd_soc_remove_pcm_runtime function may be called with rtd equal to NULL, leading to a null pointer dereference. This issue was reproduced during topology loading and when a link was...

CVSS: 6 | AI score: 6 | EPSS: 0.00024
Exploits: 0

RedhatCVE
added 2025/06/18 7:21 p.m., 5 views

CVE-2025-6087

A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package. The vulnerability stems from an unimplemented feature in the Cloudflare adapter for Open Next, which allowed unauthenticated users to proxy arbitrary remote content via the /_next/image endpoint...

CVSS: 9.1 | AI score: 6.9 | EPSS: 0.00501
Exploits: 0 | References: 1

Snyk
added 2025/06/17 8:43 p.m., 1 view

Out-of-Bounds

Overview: Affected versions of this package are vulnerable to Out-of-Bounds via the token_to_piece function in the file llama-vocab.cpp. An attacker can cause arbitrary memory corruption and potentially execute code by supplying a specially crafted GGUF model that triggers a buffer overflow during...

CVSS: 8.8 | AI score: 8 | EPSS: 0.00613
Exploits: 0 | References: 2

OSV
added 2025/06/17 8:15 p.m., 0 views

UBUNTU-CVE-2025-49847

llama.cpp is an inference of several LLM models in C/C++. Prior to version b5662, an attacker-supplied GGUF model vocabulary can trigger a buffer overflow in llama.cpp's vocabulary-loading code. Specifically, the helper _try_copy in llama.cpp/src/vocab.cpp: llama_vocab::impl::token_to_piece casts a ve...

CVSS: 8.8 | AI score: 6.3 | EPSS: 0.00613
Exploits: 0 | References: 5