9 matches found
CVE-2026-55700 pnpm: stage download writes outside destination via manifest version traversal
pnpm is a package manager. From 11.3.0 until 11.5.3, pnpm stage download derived a local filename from registry-controlled package name and version fields. A crafted manifest could escape the selected download directory and overwrite another reachable file. The merged fix validates both fields,...
PraisonAI recipe registry publish path traversal allows out-of-root file write
Summary PraisonAI's recipe registry publish endpoint writes uploaded recipe bundles to a filesystem path derived from the bundle's internal manifest.json before it verifies that the manifest name and version match the HTTP route. A malicious publisher can place ../ traversal sequences in the bund...
GHSA-R9X3-WX45-2V7F PraisonAI recipe registry publish path traversal allows out-of-root file write
Summary PraisonAI's recipe registry publish endpoint writes uploaded recipe bundles to a filesystem path derived from the bundle's internal manifest.json before it verifies that the manifest name and version match the HTTP route. A malicious publisher can place ../ traversal sequences in the bund...
PT-2026-30767
Summary PraisonAI's recipe registry publish endpoint writes uploaded recipe bundles to a filesystem path derived from the bundle's internal manifest.json before it verifies that the manifest name and version match the HTTP route. A malicious publisher can place ../ traversal sequences in the bund...
How Manifest v3 forced us to rethink Browser Guard, and why that’s a good thing
As a Browser Guard user, you might not have noticed much difference lately. Browser Guard still blocks scams and phishing attempts just like always, and, in many cases, even better. But behind the scenes, almost everything changed. The rules that govern how browser extensions work went through a...
Malicious code in joko-tempe41-miaww (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 665bede8a24852c4de185354a8772dc6c7bc660bf2d8dcc17011e7fe925fc121 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Ensuring Safe and Reliable Updates with Qualys TruRisk™ Manifest Version Control
The Fragility of “One Bad Update” In cybersecurity, speed is non-negotiable. New vulnerabilities surface daily, and enterprises expect coverage the moment exploits are in the wild. For years, the mantra was simple: push signatures fast, and you reduce risk. Faster updates meant faster protection...
Developers Insight on Manifest V3 Privacy and Security Webextensions
Webextensions can improve web browser privacy, security, and user experience. The APIs offered by the browser to webextensions affect possible functionality. Currently, Chrome transitions to a modified set of APIs called Manifest v3. This paper studies the challenges and opportunities of Manifest...
New EOL QIDs for Microsoft Windows 7 and 2008/R2
Qualys Vulnerability Signature, version 2.4.815-2, will include EOL QIDs detections for end-of-life software for Windows 7, Windows 2008, and Windows 2008 R2. Customers will be able to scan the QIDs shown below using Qualys Vulnerability Management VM: QID 105859 - EOL/Obsolete Operating System:...