CVE-2026-40260 pypdf: Manipulated XMP metadata entity declarations can exhaust RAM
pypdf is a free and open-source pure-python PDF library. In versions prior to 6.10.0, manipulated XMP metadata entity declarations can exhaust RAM. An attacker who exploits this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the XMP metadata. This issue has...
CVE-2026-40260
CVE-2026-40260 affects the Python library pypdf (formerly PyPDF2). The issue arises when parsing manipulated XMP metadata declarations within a PDF, causing excessive memory (RAM) usage for memory-constrained parsing workloads. Impact is described as potential large memory consumption during XMP ...
CVE-2026-33173
A flaw was found in Rails Active Storage. A remote attacker, acting as a direct-upload client, can exploit this vulnerability by manipulating metadata during file uploads. By setting internal flags, the attacker can bypass the system's automatic MIME (Multipurpose Internet Mail Extensions) type...
UBUNTU-CVE-2026-33173
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, DirectUploadsController accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like identified and analyzed are stored in the...
CVE-2026-33173 Rails Active Storage has possible content type bypass via metadata in direct uploads
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, DirectUploadsController accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like identified and analyzed are stored in the...
CVE-2025-12849
The CVE-2025-12849 vulnerability affects the WordPress Contest Gallery plugin and is confirmed in connected sources as an authorization bypass in versions up to 28.0.2, exploitable via the cg_check_wp_admin_upload_v10 AJAX action that can be triggered by unauthenticated users to inject media and ...
MAL-2025-184903 Malicious code in sonic-jos-afigafoa (npm)
Source: amazon-inspector 40e42b3f408a4059927972a6ccbdb450ea41f696340759b2c8601b0d83466560 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-172999 Malicious code in anidta-hauli-mudisali (npm)
Source: amazon-inspector a741e55406451f7974ce3d46e537940e4aee551a2494354fb4b3fea0109bd9cc This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in tania-rojak94-riris (npm)
Source: amazon-inspector 1479f8e46b470590a65760bff4234bb0eb698423a0812e5f29dde6c2bf1b9fa3 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in scornful_finch_z3n (npm)
Source: amazon-inspector ccd8715f39604a76c3d8f262424ffe102e528db174c837dd6e6c580eb2764629 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-70866 Malicious code in straightforward-chocolate-goose (npm)
Source: amazon-inspector 7fc9c58bcd54d991b1128adbbfa1ff03885b77bd950139998dc0d02e6524ff61 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
CVE-2025-59968
A Missing Authorization vulnerability in the Juniper Networks Junos Space Security Director allows an unauthenticated network-based attacker to read or modify metadata via the web interface. Tampering with this metadata can result in managed SRX Series devices permitting network traffic that...
EUVD-2016-1711
Malware in sbrugna...
EUVD-2021-24173
Malware in sbrugna...
EUVD-2013-4440
Malware in sbrugna...
Attractive Metadata Attack: Inducing LLM Agents to Invoke Malicious Tools
Large language model (LLM) agents have demonstrated remarkable capabilities in complex reasoning and decision-making by leveraging external tools. However, this tool-centric paradigm introduces a previously underexplored attack surface: adversaries can manipulate tool metadata -- such as names,...
CVE-2024-9161
The Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'updatemetadata' function in all versions up to, and including, 1.0.228. This makes it possible for unauthenticated...
Exploit for Unrestricted Upload of File with Dangerous Type in Cutephp Cutenews
sadnews CuteNews 2.1.2 - CVE-2019-11447 Proof-Of-Concept POC...
Privilege Escalation
openstack-barbican is vulnerable to privilege escalation. The vulnerability exists because the library allows authenticated users to add, delete or modify arbitrary metadata on any secret...
CVE-2022-24887
Nextcloud Talk is a video and audio conferencing app for Nextcloud, a self-hosted productivity platform. Prior to versions 11.3.4, 12.2.2, and 13.0.0, when sharing a Deck card in conversation, the metaData can be manipulated so users can be tricked into opening arbitrary URLs. This issue is fixed...