16 matches found

OSSF Malicious Packages
added 2026/05/22 6:34 a.m., 8 views

Malicious code in lynx-keeper-cli (npm)

Source: amazon-inspector, 9cebbf0e6cc5a35eea6e6869d295d072526b6ff7d566c49bc80f15952138cf88. lynx-keeper-cli ships a heavily obfuscated payload in dist/index.js that runs at require time. After a CI-evasion gate that aborts when...

AI score 5.8
Exploits: 0, References: 3
OSV
added 2026/04/29 8:00 a.m., 0 views

MAL-2026-3154 Malicious code in apple-infra-gcp-leak (npm)

Malicious npm package published by threat actor "raya4321" as part of a coordinated typosquatting campaign impersonating Apple internal infrastructure services (authentication, PKI, telemetry, CloudKit, and cloud infrastructure). All packages in this campaign execute credential-theft payloads durin...

AI score 5.9
Exploits: 0, References: 1
OSV
added 2026/03/27 2:29 p.m., 3 views

CVE-2026-33764 AVideo: IDOR in AI Plugin Allows Stealing Other Users' AI-Generated Metadata and Transcriptions

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the AI plugin's save.json.php endpoint loads AI response objects using an attacker-controlled $_REQUEST['id'] parameter without validating that the AI response belongs to the specified video. An authenticated user wi...

CVSS 4.3, AI score 5.9, EPSS 0.00032
Exploits: 1, References: 4
CVE
added 2026/03/27 2:29 p.m., 10 views

CVE-2026-33764

Summary (CVE-2026-33764 / GHSA): An IDOR vulnerability exists in the AVideo AI plugin. The save.json.php endpoints for AI metatags and transcriptions load AI response objects by an attacker-controlled id without validating ownership against the target video. The authorization check validates Video...

CVSS 4.3, AI score 5.9, EPSS 0.00032
Exploits: 1, References: 2, Affected software: 1
Cvelist
added 2026/03/27 2:29 p.m., 23 views

CVE-2026-33764 AVideo: IDOR in AI Plugin Allows Stealing Other Users' AI-Generated Metadata and Transcriptions

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the AI plugin's save.json.php endpoint loads AI response objects using an attacker-controlled $_REQUEST['id'] parameter without validating that the AI response belongs to the specified video. An authenticated user wi...

CVSS 4.3, EPSS 0.00032
Exploits: 1, References: 2
Vulnrichment
added 2026/03/27 2:29 p.m., 2 views

CVE-2026-33764 AVideo: IDOR in AI Plugin Allows Stealing Other Users' AI-Generated Metadata and Transcriptions

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the AI plugin's save.json.php endpoint loads AI response objects using an attacker-controlled $_REQUEST['id'] parameter without validating that the AI response belongs to the specified video. An authenticated user wi...

CVSS 4.3, AI score 5.9, EPSS 0.00032
Exploits: 1, References: 2
Github Security Blog
added 2026/03/26 6:08 p.m., 3 views

AVideo: IDOR in AI Plugin Allows Stealing Other Users' AI-Generated Metadata and Transcriptions

Summary: The AI plugin's save.json.php endpoint loads AI response objects using an attacker-controlled $_REQUEST['id'] parameter without validating that the AI response belongs to the specified video. An authenticated user with AI permissions can reference any AI response ID — including those generat...

CVSS 4.3, AI score 5.8, EPSS 0.00032
Exploits: 1, References: 4, Affected software: 1
NVD
added 2026/03/20 8:16 a.m., 1 view

CVE-2026-33060

CKAN MCP Server is a tool for querying CKAN open data portals. Versions prior to 0.4.85 provide tools including ckanpackagesearch and sparqlquery that accept a baseurl parameter, making HTTP requests to arbitrary endpoints without restriction. A CKAN portal client has no legitimate reason to...

CVSS 5.7, EPSS 0.00016
Exploits: 1, References: 2
ATTACKERKB
added 2026/03/20 7:21 a.m., 2 views

CVE-2026-33060

CKAN MCP Server is a tool for querying CKAN open data portals. Versions prior to 0.4.85 provide tools including ckanpackagesearch and sparqlquery that accept a baseurl parameter, making HTTP requests to arbitrary endpoints without restriction. A CKAN portal client has no legitimate reason to...

CVSS 5.3, AI score 5.9, EPSS 0.00016
Exploits: 1, References: 3, Affected software: 1
CNNVD
added 2026/03/20 12:00 a.m., 4 views

CKAN MCP Server code issue vulnerability

CKAN MCP Server is an open-source tool developed by onData, designed for natural language queries between AI assistants and open data platforms. Versions of CKAN MCP Server prior to 0.4.85 contained code vulnerabilities. These vulnerabilities stemmed from insufficient validation of the baseurl...

CVSS 5.7, AI score 5.9, EPSS 0.00016
Exploits: 1, References: 2
Positive Technologies
added 2025/11/10 12:00 a.m., 2 views

PT-2025-46215

Name of the vulnerable software and affected versions: Soft Serve versions prior to 0.11.1. Description: Soft Serve, a self-hostable Git server, contains a Server-Side Request Forgery (SSRF) issue. The application does not validate webhook URLs, which allows repository administrators to create webhook...

CVSS 9.1, AI score 6.5, EPSS 0.00059
Exploits: 1, References: 19
OSV
added 2025/10/02 9:20 p.m., 2 views

GHSA-7232-97C6-J525 Canonical LXD Source Container Identification Vulnerability via cmdline Spoofing in devLXD Server

Impact: In LXD's devLXD server, the source container identification process uses process cmdline (command line) information, allowing attackers to impersonate other containers by spoofing process names. The core issue lies in the findContainerForPID function in lxd/api_devlxd.go. This function...

CVSS 5.1, AI score 7, EPSS 0.00059
Exploits: 1, References: 4
Github Security Blog
added 2025/10/02 9:20 p.m., 5 views

Canonical LXD Source Container Identification Vulnerability via cmdline Spoofing in devLXD Server

Impact: In LXD's devLXD server, the source container identification process uses process cmdline (command line) information, allowing attackers to impersonate other containers by spoofing process names. The core issue lies in the findContainerForPID function in lxd/api_devlxd.go. This function...

CVSS 6.8, AI score 7, EPSS 0.00059
Exploits: 1, References: 4, Affected software: 1
The Hacker News
added 2019/10/31 2:26 p.m., 54 views

Chinese Hackers Compromise Telecom Servers to Spy on SMS Messages

A group of Chinese hackers carrying out political espionage for Beijing has been found targeting telecommunications companies with a new piece of malware designed to spy on text messages sent or received by highly targeted individuals. Dubbed "MessageTap," the backdoor malware is a 64-bit ELF dat...

AI score 0.2
Exploits: 0
HackRead
added 2019/06/25 4:10 p.m., 61 views

Cellular networks worldwide hit by hackers in espionage attempt

By Uzair Amir. Cybereason, an Israeli-US security firm based in Boston, has reported that certain nation-state hackers managed to compromise the systems of no less than ten cellular carriers across the globe to steal metadata of specific users. Without naming anyone, the company claims that the...

AI score 2
Exploits: 0
Wired Threat Level
added 2019/06/25 4:00 a.m., 117 views

A Likely Chinese Hacker Crew Targeted 10 Phone Carriers to Steal Metadata

In one case, they stole the location and call record data of 20 specific individuals...

AI score 2.5
Exploits: 0