10 matches found

Snyk
added 2026/05/25 8:9 a.m. | 2 views

Malicious Package

Overview: wm-plugin-native-functions-restorer is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization an...

9.8 CVSS | 5.8 AI score
Exploits: 0 | References: 2
EUVD
added 2025/11/10 8:59 a.m. | 1 views

EUVD-2025-44038

A SQL injection vulnerability was discovered in Looker Studio that allowed for data exfiltration from BigQuery data sources. By creating a malicious report with native functions enabled, and having the victim access the report, an attacker could execute injected SQL queries with the victim's...

7.3 CVSS | 7.6 AI score | 0.00032 EPSS
Exploits: 0 | References: 3
RedhatCVE
added 2025/05/22 6:54 p.m. | 2 views

CVE-2021-46433

In fenom 2.12.1 and before, there is a way in fenom/src/Fenom/Template.php function getTemplateCode to bypass sandbox to execute arbitrary PHP code when disable_native_funcs is true...

10 CVSS | 7.8 AI score | 0.00363 EPSS
Exploits: 0
Github Security Blog
added 2023/03/23 11:13 p.m. | 20 views

Deno improperly handles resizable ArrayBuffer

Impact: Resizable ArrayBuffers passed to asynchronous native functions that are shrunk during the asynchronous operation could result in an out-of-bound read/write. It is unlikely that this has been exploited in the wild, as the only version affected is Deno 1.32.0. Deno Deploy users are not...

9.9 CVSS | 8.8 AI score | 0.00774 EPSS
Exploits: 0 | References: 6 | Affected Software: 3
SUSE CVE
added 2023/02/15 5:39 a.m. | 2 views

SUSE CVE-2013-2065

(1) DL and (2) Fiddle in Ruby 1.9 before 1.9.3 patchlevel 426, and 2.0 before 2.0.0 patchlevel 195, do not perform taint checking for native functions, which allows context-dependent attackers to bypass intended $SAFE level restrictions...

6.4 CVSS | 8.1 AI score | 0.00885 EPSS
Exploits: 1 | References: 4
CNNVD
added 2022/03/28 12:0 a.m. | 1 views

fenom security vulnerability

fenom is a lightweight and fast PHP template engine. fenom 2.12.1 and earlier versions are vulnerable to code injection, which stems from a failure to properly filter special characters, commands, etc. used to construct commands in the getTemplateCode function of fenom/src/Fenom/Template.php, which ca...

10 CVSS | 6.2 AI score | 0.00363 EPSS
Exploits: 0 | References: 2
OSV
added 2021/02/01 12:0 a.m. | 22 views

ASB-A-171400004

In several native functions called by AdvertiseManager.java, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege in the Bluetooth server with User execution privileges needed. User interaction is not needed for exploitation...

7.8 CVSS | 7.9 AI score | 0.00027 EPSS
Exploits: 0 | References: 2
seebug.org
added 2017/04/24 12:0 a.m. | 28 views

Chrome Universal XSS via the interception of |Binding| with Object.prototype.create (CVE-2016-1674)

VULNERABILITY DETAILS: The fix for the issue 590118 is insufficient to protect against the bindings interception. While they can't be accessed by triggering accessors on the |modules| object anymore, it's still possible to trap the set operation for |Binding.create| using the Object.prototype...

6.8 CVSS | 8.7 AI score | 0.01496 EPSS
Exploits: 1
seebug.org
added 2017/04/24 12:0 a.m. | 56 views

Chrome Universal XSS using an intercepted native function (CVE-2016-1672)

VULNERABILITY DETAILS: The fix for the issue 546677 is insufficient to protect against overriding the internal extensions code -- it is still possible to take over the built-in extension system with a combination of getters and setters. This allows web content to gain access to native functions th...

6.8 CVSS | 9 AI score | 0.01485 EPSS
Exploits: 1
seebug.org
added 2017/03/28 12:0 a.m. | 26 views

Safari Browser: Builtin JavaScript allows Function.caller to be used in strict mode (CVE-2017-2446)

If a builtin script in webkit is in strict mode, but then calls a function that is not strict, this function is allowed to call the Function.caller and can obtain a reference to the strict function. This is inconsistent with the behavior when executing non-builtin scripts in Safari, and the...

6.8 CVSS | 8 AI score | 0.25094 EPSS
Exploits: 6