MAL-2026-3637 Malicious code in intercom-php (Packagist)

--- -= Per source details. Do not edit below this line.=- Source: google-open-source-security 0bd33abd6fda35e856f8346fda5e85913ce2cad6b4d6c315a2e7138b867760aa This package is malicious and was compromised as part of the Mini Shai-Hulud campaign by the TeamPCP threat actor. The malicious payload...

MAL-2026-3653 Malicious code in @design-system-coopeuch/web (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a871445c3913d747a2f1383bcfdac02d6dec26ddb2053260340284cf4ee02233 Package @design-system-coopeuch/[email protected] is a dependency-confusion squat of an internal-looking scope, published at an inflated 999.x version to...

MAL-2026-3650 Malicious code in microsoft-applicationinsights-common (npm)

Two malicious npm packages published by the micresoft account typosquatting "microsoft" are part of a coordinated supply chain attack sharing identical infrastructure with packages published by the superbase account. Each package bundles a 4.5 MB statically-linked, UPX-packed ELF binary at...

PT-2026-40836

Name of the Vulnerable Software and Affected Versions Node View Permissions versions 0.0.0 through 1.6.x Node View Permissions versions 2.0.0 through 2.0.0 Description An improper check for unusual or exceptional conditions in the Node View Permissions module allows forceful browsing. The module...

vm2 安全漏洞

vm2 is a high-level virtual machine/sandbox developed by Czech developer Patrik Simek. It runs untrusted code using Node’s built-in modules listed in the allowlist. Versions of vm2 prior to 3.11.0 have security vulnerabilities; these vulnerabilities arise from the ability to bypass NodeVM’s...

vm2 访问控制错误漏洞

vm2 is a high-level virtual machine/sandbox developed by Czech developer Patrik Simek. It runs untrusted code using built-in Node.js modules listed in the allowlist. Versions of vm2 prior to 3.11.1 had an access control vulnerability. This vulnerability arises when nesting is set to true when...

vm2 安全漏洞

vm2 is a high-level virtual machine/sandbox developed by Czech developer Patrik Simek. It runs untrusted code using Node’s built-in modules listed in the allowlist. Versions of vm2 prior to 3.11.0 have security vulnerabilities; these vulnerabilities stem from sandbox boundary violations. During...

Node View Permissions - Moderately critical - Access bypass - SA-CONTRIB-2026-034

Node view permissions module enables permissions "View own content" and "View any content" for each content type on permissions page The module doesn't sufficiently handle the case where a user is cancelled and their content is reassigned to the anonymous user. This vulnerability is mitigated by...

Next.js 代码问题漏洞

Next.js is a React framework open source by Vercel. Versions of Next.js from 13.4.13 to 15.5.16, as well as versions before 16.2.5, have code vulnerabilities. These vulnerabilities stem from the use of the built-in Node.js server for hosting. When a custom WebSocket upgrade request is made, it ma...

Linux Distros Unpatched Vulnerability : CVE-2026-44301

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node- based asset pipelines PostCSS, Babel, TailwindCSS, Hugo...

PT-2026-40730

Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 0.0.0-20260421031503-96dfe0bea474 Description A stored cross-site scripting XSS issue exists in the Bazaar marketplace. The application fails to sanitize the name and version fields in package metadata files such as...

CVE-2026-42156 Flowsint: Cypher query injection in node type on node creation

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, a remote attacker can create a node with a malicious type that can escape an existing Cypher query and an adversary can execute an arbitrary Cypher...

CVE-2026-42156 Flowsint: Cypher query injection in node type on node creation

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, a remote attacker can create a node with a malicious type that can escape an existing Cypher query and an adversary can execute an arbitrary Cypher...

CVE-2026-42156

Summary : CVE-2026-42156 affects Flowsint, an open-source OSINT graph exploration tool. Before version 1.2.3, a remote attacker can create a node with a malicious type that can escape an existing Cypher query, enabling execution of arbitrary Cypher queries. The issue is fixed in 1.2.3. Impact and...

CVE-2026-42156

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, a remote attacker can create a node with a malicious type that can escape an existing Cypher query and an adversary can execute an arbitrary Cypher...

CVE-2026-42157 Flowsint: Stored XSS on map node marker in map page

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, a remote attacker can create a map node with a malicious label that contains arbitrary HTML. When the map tab is selected and a map node marker is...

CVE-2026-42157

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, a remote attacker can create a map node with a malicious label that contains arbitrary HTML. When the map tab is selected and a map node marker is...

CVE-2026-42157 Flowsint: Stored XSS on map node marker in map page

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, a remote attacker can create a map node with a malicious label that contains arbitrary HTML. When the map tab is selected and a map node marker is...

CVE-2026-42157

CVE-2026-42157 concerns Flowsint, an open-source OSINT graph exploration tool. Affected behavior: prior to version 1.2.3, an attacker could create a map node with a malicious HTML label; when the map tab is active and a node marker is selected, the HTML could render and trigger stored XSS. Impact...

DEBIAN-CVE-2026-44301

Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node-based asset pipelines PostCSS, Babel, TailwindCSS, Hugo invoked the configured Node tools without restrictions on file system access. As a result, executing hugo against an untrusted site could...