CVE-2026-48527

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions up to and including 26.0.0 are affected by a stored cross-site scripting XSS vulnerability in the /system/api/saveNode endpoint. An authenticated user with a permission to edit pages can bypass the HTML sanitizer by...

Malicious Package

Overview buffer-util-extend is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

EUVD-2026-33286

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions up to and including 26.0.0 are affected by a stored cross-site scripting XSS vulnerability in the /system/api/saveNode endpoint. An authenticated user with a permission to edit pages can bypass the HTML sanitizer by...

CVE-2026-48527 HaxCMS has a stored Cross-Site Scripting (XSS) bypass in saveNode endpoint

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions up to and including 26.0.0 are affected by a stored cross-site scripting XSS vulnerability in the /system/api/saveNode endpoint. An authenticated user with a permission to edit pages can bypass the HTML sanitizer by...

CVE-2026-48527

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions up to and including 26.0.0 are affected by a stored cross-site scripting XSS vulnerability in the /system/api/saveNode endpoint. An authenticated user with a permission to edit pages can bypass the HTML sanitizer by...

ROOT-APP-NPM-CVE-2026-44573 CVE-2026-44573 in @rootio/next - Patched by Root

Root has patched CVE-2026-44573 in the @rootio/next package for Root:npm. Multiple fixed versions available...

ROOT-APP-NPM-CVE-2026-41673 CVE-2026-41673 in @rootio/xmldom__xmldom - Patched by Root

Root has patched CVE-2026-41673 in the @rootio/xmldomxmldom package for Root:npm. Multiple fixed versions available...

MAL-2026-5030 Malicious code in tiny-naturalsort (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 5ecbb6057e556f6985eb20768788e9f7dcf6146b3fdbe703653ce0d52c2a4a31 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-5028 Malicious code in sorenson-webfonts (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis ebdc541a49aeb340c75d6a96abee6465496dc22a04e82be2f03b85b2be1c3881 The OpenSSF Package Analysis project identified 'sorenson-webfonts' @ 99.9.1 npm as malicious. It is considered malicious because: - The package...

SUSE CVE-2026-46107

In the Linux kernel, the following vulnerability has been resolved: dm-thin: fix metadata refcount underflow There's a bug in dm-thin in the function rebalancechildren. If the internal btree node has one entry, the code tries to copy all btree entries from the node's child to the node itself and...

SUSE CVE-2026-46175

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix fsck inconsistency caused by FGGC of node block During FGGC node block migration, fsck may incorrectly treat the migrated node block as fsync-written data. The reproduction scenario: root@vm:/mnt/f2fs seq 1 2048 | xargs...

SUSE CVE-2026-46194

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix nodecnt race between extent node destroy and writeback f2fsdestroyextentnode does not set FINOEXTENT before clearing extent nodes. When called from f2fsdropinode with ISYNC set, concurrent kworker writeback can insert n...

Malicious code in @t-in-one/add_app_middleware_token (npm)

Wave 2 of a dependency confusion attack campaign C2: oob.moika.tech targeting internal npm scopes. The attacker npm user t-in-one, email [email protected] published packages at inflated versions that resolve ahead of private registry versions via npm's default version resolution. The campaign...

Malicious code in @t-in-one/send_add_application (npm)

Wave 2 of a dependency confusion attack campaign C2: oob.moika.tech targeting internal npm scopes. The attacker npm user t-in-one, email [email protected] published packages at inflated versions that resolve ahead of private registry versions via npm's default version resolution. The campaign...

MAL-2026-5045 Malicious code in @t-in-one/safe_local_storage_token (npm)

Wave 2 of a dependency confusion attack campaign C2: oob.moika.tech targeting internal npm scopes. The attacker npm user t-in-one, email [email protected] published packages at inflated versions that resolve ahead of private registry versions via npm's default version resolution. The campaign...

MAL-2026-5033 Malicious code in @t-in-one/add_app_middleware_token (npm)

Wave 2 of a dependency confusion attack campaign C2: oob.moika.tech targeting internal npm scopes. The attacker npm user t-in-one, email [email protected] published packages at inflated versions that resolve ahead of private registry versions via npm's default version resolution. The campaign...

PT-2026-44939

Name of the Vulnerable Software and Affected Versions Trilium Notes versions prior to 0.102.2 Description A malicious ZIP archive imported with safe import enabled can lead to remote code execution RCE and cross-site scripting XSS. This occurs by combining a payload note type: code, mime:...

PT-2026-45022

Summary NodeVM supports excluding public network builtins from the wildcard builtin option. With this configuration direct access to http, https, http2, net, dgram, tls, dns, and dns/promises is blocked. However, Node.js also exposes underscored internal HTTP builtins such as http client and http...

Linux Distros Unpatched Vulnerability : CVE-2026-46175

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - f2fs: fix fsck inconsistency caused by FGGC of node block During FGGC node block migration, fsck may incorrectly treat the migrated node block as fsync-written...

CVE-2026-46175

A flaw was found in the Linux kernel's f2fs filesystem. During Foreground Garbage Collection FGGC of node blocks, the system fails to properly clear internal metadata marks. This can lead to filesystem inconsistencies, where the fsck utility may misinterpret the state of migrated data. A local us...