Malicious code in eixp4ressz (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f9ba71706cf48badd366c9b3be4d6645698df1943a258c9f768f2b63c1b9ce7f The package eixp4ressz was found to contain malicious code. Source: ossf-package-analysis...

MAL-2026-2436 Malicious code in eixp4ressz (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f9ba71706cf48badd366c9b3be4d6645698df1943a258c9f768f2b63c1b9ce7f The package eixp4ressz was found to contain malicious code. Source: ossf-package-analysis...

Malicious code in experedzss (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f70a37180c88f0ddd0cc94346d4bb7703667321771ecc6de6c9c74f03a77f464 The package experedzss was found to contain malicious code. Source: ossf-package-analysis...

MAL-2026-2440 Malicious code in experedzss (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f70a37180c88f0ddd0cc94346d4bb7703667321771ecc6de6c9c74f03a77f464 The package experedzss was found to contain malicious code. Source: ossf-package-analysis...

perl-YAML-Syck: YAML::Syck versions through 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter

Multiple security issues have been discovered in the perl YAML::Syck module. A heap overflow occurs when class names exceed the initial 512-byte allocation, a base64 decoder could read past the buffer end on trailing newlines. strtok mutated n-typeid in place, corrupting shared node data, and a...

MAL-2026-2424 Malicious code in bytefrontier-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0a29cf25347b160fe6625e86e0df46723174e739cebc771b5d08eab295a68aae The package bytefrontier-sdk was found to contain malicious code. Source: ghsa-malware 6f9b7385e8f58c8b6fad1067fb18e542229655e25153a257aaad92c7a9cc96...

Malicious code in partner-tracker (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cf0b992863c06f797a9dddef6a493b0391094c9a2ae31fec47e961dd1afdf562 The package partner-tracker was found to contain malicious code. Source: ghsa-malware cfd28d767cd7e0db43c5c52d0b219663552acd6a5f60a34795736624c5cb612...

MAL-2026-2427 Malicious code in partner-tracker-api (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector abcff950068cf454cf07ead8614f95dd6291f4204f72ada102c7b4c3d72c0cd1 The package partner-tracker-api was found to contain malicious code. Source: ghsa-malware...

Malicious code in vv-ftend-core (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3096bbbc1b06c1a0df854ff812112a3d902b8a5c8926880c146f8b36e8497897 The package vv-ftend-core was found to contain malicious code. Source: ghsa-malware 31aa4449ee3c83b67dd8e118498746b83b9b02e0d8fe6c095f6d08f6c7a9b62e...

CVE-2026-23415

In the Linux kernel, the following vulnerability has been resolved: futex: Fix UaF between futexkeytonodeopt and vmareplacepolicy During futexkeytonodeopt execution, vma-vmpolicy is read under speculative mmap lock and RCU. Concurrently, mbind may call vmareplacepolicy which frees the old mempoli...

CVE-2026-23415

In the Linux kernel, the following vulnerability has been resolved: futex: Fix UaF between futexkeytonodeopt and vmareplacepolicy During futexkeytonodeopt execution, vma-vmpolicy is read under speculative mmap lock and RCU. Concurrently, mbind may call vmareplacepolicy which frees the old mempoli...

CVE-2026-23415

The CVE-2026-23415 issue affects the Linux kernel futex subsystem. A race occurs between futex_key_to_node_opt() reading vma->vm_policy under speculative mmap lock/RCU and mbind() calling vma_replace_policy(), which can free the old mempolicy via kmem_cache_free(). This leads to a use-after-fr...

MAL-2026-2421 Malicious code in @mgcrae/pino-pretty-logger (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c31dc9253706aebd955016075e321d19d7dfc9b231882d7b24a6c932fa3dfa80 The package @mgcrae/pino-pretty-logger was found to contain malicious code. Source: ghsa-malware...

Atlassian Jira Service Management Data Center and Server 5.15.2 < 10.3.18 / 10.4.x < 11.3.3 (JSDSERVER-16528)

The version of Atlassian Jira Service Management Data Center and Server Jira Service Desk running on the remote host is affected by a vulnerability as referenced in the JSDSERVER-16528 advisory. - node-tar is a Tar for Node.js. The node-tar library = 7.5.2 fails to sanitize the linkpath of Link...

PT-2026-29722

In the Linux kernel, the following vulnerability has been resolved: futex: Fix UaF between futex key to node opt and vma replace policy During futex key to node opt execution, vma-vm policy is read under speculative mmap lock and RCU. Concurrently, mbind may call vma replace policy which frees th...

PT-2026-29941

Flannel has cross-node remote code execution via extension backend BackendData injection in github.com/flannel-io/flannel...

GHSA-VX58-FWWQ-5G8J NocoBase Has SQL Injection via template variable substitution in workflow SQL node

Summary NocoBase = 2.0.8 plugin-workflow-sql substitutes template variables directly into raw SQL strings via getParsedValue without parameterization or escaping. Any user who triggers a workflow containing a SQL node with template variables from user-controlled data can inject arbitrary SQL...

NocoBase Has SQL Injection via template variable substitution in workflow SQL node

Summary NocoBase = 2.0.8 plugin-workflow-sql substitutes template variables directly into raw SQL strings via getParsedValue without parameterization or escaping. Any user who triggers a workflow containing a SQL node with template variables from user-controlled data can inject arbitrary SQL...

NULL Pointer Dereference

Overview Affected versions of this package are vulnerable to NULL Pointer Dereference in the NGAP handover failure message processing. An attacker can cause the service to crash and disrupt connectivity for all users by forcing a gNodeB to send NGAP handover failure messages. Remediation Upgrade...

dbgate-web: Stored XSS in applicationIcon leads to potential RCE in Electron due to unsafe renderer configuration

Summary A stored XSS vulnerability exists in DbGate because attacker-controlled SVG icon strings are rendered as raw HTML without sanitization. In the web UI this allows script execution in another user's browser; in the Electron desktop app this can escalate to local code execution because...