Malicious code in xy-ai-chat (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5f9025a3fddb0d31a5cd9114850b0ca859acf96e54649d4d2a9fe286b7ca015c xy-ai-chat ships a Lit web component whose bundled main entry hardcodes two plain-HTTP endpoints on a bare IPv4 address:...

Malicious code in @hanssoft/baileys (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e3f83fb38a98b69c322df069a26c495101aa35682df8f83641b00e2ce40a99bd This package is a fork of the WhatsApp library Baileys whose metadata homepage, repository, author points at the upstream @whiskeysockets/baileys,...

Malicious code in naileys (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 53307e8df479525765ddef8cf9a54dcf0aa368b8ef57a088b624a5e80f72c999 naileys is a fork/lookalike of the WhatsApp library baileys single-character edit; internal references still mention 'wileys', and...

Malicious code in eplang (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1d53e4571f8ccfc385a265dfd47cbea9793946762a794aff432e98614ee10b21 The package ships epl/.aiconfig.json containing a hardcoded Groq API key with provider set to 'groq'. On any AI-related CLI invocation epl ai, epl ge...

MAL-2026-4748 Malicious code in eplang (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1d53e4571f8ccfc385a265dfd47cbea9793946762a794aff432e98614ee10b21 The package ships epl/.aiconfig.json containing a hardcoded Groq API key with provider set to 'groq'. On any AI-related CLI invocation epl ai, epl ge...

iskorotkov/avro: Denial-of-Service Vulnerability in Decoder

Memory Exhaustion via Unbounded Map Allocations in Avro Decoder Summary The Avro map decoder accepted attacker-controlled block-element counts from the wire format and grew the destination map without enforcing an upper bound. The slice decoder already had Config.MaxSliceAllocSize for the...

Android Adds Intrusion Logging for Sophisticated Spyware Forensics

Google on Tuesday unveiled a new opt-in Android feature called Intrusion Logging for storing forensic logs to better analyze sophisticated spyware attacks. Intrusion Logging, available as part of Advanced Protection Mode, enables "persistent and privacy-preserving forensics logging to allow for...

GHSA-9J32-3M66-MC4M Duplicate Advisory: OpenClaw: Hook mapping templates could bypass hook session-key opt-in

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-2xcp-x87w-q377. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.20 contains a hook session-key bypass vulnerability that allows attackers to circumvent the...

CVE-2026-45002

OpenClaw before 2026.4.20 contains a hook session-key bypass vulnerability that allows attackers to circumvent the hooks.allowRequestSessionKey opt-in restriction. Attackers can render externally influenced session keys through templated hook mappings to bypass webhook routing isolation controls...

Fedora 44 : gh (2026-5df889949e)

The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-5df889949e advisory. Update to 2.92.0 and make telemetry sending opt in. Tenable has extracted the preceding description block directly from the Fedora security advisory...

NPM: OpenClaw: Hook mapping templates could bypass hook session-key opt-in

NPM: OpenClaw: Hook mapping templates could bypass hook session-key opt-in vulnerability discovered by ? in WordPress Npm openclaw versions 2026.4.20...

GHSA-2XCP-X87W-Q377 OpenClaw: Hook mapping templates could bypass hook session-key opt-in

Affected Packages / Versions - Package: openclaw npm - Affected versions: 2026.4.20 - Patched version: 2026.4.20 Impact Templated hook mapping sessionKey values were treated differently from request-supplied session keys. A hook mapping could render an externally influenced session key even when...

wlc: print_html outputs API data without HTML escaping

Impact The HTML output format in wlc embeds API response data into HTML without escaping, allowing cross-site scripting when the output is rendered in a browser. Patches https://github.com/WeblateOrg/wlc/pull/1327 Workarounds The only vulnerable code path is HTML output which is opt-in. Reference...

Global Web, Local Privacy? an International Review of Web Tracking

Web tracking by ad networks, social networks, and other third parties is privacy-invasive. To protect users' privacy an increasing number of countries are adopting new privacy laws. However, a major reason why their application on the web is so challenging is that privacy laws are local while the...

📄 Pachno 1.0.6 Cross Site Request Forgery

Pachno version 1.0.6 suffers from a cross site request forgery vulnerability. Pachno 1.0.6 Cross-Site Request Forgery Vendor: Daniel André Eikeland Product web page: https://github.com/pachno/pachno Affected version: 1.0.6 Summary: Pachno is an open-source collaboration platform formerly known as...

Pachno 1.0.6 Cross-Site Request Forgery

Summary Pachno is an open-source collaboration platform formerly known as The Bug Genie designed for team project management, issue tracking, and documentation. It offers a module-based, customizable environment for software development and team workflows, distributed under the Mozilla Public...

OpenClaw: Synology Chat reply delivery could be rebound through username-based user resolution.

Summary Synology Chat reply delivery could rebind to a mutable username match instead of the stable numeric userid recorded by the webhook event. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.22 - Latest released tag checked: v2026.3.23-2...

CVE-2025-53222

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in tagDiv tagDiv Opt-In Builder td-subscription allows Reflected XSS.This issue affects tagDiv Opt-In Builder: from n/a through = 1.7.3...

EUVD-2025-208860

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in tagDiv tagDiv Opt-In Builder allows Reflected XSS.This issue affects tagDiv Opt-In Builder: from n/a through 1.7.3...

CVE-2025-53222

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in tagDiv tagDiv Opt-In Builder td-subscription allows Reflected XSS.This issue affects tagDiv Opt-In Builder: from n/a through = 1.7.3...