4 matches found
CVE-2026-44586
SiYuan (desktop) Bazaar marketplace before 3.7.0 renders package author metadata into HTML without escaping, enabling stored XSS. Because Electron windows are created with nodeIntegration: true and contextIsolation: false, a successful payload could access Node.js APIs and run code on the host. A...
MAL-2025-8022 Malicious code in @hishprorg/dolorum-aut (npm)
The package @hishprorg/dolorum-aut was found to contain malicious code...
Phar unserialization vulnerability in phpMussel
Impact: What kind of vulnerability is it? Who is impacted? Anyone using = v1.0.0 = v1.6.0 the earliest safe version will resolve the problem. However, as multiple new major versions have been released since that version, upgrading to the latest available version is recommended, in order to protect...
Unsafe eval()
Overview: Affected versions of summit allow attackers to execute arbitrary commands via collection names when using the PouchDB driver. Recommendation: No direct patch is available at this time. Currently, the best option to mitigate the issue is to avoid using the PouchDB driver, as the package...