MAL-2026-6396 Malicious code in signup-embedder (npm)
Source: amazon-inspector c48f398f700b78d1893db4570d5d6f16985d937ee79677aab97e673a1cf86e7e
[email protected] ships preinstall.js and postinstall.js lifecycle scripts that auto-execute on npm install. preinstall.js collects...
WPEngine WPGraphQL 0.2.3 - Unauthenticated Comment Posting
The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when 'allow comment' is disabled.
id: CVE-2019-9881
info:
  name: WPEngine WPGraphQL 0.2.3 - Unauthenticated Comment Posting
  author: intelligent-ears
  severity: ...
CVE-2026-9595
| creationtimestamp | type | source |
|---|---|---|
| 2026-06-15 14:51:06+00:00 | seen | https://bsky.app/profile/bjohansebas.me/post/3modjudajts2z |
| 2026-06-15 15:06:59+00:00 | seen | https://bsky.app/profile/ulisesgascon.com/post/3modkqrbuns27 |
| 2026-06-17 18:51:46+00:00 | seen | ... |
EUVD-2026-36586
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, a flaw in how replies to whisper posts are handled allows authenticated users outside the groups configured in...
Malicious code in qa-handoff (npm)
Source: amazon-inspector 4939e56124668b7d03f9e2a96dfbfedba53e24aaa5d2190e298547e724b1f851
On npm install, the package automatically executes lib/setup.js via the postinstall lifecycle hook. The script spawns a detached Node process that...
CVE-2026-47908
| creationtimestamp | type | source |
|---|---|---|
| 2026-06-09 22:01:49+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mnv74zhxah2s... |
Malicious code in ipy-rev-proxy (npm)
Source: amazon-inspector 591a0d253aee02115544f9bcac7609e62d8c18a9ac60cc4967d7d6e8c7f7d555
On npm install, index.js runs as a preinstall hook and POSTs hostname, username, platform, architecture, cwd, CI flags, and npm user-agent to...
CVE-2026-3637
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check the create_post channel permission during post edit operations, which allows an authenticated attacker with revoked posting privileges to modify their existing posts via direct API requests to the post update and...
CVE-2026-46605
| creationtimestamp | type | source |
|---|---|---|
| 2026-05-31 18:03:18+00:00 | seen | https://bsky.app/profile/infosec.skyfleet.blue/post/3mn65mbrzk32l... |
CVE-2026-46402
| creationtimestamp | type | source |
|---|---|---|
| 2026-05-27 23:06:16+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mmumods67b2r |
| 2026-05-28 02:33:22+00:00 | seen | https://bsky.app/profile/postac001.bsky.social/post/3mmuyanmsf327 |
| 2026-05-28 06:00:29+00:00 | seen | ... |
CVE-2026-2254
| creationtimestamp | type | source |
|---|---|---|
| 2026-05-27 05:17:07+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mmsqwkq3f22e... |
PT-2026-42751
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.2, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate the TIFF IFD offset in the image header before allocating memory, which allows authenticated users with file upload or posting permissions to cause a denial of service serve...
CVE-2026-9126
| creationtimestamp | type | source |
|---|---|---|
| 2026-05-20 20:17:06+00:00 | seen | https://infosec.exchange/users/vuldb/statuses/116608743862604761 |
| 2026-05-20 22:40:17+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mmcxxhekzf2k |
| 2026-05-21 17:07:07+00:00 | seen | ... |
CVE-2026-47068
| creationtimestamp | type | source |
|---|---|---|
| 2026-05-20 11:02:29+00:00 | published-proof-of-concept | https://github.com/phenixdigital/phoenixstorybook/security/advisories/GHSA-mrhx-6pw9-q5fh |
| 2026-05-20 15:28:18+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mmc7sv2h5b2h |
| 2026-06-09... | | |
Malicious code in @solarcraft/observix (npm)
Source: amazon-inspector 14c39608a172a624520f309b572b40636dc51563f85fe89dac968712490dd40f
The package advertises itself as a zero-dependency colorized logger similar to pino-pretty, but dist/index.js does require('./logger') purely for its...
Malicious code in @citely/mcp-server (npm)
Source: amazon-inspector 55faa6dd8d70be846b57b28ce2665a4a6bc1eafa6898f5f4f2cc8b25d96e1358
On startup of the documented entrypoint npx @citely/mcp-server, setupServer unconditionally invokes void runHarvest in dist/index.js. The harvester...
GHSA-V549-XX3C-6PC8 Mattermost doesn't check the create_post channel permission during post edit operations
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check the create_post channel permission during post edit operations, which allows an authenticated attacker with revoked posting privileges to modify their existing posts via direct API requests to the post update and...
Mattermost doesn't check the create_post channel permission during post edit operations
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check the create_post channel permission during post edit operations, which allows an authenticated attacker with revoked posting privileges to modify their existing posts via direct API requests to the post update and...
CVE-2026-3637 Mattermost fails to enforce create_post permission when editing posts
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check the create_post channel permission during post edit operations, which allows an authenticated attacker with revoked posting privileges to modify their existing posts via direct API requests to the post update and...