NodeVM builtin denylist bypass via process and inspector/promises allows host code execution
Summary: NodeVM blocks several dangerous Node.js builtins such as module, worker_threads, cluster, vm, repl, and inspector. However, the denylist misses process and inspector/promises. Both can be used from sandboxed code to reach host-side execution primitives. This allows sandboxed code to bypass...
CVE-2026-21944
Vulnerability in the Oracle Agile Product Lifecycle Management for Process product of Oracle Supply Chain component: Product Quality Management. The supported version that is affected is 6.2.4. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to...
CVE-2026-21969
Vulnerability in the Oracle Agile Product Lifecycle Management for Process product of Oracle Supply Chain component: Supplier Portal. The supported version that is affected is 6.2.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle...
EUVD-2025-177624
Malicious code in new-optimize-async-spy-process npm...
EUVD-2025-121788
Malicious code in spectron-webdriver-process-yonder-antd npm...
EUVD-2025-123082
Malicious code in pulsar-process-postgres-sedna npm...
SUSE-SU-2025:03210-1 Security update for the Linux Kernel (Live Patch 7 for SLE 15 SP6)
This update for the Linux Kernel 6.4.0-1506002333 fixes several issues. The following security issues were fixed: - CVE-2025-38087: net/sched: fix use-after-free in taprio_dev_notifier (bsc#1245504). - CVE-2025-21999: proc: fix UAF in proc_get_inode (bsc#1242579). - CVE-2025-38001: net_sched: hfsc: Address...
memcg: fix soft lockup in the OOM process
...
Malicious code in dysonswarm-antares-eventhoriz-process (npm)
The package dysonswarm-antares-eventhoriz-process was found to contain malicious code...
CVE-2024-9714 Trimble SketchUp Viewer SKP File Parsing Use-After-Free Remote Code Execution Vulnerability
Trimble SketchUp Viewer SKP File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Trimble SketchUp Viewer. User interaction is required to exploit this vulnerability in that the target mus...
CVE-2024-50187
In the Linux kernel, the following vulnerability has been resolved: drm/vc4: Stop the active perfmon before being destroyed Upon closing the file descriptor, the active performance monitor is not stopped. Although all perfmons are destroyed in vc4_perfmon_close_file, the active performance monitor's...
Researchers Uncover Python Package Targeting Crypto Wallets with Malicious Code
Cybersecurity researchers have discovered a new malicious Python package that masquerades as a cryptocurrency trading tool but harbors functionality designed to steal sensitive data and drain assets from victims' crypto wallets. The package, named "CryptoAITools," is said to have been distributed...
CVE-2024-8590
A maliciously crafted 3DM file, when parsed in atf_api.dll through Autodesk AutoCAD, can force a Use-After-Free vulnerability. A malicious actor can leverage this vulnerability to cause a crash, write sensitive data, or execute arbitrary code in the context of the current process...
CVE-2024-50031
In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Stop the active perfmon before being destroyed When running kmscube with one or more performance monitors enabled via GALLIUM_HUD, the following kernel panic can occur: [55.008324] Unable to handle kernel paging request at...
CVE-2024-49854
In the Linux kernel, the following vulnerability has been resolved: block, bfq: fix uaf for accessing waker_bfqq after splitting After commit 42c306ed7233 ("block, bfq: don't break merge chain in bfq_split_bfqq"), if the current process is the last holder of bfqq, the bfqq can be freed after...
CVE-2024-47739
In the Linux kernel, the following vulnerability has been resolved: padata: use integer wrap around to prevent deadlock on seqnr overflow When submitting more than 2^32 padata objects to padata_do_serial, the current sorting implementation incorrectly sorts padata objects with overflowed seqnr,...
Denial of service in http-proxy-middleware
Versions of the package http-proxy-middleware before 2.0.7, and from 3.0.0 before 3.0.3, are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths...