MAL-2026-5731 Malicious code in houzidawang807 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7568d90e7a8d940b5618fa36bccfc2b7fa02ceaa814f0a416d2cc989c685e489 Package advertises itself as 'a simple date formatting utility' but ships an SSH-key-stealing C2 client. postinstall.js enumerates /.ssh for .pub...

Malicious code in houzidawang806 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2dbf603db6d0a3434c6c417dd460f26d08b9e230c03926f05987bb3841d3c72b Package self-describes as 'A simple date formatting utility' but ships two distinct attacker primitives. 1 postinstall.js enumerates /.ssh/ for .pub...

CVE-2026-45614

A flaw was found in OP-TEE Trusted Execution Environment. This vulnerability allows a local attacker to reconstruct the private key by providing approximately 30-40 specially crafted public keys during the Elliptic Curve Diffie-Hellman ECDH shared secret generation. The system fails to verify if...

EUVD-2026-34159

OP-TEE is a Trusted Execution Environment TEE designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Prior to version 4.11.0, on many of the ECDH shared secret paths, the public key isn't verified to be a point on the correct curve. By...

CVE-2026-45614

OP-TEE up to version 4.10.x is vulnerable in ECDH shared secret paths where the public key isn’t verified as a valid curve point. An attacker with local access can inject ~30–40 crafted public keys to force key derivation (TEE_DeriveKey) and leak d mod r across calls, enabling recovery of the pri...

CVE-2026-45614 OP-TEE vulnerable to ECDH private key recovery

OP-TEE is a Trusted Execution Environment TEE designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Prior to version 4.11.0, on many of the ECDH shared secret paths, the public key isn't verified to be a point on the correct curve. By...

Linux Distros Unpatched Vulnerability : CVE-2026-45614

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - OP-TEE is a Trusted Execution Environment TEE designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology...

PT-2026-42670

Name of the Vulnerable Software and Affected Versions Nimiq versions prior to 1.4.0 Description A denial-of-service issue exists in the Ed25519 multisig delinearization code path. The function Ed25519PublicKey::delinearize in keys/src/multisig/mod.rs uses .unwrap during curve point decompression,...

CVE-2026-42859 Neat VNC: Buffer overflow due to oversized RSA public keys

Neat VNC is a VNC server library. Prior to 0.9.6, a pre-authentication stack buffer overflow exists in neatvnc in the RSA-AES security type handler. An unauthenticated remote attacker who can reach the VNC listening socket can send a crafted security type 5 RSA-AES or security type 129 RSA-AES-25...

RHCOS 4 : OpenShift Container Platform 4.5 (RHSA-2020:2413)

The remote Red Hat Enterprise Linux CoreOS 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2413 advisory. - kubernetes: credential leak in kube-controller-manager via error messages in mount failure logs and events for AzureFile and CephF...

PT-2026-37312

Name of the Vulnerable Software and Affected Versions phpseclib versions prior to 1.0.29 phpseclib versions prior to 2.0.54 phpseclib versions prior to 3.0.52 Description phpseclib is a PHP secure communications library. An issue exists where loading untrusted ASN1 files, such as X509 certificate...

Astra Linux - Vulnerability in Golang-1.19

Extremely large RSA keys in certificate chains can cause clients and servers to spend significant CPU time verifying signatures. With this fix, the size of RSA keys transmitted during handshake operations is limited to 8192 bits or less. Based on a survey of publicly trusted RSA keys, there are...

CLSA-2026-1777545003 rpm: Fix of CVE-2021-3521

CVE-2021-3521: validate and require subkey binding signatures on PGP public keys...

CLSA-2026-1777539405 rpm: Fix of CVE-2021-3521

CVE-2021-3521: validate and require subkey binding signatures on PGP public keys...

CLSA-2026-1777539108 rpm: Fix of CVE-2021-3521

CVE-2021-3521: validate and require subkey binding signatures on PGP public keys...

CVE-2026-34950 fast-jwt has an incomplete fix for CVE-2023-48223: JWT Algorithm Confusion via Whitespace-Prefixed RSA Public Key

fast-jwt provides fast JSON Web Token JWT implementation. In 6.1.0 and earlier, the publicKeyPemMatcher regex in fast-jwt/src/crypto.js uses a ^ anchor that is defeated by any leading whitespace in the key string, re-enabling the exact same JWT algorithm confusion attack that CVE-2023-48223 patch...

CVE-2026-29133

SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to upload PGP keys with UIDs that do not match their email address...

PT-2026-29694

SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to upload PGP keys with UIDs that do not match their email address...

Malicious code in @metaplex-foundations/umi-public-keys (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 48abfc0f902cd0f09b0c2ae7449eaefbf3b4baf1cb12e4165f509b86f7ad8692 The package @metaplex-foundations/umi-public-keys was found to contain malicious code. Source: ghsa-malware...

Heap-based Buffer Overflow

Overview Affected versions of this package are vulnerable to Heap-based Buffer Overflow in the wceccimportx963ex function when handling EC public key points in the KCAPI ECC code path. An attacker can cause memory corruption and potentially execute arbitrary code by sending a crafted oversized EC...