1833 matches found
MAL-2026-10534 Malicious code in motion-pull (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4e50d15810c044b3b0355460fdeacea42d89944d351e74bcce9fd976f91915ea [email protected] impersonates the pino logger exports module.exports.pino = middleware, uses logger-themed keywords, ships a ./pino require target...
Malicious code in motion-pull (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4e50d15810c044b3b0355460fdeacea42d89944d351e74bcce9fd976f91915ea [email protected] impersonates the pino logger exports module.exports.pino = middleware, uses logger-themed keywords, ships a ./pino require target...
EUVD-2026-43578
A security vulnerability has been detected in wandb 0.25.2.dev1. Affected is the function ArtifactManifestEntry.download in the library wandb/sdk/lib/hashutil.py of the component Artifact Integrity Validation. The manipulation leads to use of weak hash. The attack may be initiated remotely. A hig...
CVE-2026-15529 yzhao062 pyod persistence.py pyod.utils.persistence.load deserialization
A vulnerability was detected in yzhao062 pyod 3.5.0/3.5.1/3.5.2. Affected is the function pyod.utils.persistence.load of the file pyod/utils/persistence.py. Performing a manipulation of the argument path results in deserialization. The attack can be initiated remotely. The pull request to fix thi...
EUVD-2026-42727
A vulnerability was detected in lo48576 fbxcel up to 0.9.0. This affects an unknown part of the file src/pullparser/v7400/parser.rs of the component Node Header Handler. The manipulation results in denial of service. The attack must be initiated from a local position. The exploit is now public an...
CVE-2026-15311 NousResearch hermes-agent Matrix Adapter matrix.py MatrixAdapter._markdown_to_html cross site scripting
A vulnerability was identified in NousResearch hermes-agent up to 2026.5.29.2. Affected by this issue is the function MatrixAdapter.markdowntohtml of the file gateway/platforms/matrix.py of the component Matrix Adapter. Such manipulation leads to cross site scripting. The attack can be executed...
CVE-2026-45788
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, secure uploads could be exposed by pullhotlinkedimages when an attacker knew the secured upload URL and the secureuploads site setting was enabled. This issue is fixed in versions 2026.6.0,...
CVE-2026-15276
Symphonia (pdeljanov) up to version 0.6.0 exposes a denial-of-service vulnerability in the Metadata Handler. The issue affects unknown code paths; exploitation requires local access and a publicly published exploit exists. A fix is in a pull request but has not yet been accepted. The advisory not...
CVE-2026-15276 pdeljanov Symphonia Metadata denial of service
A flaw has been found in pdeljanov Symphonia up to 0.6.0. This vulnerability affects unknown code of the component Metadata Handler. This manipulation causes denial of service. The attack needs to be launched locally. The exploit has been published and may be used. The pull request to fix this...
CVE-2026-15274 lo48576 fbxcel Node Header parser.rs denial of service
A vulnerability was detected in lo48576 fbxcel up to 0.9.0. This affects an unknown part of the file src/pullparser/v7400/parser.rs of the component Node Header Handler. The manipulation results in denial of service. The attack must be initiated from a local position. The exploit is now public an...
CVE-2026-15274
Summary of CVE-2026-15274 (lo48576 fbxcel) : Affects the product line lo48576 fbxcel up to version 0.9.0. The issue targets an unknown part of the Node Header Handler, specifically the file src/pull_parser/v7400/parser.rs, where manipulation leads to a Denial of Service. Access is required from a...
CVE-2026-15274
A vulnerability was detected in lo48576 fbxcel up to 0.9.0. This affects an unknown part of the file src/pullparser/v7400/parser.rs of the component Node Header Handler. The manipulation results in denial of service. The attack must be initiated from a local position. The exploit is now public an...
CVE-2026-15193 AidanPark openclaw-android Android WebView Bridge JsBridge.kt os command injection
A vulnerability was determined in AidanPark openclaw-android up to 0.4.0. The affected element is an unknown function of the file android/app/src/main/java/com/openclaw/android/JsBridge.kt of the component Android WebView Bridge. This manipulation causes os command injection. The attack can only ...
CVE-2026-14362
A flaw was found in HashiCorp memberlist. An attacker with network access to the gossip port could exploit a vulnerability in the push/pull state handling. This could lead to memory exhaustion on a receiving node, causing the process to terminate. This flaw results in a Denial of Service DoS...
CVE-2026-14362
HashiCorp memberlist before version 0.6.0 is vulnerable to a denial-of-service issue in its push/pull state handling that may allow an attacker with network access to the gossip port to exhaust memory on a receiving node and cause the process to terminate. This vulnerability CVE-2026-14362 is fix...
CVE-2026-14362
The CVE-2026-14362 entry applies to HashiCorp’s memberlist prior to version 0.6.0. The vulnerability resides in the push/pull gossip state handling, allowing an attacker with network access to the gossip port to exhaust memory on a receiving node, leading to process termination. Impact is a denia...
CVE-2026-14362 Denial of service via crafted push/pull gossip message in memberlist
HashiCorp memberlist before version 0.6.0 is vulnerable to a denial-of-service issue in its push/pull state handling that may allow an attacker with network access to the gossip port to exhaust memory on a receiving node and cause the process to terminate. This vulnerability CVE-2026-14362 is fix...
CVE-2026-54344
ToolJet is an open-source low-code platform for building internal tools. Prior to 3.20.180, ToolJet's render preview deployment workflow interpolates github.event.comment.body directly into a bash conditional in a run step, allowing any GitHub user who can comment on an open pull request with a...
CVE-2026-54344 ToolJet GitHub Actions comment body shell injection exposes deployment secrets
ToolJet is an open-source low-code platform for building internal tools. Prior to 3.20.180, ToolJet's render preview deployment workflow interpolates github.event.comment.body directly into a bash conditional in a run step, allowing any GitHub user who can comment on an open pull request with a...
CVE-2026-50015
A flaw was found in pnpm. An attacker can exploit this by contributing a malicious patch file through a pull request. During the pnpm install process, the patch application pipeline fails to validate file paths extracted from these patch files. This allows the attacker to write or delete arbitrar...