Malicious code in search-connector-template (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 24aea8e5a7338c49dc96e3945ed4d695024c2e169f560e6f3426005ca4666ea4 package.json declares preinstall: node index.js, which fires automatically on npm install. index.js collects host identity hostname, username, homedi...

Malicious code in @remitee-money-transfer/rmt-base (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5f21c6601855c2f2d0a5d0761d3defe8c0ba1708dd2a67fb278c03e0abd6ba16 Package ships only a preinstall lifecycle script scripts/preinstall.sh and no functional code. On npm install, the script reads /etc/passwd and...

Snappy : SSRF and local file read via the xsl-style-sheet option

Impact It impacts applications where: - the PHP daemon run with root permissions ; - the application is either running outside a container or has sensitive file access ; It could happens with this kind of workflows: php $stylesheet = $GET'stylesheet'; // = ‘file:///etc/passwd’ $pdf = new...

GHSA-C5FP-P67M-GQ56 Snappy : SSRF and local file read via the xsl-style-sheet option

Impact It impacts applications where: - the PHP daemon run with root permissions ; - the application is either running outside a container or has sensitive file access ; It could happens with this kind of workflows: php $stylesheet = $GET'stylesheet'; // = ‘file:///etc/passwd’ $pdf = new...

Fission runtime pods automount the fission-fetcher service-account token into the user function container, granting function code namespace-wide secret / configmap read

Summary Fission runtime pods were created with ServiceAccountName: fission-fetcher, and the fission-fetcher ServiceAccount was granted namespace-wide get on secrets and configmaps it needs that to load function code, env vars, and config. The runtime pod's automounted token was reachable from...

GHSA-85G2-PMRX-R49Q Fission runtime pods automount the fission-fetcher service-account token into the user function container, granting function code namespace-wide secret / configmap read

Summary Fission runtime pods were created with ServiceAccountName: fission-fetcher, and the fission-fetcher ServiceAccount was granted namespace-wide get on secrets and configmaps it needs that to load function code, env vars, and config. The runtime pod's automounted token was reachable from...

EUVD-2026-31335

Concrete CMS 9.5.0 and below fails to sanitize path traversal sequences in the ptComposerFormLayoutSetControlCustomTemplate field when saving page type composer form layouts. An authenticated rogue administrator with composer form editing rights can exploit this to include arbitrary readable file...

CVE-2026-39352

Frappe is a full-stack web application framework. Versions prior to 15.105.0 and 16.15.0 contain a possible Arbitrary File Read vulnerability via Path Traversal. The issue is resolved in versions 16.15.0, 15.105.0 and above...

CVE-2026-48245 Open ISES Tickets < 3.44.2 Hardcoded Google Maps API Key in tables.php

Open ISES Tickets before 3.44.2 embeds a hardcoded Google Maps API key in tables.php that is committed to the public source repository. The key can be extracted by anyone with read access to the source and used to make Google Maps Platform requests billed against the original owner's Google Cloud...

EUVD-2026-31328

Open ISES Tickets before 3.44.2 embeds a hardcoded Google Maps API key in tables.php that is committed to the public source repository. The key can be extracted by anyone with read access to the source and used to make Google Maps Platform requests billed against the original owner's Google Cloud...

CVE-2026-48244

Open ISES Tickets before 3.44.2 contains a hardcoded Google Maps API key in settings.inc.php committed to public source. The API key can be extracted by anyone with read access and used to make Google Maps Platform requests, resulting in billed usage against the original owner’s Google Cloud proj...

EUVD-2026-31323

Open ISES Tickets before 3.44.2 embeds a hardcoded Google Maps API key in settings.inc.php that is committed to the public source repository. The key can be extracted by anyone with read access to the source and used to make Google Maps Platform requests billed against the original owner's Google...

CVE-2026-48243

Open ISES Tickets before 3.44.2 embeds a hardcoded WhitePages reverse-phone API key in wp1.php that is committed to the public source repository. Any actor with read access to the source tree can extract the key and use it to make third-party API calls billed to or rate-limited against the origin...

CVE-2026-48241 Open ISES Tickets < 3.44.2 Hardcoded MySQL Database Credentials in loader.php

Open ISES Tickets before 3.44.2 contains hardcoded MySQL database credentials in loader.php a public-facing database utility that are committed to the source repository. Any actor with access to the public source tree or an unauthenticated attacker with read access to the file on a deployed...

CVE-2026-48234 Open ISES Tickets < 3.44.2 SQL Injection via portal/ajax/list_requests.php sort and dir Parameters

Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in portal/ajax/listrequests.php where the sort and dir GET parameters are concatenated into the ORDER BY clause of a SELECT statement without sanitization. Authenticated attackers can craft requests that alter query semantics ...

CVE-2026-48232

Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/fullsitincidents.php where the offset GET parameter is concatenated into the LIMIT clause of a SELECT statement without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modif...

Mobile Verification Toolkit (MVT): Path Traversal via unsanitized File identifiers in iOS Backup processing

Summary The fileID field from Manifest.db a SQLite database inside iOS backups, generated by the device is used directly in filesystem path construction without validation. This affects two commands through a shared code path: - mvt-ios decrypt-backup decrypt.py: fileid is used to construct both...

CVE-2026-42934

A flaw was found in the ngxhttpcharsetmodule module of NGINX. When charset, sourcecharset, charsetmap and proxypass with disabled buffering "off" directives are configured, an unauthenticated attacker can send crafted requests and cause a heap-based buffer over-read in the worker process, resulti...

GHSA-JC6W-WMFC-FH33 Klever-Go KVM read-only execution can commit contract delete and upgrade side effects

Publisher note Fixed in v1.7.17. Operators running v1.7.17 should upgrade. Contract delete and upgrade host-core paths now reject execution when runtime.ReadOnly is true. The invariant is regression-tested for delete, upgrade, storage writes, value transfers, and any VM output field that can late...

Klever-Go KVM read-only execution can commit contract delete and upgrade side effects

Publisher note Fixed in v1.7.17. Operators running v1.7.17 should upgrade. Contract delete and upgrade host-core paths now reject execution when runtime.ReadOnly is true. The invariant is regression-tested for delete, upgrade, storage writes, value transfers, and any VM output field that can late...