256589 matches found
Malicious code in chalk-ultra (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9a219b45c3fdcdb883eeb2c7e74d20060af2c788865e7925f911e40276dcd631 chalk-ultra is published under a name that mimics the widely-used chalk package, but its main is a verbatim copy of nodemailer source and its...
CVE-2026-35018
NetComm NF20MESH routers running firmware R6B031 and earlier contain an authenticated remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands as root by injecting shell metacharacters into the username JSON parameter processed by the...
EUVD-2026-38455
FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 have a Server-Side Template Injection SSTI vulnerability in the template rendering system. Administrators with access to features that render Twig templates email templates, mass mail campaigns, custo...
CVE-2026-28496 FOSSBilling: Server-side template injection in Twig template rendering enables information disclosure and RCE
FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 have a Server-Side Template Injection SSTI vulnerability in the template rendering system. Administrators with access to features that render Twig templates email templates, mass mail campaigns, custo...
CVE-2026-28496
CVE-2026-28496 (FOSSBilling) affects versions prior to 0.8.0, where a Server-Side Template Injection (SSTI) in Twig template rendering allows an attacker with access to template-rendering features (email templates, mass mail campaigns, custom payment adapters, string_render API) to inject arbitra...
Malicious code in ttal2ttml (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 29387ac35a2248ad2e4b287b8c082f8d1a8d03b4937fc84a5b81fb85697e19d4 package.json declares a preinstall lifecycle script that runs node -e "tryrequire'childprocess'.execSync'curl -sf...
CVE-2026-35018
NetComm NF20MESH routers running firmware R6B031 and earlier are affected by an authenticated remote code execution vulnerability. The flaw resides in dalStorage_addUserAccount where shell metacharacters injected into the username JSON parameter are unsafely concatenated into a shell command stri...
EUVD-2026-38452
NetComm NF20MESH routers running firmware R6B031 and earlier contain an authenticated remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands as root by injecting shell metacharacters into the username JSON parameter processed by the...
CVE-2026-56315
picklescan before 1.0.4 fails to block at least seven Python standard library modules including uuid, osxsupport, aixsupport, pyrepl.pager, and imaplib exposing eight functions that provide direct arbitrary command execution. Attackers can craft malicious pickle files importing these unblocked...
CVE-2025-71365
picklescan before 0.0.33 fails to detect malicious pickle files that invoke numpy.f2py.crackfortran.myeval function through the reduce method. Attackers can craft malicious pickle files embedding arbitrary code that evades picklescan detection and executes remote code when loaded...
CVE-2025-71341
picklescan before 0.0.29 fails to detect the profile.Profile.runctx function when analyzing pickle files, allowing attackers to embed undetected malicious code. Remote attackers can craft malicious pickle files using profile.Profile.runctx in the reduce method to achieve remote code execution whe...
CVE-2026-56315
CVE-2026-56315 affects the Python tool picklescan until version 1.0.4, which fails to block imports from at least seven standard library modules (e.g., uuid, _osx_support, _aix_support, _pyrepl.pager, imaplib). This allows adversaries to craft pickle files that import these unblocked modules to t...
EUVD-2026-38437
picklescan before 1.0.4 fails to block at least seven Python standard library modules including uuid, osxsupport, aixsupport, pyrepl.pager, and imaplib exposing eight functions that provide direct arbitrary command execution. Attackers can craft malicious pickle files importing these unblocked...
CVE-2026-56315 picklescan - Remote Code Execution via Unblocked Standard Library Modules
picklescan before 1.0.4 fails to block at least seven Python standard library modules including uuid, osxsupport, aixsupport, pyrepl.pager, and imaplib exposing eight functions that provide direct arbitrary command execution. Attackers can craft malicious pickle files importing these unblocked...
CVE-2026-56274
Flowise
CVE-2025-71370
Vulnerability summary (CVE-2025-71370): picklescan before 0.0.28 fails to detect malicious torch.jit.unsupported_tensor_ops.execWrapper function calls embedded in pickle files. Attackers can craft malicious pickle files that bypass picklescan detection and execute arbitrary code when loaded via p...
CVE-2025-71341
CVE-2025-71341 : The affected component is picklescan (versions before 0.0.29). The root cause is that the analyzer fails to detect the profile.Profile.runctx function when inspecting pickle files, specifically in the reduce method. This enables remote attackers to craft pickle payloads that embe...
CVE-2025-71365
picklescan before 0.0.33 fails to detect malicious pickle files that invoke numpy.f2py.crackfortran.myeval function through the reduce method. Attackers can craft malicious pickle files embedding arbitrary code that evades picklescan detection and executes remote code when loaded...
EUVD-2025-210306
picklescan before 0.0.33 fails to detect malicious pickle files that invoke numpy.f2py.crackfortran.myeval function through the reduce method. Attackers can craft malicious pickle files embedding arbitrary code that evades picklescan detection and executes remote code when loaded...
EUVD-2025-210305
picklescan before 0.0.29 fails to detect the profile.Profile.runctx function when analyzing pickle files, allowing attackers to embed undetected malicious code. Remote attackers can craft malicious pickle files using profile.Profile.runctx in the reduce method to achieve remote code execution whe...