Malicious code in 0x2ai-multi-mq (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7d056f067b0af2084bd7777fcdb2ae6e2c06bb67f40929ba9900b5aa9cb83649 When the documented invocation npx 0x2ai-multi-mq is run, bin/start.cjs copies chatroom-mcp-lite-patched.cjs and chatroom-monitor.cjs into the user's...

MAL-2026-5600 Malicious code in 0x2ai-multi-mq (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7d056f067b0af2084bd7777fcdb2ae6e2c06bb67f40929ba9900b5aa9cb83649 When the documented invocation npx 0x2ai-multi-mq is run, bin/start.cjs copies chatroom-mcp-lite-patched.cjs and chatroom-monitor.cjs into the user's...

Security update for cockpit

This update for cockpit fixes the following issues CVE-2026-4802: remote command execution via unsanitized user-controlled parameters within crafted links in system logs UI bsc1265040. CVE-2026-25547: brace-expansion: unbounded brace range expansion can lead to excessive CPU and memory consumptio...

SUSE-SU-2026:2363-1 Security update for cockpit

This update for cockpit fixes the following issues - CVE-2026-4802: remote command execution via unsanitized user-controlled parameters within crafted links in system logs UI bsc1265040. - CVE-2026-25547: brace-expansion: unbounded brace range expansion can lead to excessive CPU and memory...

Malicious code in telebot-server (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3d3c49bb558149b55f90b708ff47e24f6f856a88abb4b2ed477633c3df43d4e2 The package advertises itself as a configurable Telegram bot server README and.env.example reference TELEGRAMBOTTOKEN and ALLOWEDUSERIDS, but the cod...

CVE-2026-10795 UpdraftPlus: WP Backup & Migration Plugin <= 1.26.4 - Unauthenticated Authentication Bypass via UpdraftCentral udrpc

The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.26.4 via the UpdraftPlusRemoteCommunicationsV2::wploaded function. This is due to insufficient validation of the remote communications message format,...

Malicious code in @403name/fsevent (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2f86ca4502cc824c3684e8f1e08b088b974b4339829461b50d45e3fbc6f808eb On require, index.js runs an IIFE that gates to macOS, skips when CI or GITHUBACTIONS is set, waits 30-90 seconds, and writes a one-shot marker at...

CVE-2026-0409

A NETGEAR security issue that could allow an attacker with ability to intercept and tamper with traffic between the router and the Internet to run commands on your device when the device administrator performs certain specific management actions. This issue affects NETGEAR Orbi 370 series devices...

MAL-2026-5519 Malicious code in requests-toolbelt-plus (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 38c64ca050de4910f56bc4a652890b0a378082859cb62153762c6ae08b4b8eae The package impersonates the popular requests-toolbelt library but ships an empty requeststoolbeltplus/init.py and places its real logic in setup.py...

SUSE-SU-2026:2350-1 Security update for wicked

This update for wicked fixes the following issues: - CVE-2026-44932: Fixed indirect remote shell command injection via unsanitized DHCP options bsc1265221...

SUSE-SU-2026:2349-1 Security update for wicked

This update for wicked fixes the following issue - CVE-2026-44932: indirect remote shell command injection via unsanitized DHCP options bsc1265221. Changes for wicked: - Update to version 0.6.79 - Fix to escape single-quotes in leaseinfo dump output used by the wicked test dhcp4 and wicked test...

samba: Remote Code Execution in SAMR

A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the "check password script" feature. If this script is configured with the %u substitution character, the client-controlled username is passed without proper...

CVE-2026-46746

A vulnerability has been identified in SINEC INS All versions V1.0 SP2 Update 6. The application does not properly sanitize user input in the /api/sftp/uploadFiles endpoint, allowing the injection of shell command payloads via crafted directory names. These payloads are stored and executed when...

CVE-2025-66273

A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS...

CVE-2026-24719 QTS, QuTS hero

A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS...

CVE-2025-66279

CVE-2025-66279 is a command-injection vulnerability affecting several QNAP OS versions. The issue allows an attacker who already has an administrator account to execute arbitrary commands remotely. Affected products/versions include QTS 5.2.9.3410 build 20260214 and later; QuTS hero h5.2.9.3410 b...

EUVD-2025-210100

A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS...

CVE-2025-66273 QTS, QuTS hero

A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS...

Exploit for CVE-2026-48732

CVE-2026-48732: Warp Remote SSH cwd Command Injection PoC...

QNAP Systems QTS和QNAP Systems QuTS hero 操作系统命令注入漏洞

QNAP Systems QTS and QNAP Systems QuTS hero are software products with data storage and management functions developed by QNAP Systems, a company based in Taiwan, China. Both products have an operating system command injection vulnerability. This vulnerability arises from command injections, whic...