MAL-2026-5445 Malicious code in grateful-payments (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1a7a07a0a09ed8037058353b9b9b067e25e3cbe783eaab8d54276d490f823471 On npm install, the package's postinstall script src/canary.js performs a DNS lookup and HTTPS GET to the hardcoded host...

Malicious code in exodus-solana-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ecffe98bff5e1c4655631cf8f92b1b1ccb534e0eeaa7043fab0d5fa1fbfabc35 Package name impersonates the Exodus cryptocurrency wallet brand exodus-solana-sdk. package.json declares a postinstall hook node src/canary.js that...

Malicious code in exodus-ethereum-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b4e52a42f8980da0a9df361ef772ca31bbdaec85eb3fc7a73dbcfc8b5ca6894a Package name impersonates the Exodus cryptocurrency wallet brand and ships no real functionality src/index.js exports an empty object; package.json...

MAL-2026-5440 Malicious code in exodus-ethereum-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b4e52a42f8980da0a9df361ef772ca31bbdaec85eb3fc7a73dbcfc8b5ca6894a Package name impersonates the Exodus cryptocurrency wallet brand and ships no real functionality src/index.js exports an empty object; package.json...

Malicious code in @klapp-login-platform/native-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3b3bc8633d15b44abc90074d3362fd9399f53d10a88e24264caee9d924a72bb6 On npm install, the package's preinstall lifecycle hook runs node index.js, which collects installer-side identifiers — os.hostname,...

CVE-2026-45503

Server-side request forgery ssrf in Microsoft Exchange Server allows an authorized attacker to disclose information over a network...

CVE-2026-42767

Issue summary: An attacker-controlled CMP Certificate Management Protocol server could trigger a NULL pointer dereference in a CMP client application. Impact summary: A NULL pointer dereference causes a crash of the application and a Denial of Service. An attacker controlling a CMP server or acti...

CVE-2026-45504

CVE-2026-45504 is an SSRF-based elevation of privilege in Microsoft Exchange Server . The entry notes an attacker who is authorized can elevate privileges over the network. CVSS v3.1 base score is 8.8 (HIGH) with NETWORK attack vector, LOW attack complexity, and LOW privileges required, with NONE...

USN-8413-1 cyborg vulnerabilities

It was discovered that Cyborg did not properly enforce project ownership in the Accelerator Request ARQ API. An authenticated user could possibly use this issue to delete ARQs bound to other projects' instances, resulting in a cross-tenant denial of service. CVE-2026-40214 It was discovered that...

CVE-2026-42767

The CVE-2026-42767 issue affects the OpenSSL CMP client: processing a CRMF CertRepMessage with EncryptedValue where symmAlg has an OID but no parameters can trigger a NULL pointer dereference, crashing the CMP client and enabling DoS. The vulnerability is due to improper handling during CMP respo...

CVE-2026-42767 NULL Pointer Dereference in CRMF EncryptedValue Decryption

Issue summary: An attacker-controlled CMP Certificate Management Protocol server could trigger a NULL pointer dereference in a CMP client application. Impact summary: A NULL pointer dereference causes a crash of the application and a Denial of Service. An attacker controlling a CMP server or acti...

CVE-2026-35188 Double-free When Checking OCSP Stapled Response

Issue summary: A malicious server can exploit TLS OCSP stapling by delivering a crafted response through the statusrequest extension, triggering a double-free in the client's certificate verification path. Impact summary: Successful exploitation allows an attacker to corrupt heap memory via a...

CVE-2026-49842 FreeSWITCH: Pre-authentication bandwidth amplification via `mod_verto` speed-test frames

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, modverto's WebSocket frame loop intercepts a -prefixed speed-test protocol SPU / SPB / SP...

CVE-2026-49841 FreeSWITCH: Pre-authentication heap buffer overflow in `mod_verto` HTTP POST body read

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, the modverto HTTP request handler allocates a fixed 2 MiB buffer for a POST...

EUVD-2026-35472

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, the modverto HTTP request handler allocates a fixed 2 MiB buffer for a POST...

MAL-2026-5396 Malicious code in @sqlite-node/createsql (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6f6f2c4e3192b71fc68681fbb8c8216a5e581e9f2baaa13954172249a8ddf5b6 The package advertises itself as a SQLite toolkit but ships no SQLite functionality. Its main entry index.js is a single heavily obfuscated module...

CVE-2026-11491

A vulnerability was identified in CodeAstro Human Resource Management System 1.0. Impacted is an unknown function of the file /notice/Allnotice of the component Notice Board Management. Such manipulation of the argument Notice Title with the input as part of POST leads to cross site scripting. It...

GHSA-3QP7-7MW8-WX86 vulnerabilities

Vulnerabilities for packages: wildfly, cassandra-reaper, keycloak, keycloak-fips, pinot, hono, camunda, camunda-zeebe, zookeeper-fips, apache-nifi, s3proxy-fips, strimzi-kafka-operator-fips, request-9047-keycloak-fips, flyway-fips, management-api-for-apache-cassandra-4.0, zookeeper, infinispan,...

CVE-2026-45416 vulnerabilities

Vulnerabilities for packages: wildfly, cassandra-reaper, keycloak, keycloak-fips, pinot, hono, camunda, camunda-zeebe, zookeeper-fips, apache-nifi, s3proxy-fips, strimzi-kafka-operator-fips, request-9047-keycloak-fips, flyway-fips, management-api-for-apache-cassandra-4.0, zookeeper, infinispan,...

CVE-2026-44249 vulnerabilities

Vulnerabilities for packages: wildfly, cassandra-reaper, keycloak, keycloak-fips, pinot, hono, camunda, camunda-zeebe, zookeeper-fips, apache-nifi, s3proxy-fips, strimzi-kafka-operator-fips, request-9047-keycloak-fips, flyway-fips, management-api-for-apache-cassandra-4.0, zookeeper, infinispan,...