Malicious code in request-js-validator (npm)

Copy of 'request' library with injected payload. Spawns detached child process that fetches stage-2 and executes via new Function.constructor'require', payload. Same pattern as express-session-js. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector...

CVE-2026-34756 vLLM Affected by Unauthenticated OOM Denial of Service via Unbounded `n` Parameter in OpenAI API Server

vLLM is an inference and serving engine for large language models LLMs. From 0.1.0 to before 0.19.0, a Denial of Service vulnerability exists in the vLLM OpenAI-compatible API server. Due to the lack of an upper bound validation on the n parameter in the ChatCompletionRequest and CompletionReques...

CVE-2026-34756 vLLM Affected by Unauthenticated OOM Denial of Service via Unbounded `n` Parameter in OpenAI API Server

vLLM is an inference and serving engine for large language models LLMs. From 0.1.0 to before 0.19.0, a Denial of Service vulnerability exists in the vLLM OpenAI-compatible API server. Due to the lack of an upper bound validation on the n parameter in the ChatCompletionRequest and CompletionReques...

CVE-2025-47391

CVE-2025-47391 corresponds to a memory corruption issue described in connected records as a stack-based buffer overflow in a camera driver, triggered during processing of a frame request from user. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates local attack vector with low pr...

CVE-2025-47391 Stack-based Buffer Overflow in Camera Driver

Memory corruption while processing a frame request from user...

CVE-2025-47390 Buffer Over-read in Camera

Memory corruption while preprocessing IOCTL request in JPEG driver...

EUVD-2026-19241

A vulnerability was identified in Free5GC 4.2.0. This affects an unknown function of the component NGSetupRequest Handler. Such manipulation leads to denial of service. The attack may be launched remotely. The exploit is publicly available and might be used...

CVE-2026-5661

A vulnerability was identified in Free5GC 4.2.0. This affects an unknown function of the component NGSetupRequest Handler. Such manipulation leads to denial of service. The attack may be launched remotely. The exploit is publicly available and might be used...

BIT-PARSE-2026-34573 Parse Server: GraphQL complexity validator exponential fragment traversal DoS

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads. A singl...

CVE-2026-32871

A flaw was found in FastMCP. An authenticated attacker can exploit a path traversal vulnerability in the buildurl method of the RequestDirector class. By manipulating path parameters in an OpenAPI operation, an attacker can use directory traversal sequences ../ to bypass the intended API prefix...

CVE-2026-5661 Free5GC NGSetupRequest denial of service

A vulnerability was identified in Free5GC 4.2.0. This affects an unknown function of the component NGSetupRequest Handler. Such manipulation leads to denial of service. The attack may be launched remotely. The exploit is publicly available and might be used...

CVE-2026-5661

The CVE-2026-5661 affects Free5GC 4.2.0, specifically the NGSetupRequest Handler. The vulnerability allows denial of service via remote manipulation of the NGSetupRequest function. The attack can be launched remotely, and a public exploit is available. No remediation details are provided in the s...

CVE-2026-5644

A security flaw has been discovered in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. Affected is an unknown function of the file /admin/Add%20notice/batch-notice.php. Performing a manipulation of the argument $SERVER'PHPSELF' results in cross site scripting...

CVE-2026-5642

A vulnerability was determined in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. This affects an unknown function of the file /viva/update.php of the component HTTP POST Request Handler. This manipulation of the argument Name causes improper authorization. It ...

CVE-2026-5642 Cyber-III Student-Management-System HTTP POST Request update.php improper authorization

A vulnerability was determined in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. This affects an unknown function of the file /viva/update.php of the component HTTP POST Request Handler. This manipulation of the argument Name causes improper authorization. It ...

CVE-2026-5642

Cyber-III Student-Management-System is affected up to commit 1a938fa61e9f735078e9b291d2e6215b4942af3f. The vulnerability lies in the HTTP POST Request Handler for /viva/update.php where manipulating the argument Name causes improper authorization. It can be initiated remotely and an exploit has b...

Server-side Request Forgery (SSRF)

Overview gpt-researcher is a GPT Researcher is an autonomous agent designed for comprehensive web research on any task Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the ws Endpoint component when processing the sourceurls argument. An attacker can access...

CVE-2026-31409 ksmbd: unset conn->binding on failed binding request

In the Linux kernel, the following vulnerability has been resolved: ksmbd: unset conn-binding on failed binding request When a multichannel SMB2SESSIONSETUP request with SMB2SESSIONREQFLAGBINDING fails ksmbd sets conn-binding = true but never clears it on the error path. This leaves the connectio...

EUVD-2026-19164

A vulnerability was detected in kalcaddle kodbox up to 1.64. This affects an unknown function of the component shareMake/shareCheck. Performing a manipulation of the argument siteFrom/siteTo results in server-side request forgery. The attack is possible to be carried out remotely. The complexity ...

CVE-2026-5623

A vulnerability was identified in hcengineering Huly Platform 0.7.382. This affects an unknown part of the file server/front/src/index.ts of the component Import Endpoint. Such manipulation leads to server-side request forgery. The attack can be launched remotely. The exploit is publicly availabl...