MAL-2026-3677 Malicious code in 8oo (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8c949ba1ac1cd3a6c96d3f1fc8c32cdc64cb9474fa07dd6633ebf4f69073a495 The package's main entry index.js executes an IIFE at require time that loads 66o.js, which replaces the global console with a Proxy. Every intercept...

CVE-2026-41646

Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei's JavaScript protocol runtime allows JavaScript templates to read local .js and .json files through the require function, bypassing the default local file acce...

CVE-2026-41646

Summary (CVE-2026-41646) : Nuclei prior to 3.8.0 is vulnerable where the JavaScript protocol runtime allows templates to read local .js/.json files via the require() function, bypassing the local-file-access restriction. Affected versions range from 3.0.0 up to, but not including, 3.8.0. The issu...

CVE-2026-41646 Nuclei: Local File Read via require() Module Loader Bypass

Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei's JavaScript protocol runtime allows JavaScript templates to read local .js and .json files through the require function, bypassing the default local file acce...

CVE-2026-41646

Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei's JavaScript protocol runtime allows JavaScript templates to read local .js and .json files through the require function, bypassing the default local file acce...

CVE-2026-41646 Nuclei: Local File Read via require() Module Loader Bypass

Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei's JavaScript protocol runtime allows JavaScript templates to read local .js and .json files through the require function, bypassing the default local file acce...

Nuclei 访问控制错误漏洞

Nuclei is a fast-customizable vulnerability scanner based on simple YAML, open-sourced by ProjectDiscovery. In versions 3.0.0 to 3.8.0 of Nuclei, there was an access control vulnerability. This vulnerability stemmed from the JavaScript protocol’s runtime feature, which allowed reading of local.js...

vm2 NodeVM `nesting: true` bypasses `require: false` allowing sandbox escape and arbitrary OS command execution

Summary When a NodeVM is created with nesting: true, sandbox code can unconditionally require'vm2' regardless of the outer VM's require configuration — including require: false. With access to vm2, the sandbox constructs a new inner NodeVM with its own unrestricted require settings and executes...

Improper Isolation or Compartmentalization

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization through the NodeVM constructor in lib/nodevm.js. An attacker can run host commands when the VM is set up...

GHSA-8HG8-63C5-GWMX vm2 NodeVM `nesting: true` bypasses `require: false` allowing sandbox escape and arbitrary OS command execution

Summary When a NodeVM is created with nesting: true, sandbox code can unconditionally require'vm2' regardless of the outer VM's require configuration — including require: false. With access to vm2, the sandbox constructs a new inner NodeVM with its own unrestricted require settings and executes...

Improper Isolation or Compartmentalization

Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization through the NodeVM constructor in lib/nodevm.js. An attacker can run host commands when th...

GHSA-CP6G-6699-WX9C vm2 has a NodeVM require.root bypass via symlink traversal that allows sandbox escape

Summary NodeVM's require.root path restriction can be bypassed using filesystem symlinks, allowing sandboxed code to load modules from outside the allowed root directory in host context. Because path validation uses path.resolve which does not dereference symlinks but module loading uses Node's...

vm2 has a NodeVM require.root bypass via symlink traversal that allows sandbox escape

Summary NodeVM's require.root path restriction can be bypassed using filesystem symlinks, allowing sandboxed code to load modules from outside the allowed root directory in host context. Because path validation uses path.resolve which does not dereference symlinks but module loading uses Node's...

GHSA-4FM3-GGG2-C6QX AzuraCast's Missing RequireInternalConnection on Liquidsoap API Allows Low-Privilege Metadata Injection and Broadcast Disruption

Summary The /api/internal/stationid/liquidsoap/action endpoint is accessible from the public web interface because it lacks the RequireInternalConnection middleware that protects other internal endpoints /sftp-auth, /sftp-event. Combined with a logic flaw where the $asAutoDj flag is set based on...

MAL-2026-3182 Malicious code in redeem-onchain-sdk (npm)

redeem-onchain-sdk is a malicious npm package impersonating a Polymarket on-chain SDK. It collects SSH keys, AWS credentials, .npmrc tokens, Docker auth, Chrome saved logins, .env files, and a month of git commit history, then ships everything over a raw TCP socket to an AWS-hosted C2. Two trigge...

CLSA-2026-1777445542 libssh2: Fix of 2 CVEs

CVE-2019-3858: fix zero-byte allocation in sftppacketread - CVE-2019-3859: fix out-of-bounds reads in libssh2packetrequire...

CLSA-2026-1777036898 libssh2: Fix of 2 CVEs

CVE-2019-3858: fix zero-byte allocation in sftppacketread - CVE-2019-3859: fix out-of-bounds reads in libssh2packetrequire...

GHSA-H829-5CG7-6HFF gitverify has improper tag signature verification

gitverify is still a prototype. Impact The bug is related to requireSignedTags which is on by default: an unsigned annotated tag would pass the verification. The commit pointed to by the tag would still have to be signed by a maintainer or a contributor. Patches Since the initial commit, fixed in...

XML Injection

Overview @xmldom/xmldom is a javascript ponyfill to provide the following APIs that are present in modern browsers to other runtimes. Since version 0.7.0 this package is published to npm as @xmldom/xmldom and no longer as xmldom Affected versions of this package are vulnerable to XML Injection vi...

XML Injection

Overview org.webjars.npm:xmldom is an A pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. Affected versions of this package are vulnerable to XML Injection via the createProcessingInstruction function. An attacker can inject arbitrary XML nodes into the...