70 matches found
MAL-2026-4412 Malicious code in @onerjs/procedural-textures (npm)
Source: amazon-inspector 0986739ab06b1514203d94938604b093b9ddfa2126a452ae0cc92795123a153a. Package is published as @onerjs/procedural-textures but its metadata identifies it as the Babylon.js Procedural Textures Library: package.json declar...
Mattermost Server 11.5.x < 11.5.2 Missing Authorization (MMSA-2026-00645)
The version of Mattermost Server installed on the remote host is affected by a vulnerability as referenced in the MMSA-2026-00645 advisory. - Mattermost versions 11.5.x <= 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an authenticated attacker t...
Mattermost doesn't verify channel membership when processing AI-assisted message rewrites
Mattermost versions 11.5.x <= 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an authenticated attacker to read the content of threads in private channels and direct messages they do not have access to via a crafted request to the post rewrite...
EUVD-2026-30753
Mattermost versions 11.5.x <= 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an authenticated attacker to read the content of threads in private channels and direct messages they do not have access to via a crafted request to the post rewrite...
CVE-2026-5163
Mattermost versions 11.5.x <= 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an authenticated attacker to read the content of threads in private channels and direct messages they do not have access to via a crafted request to the post rewrite...
PT-2026-41655
Mattermost versions 11.5.x <= 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an authenticated attacker to read the content of threads in private channels and direct messages they do not have access to via a crafted request to the post rewrite...
HTTP Request Smuggling
Next.js is vulnerable to HTTP Request Smuggling. The vulnerability is due to improper handling of Transfer-Encoding: chunked and Content-Length headers during proxy rewrites, which allows an attacker to craft malicious DELETE/OPTIONS requests and smuggle unauthorized requests to unintended backen...
Next.js Framework 9.5.x < 15.5.3 / 16.x < 16.1.7 HTTP Request Smuggling (GHSA-ggv3-7p47-pfv8)
The Next.js Framework on the remote host is affected by an HTTP request smuggling vulnerability: - A vulnerability exists in Next.js proxy rewrites where a crafted DELETE/OPTIONS request using Transfer-Encoding: chunked could trigger request boundary disagreement between the proxy and backend. An...
CVE-2026-29057 Next.js: HTTP request smuggling in rewrites
Next.js is a React framework for building full-stack web applications. Starting in version 9.5.0 and prior to versions 15.5.13 and 16.1.7, when Next.js rewrites proxy traffic to an external backend, a crafted DELETE/OPTIONS request using Transfer-Encoding: chunked could trigger request boundary...
CVE-2026-29057
Summary of CVE-2026-29057 (Next.js): An HTTP request smuggling flaw exists in Next.js when rewrites proxy traffic to an external backend. In affected versions (starting in 9.5.0 and prior to 15.5.13 and 16.1.7), a crafted DELETE/OPTIONS request using Transfer-Encoding: chunked could cause a bound...
EUVD-2026-12704
Next.js: HTTP request smuggling in rewrites...
Next.js: HTTP request smuggling in rewrites
Summary When Next.js rewrites proxy traffic to an external backend, a crafted DELETE/OPTIONS request using Transfer-Encoding: chunked could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes. Impact An attacker could...
GHSA-GGV3-7P47-PFV8 Next.js: HTTP request smuggling in rewrites
Summary When Next.js rewrites proxy traffic to an external backend, a crafted DELETE/OPTIONS request using Transfer-Encoding: chunked could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes. Impact An attacker could...
PT-2026-25972
Name of the Vulnerable Software and Affected Versions Next.js versions 9.5.0 through 15.5.13 and 16.1.7 Description Next.js, a React framework, is affected by an issue where crafted DELETE/OPTIONS requests using Transfer-Encoding: chunked can cause request boundary disagreement between a proxy an...
OPENSUSE-RU-2026:20161-1 Recommended update for hauler
This update for hauler fixes the following issues: Changes in hauler: - Update to version 1.4.1 (bsc1256546, CVE-2026-22772): fixed typos for containerd imports 493; fix and support containerd imports of hauls 492; bump github.com/sigstore/fulcio 489 - Update to version 1.4.0: added/updated logging f...
Linux kernel security vulnerability
Linux kernel is the kernel used by Linux, the open source operating system of the Linux Foundation in the United States. A security vulnerability exists in Linux kernel that stems from btrfs partition skipping splits and logical rewrites, which could lead to null pointer dereferencing...
MAL-2025-183601 Malicious code in lomi-ifus-ugofaliuafu (npm)
Source: amazon-inspector e49351929bc0abd492df0ebdb9ee16dde5d3b752f4db0c65a89a129612179055. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-173257 Malicious code in buis-sunia-nudanif (npm)
Source: amazon-inspector 4b4c4547b5c0e03a80dd581fa0cf1c2ff5690339d3fa043140e73bc26a41e441. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in poglymer-ogaih-afgagi (npm)
Source: amazon-inspector 1637202adfcc19982900f3392cb3e30f8d16523f585da41a0a67567e2330b93d. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...