@headspinio/appium-roku-driver (>=2.6.1 <=2.7.0), @natlibfi/passport-melinda-aleph (=3.0.3-alpha.1) +2 more potentially affected by CVE-2026-41673 via @xmldom/xmldom (=0.9.0)

@xmldom/xmldom NPM version =0.9.0 is affected by a known vulnerability. The following packages have a transitive dependency on @xmldom/xmldom and may be impacted: - @headspinio/appium-roku-driver =2.6.1, =3.0.0, =1.7.9-beta.3, =1.8.0-beta.2 Source cves: CVE-2026-41673 Source advisory:...

@headspinio/appium-roku-driver (>=2.6.1 <=2.7.0), @natlibfi/passport-melinda-aleph (=3.0.3-alpha.1) +2 more potentially affected by CVE-2026-41674 via @xmldom/xmldom (=0.9.0)

@xmldom/xmldom NPM version =0.9.0 is affected by a known vulnerability. The following packages have a transitive dependency on @xmldom/xmldom and may be impacted: - @headspinio/appium-roku-driver =2.6.1, =3.0.0, =1.7.9-beta.3, =1.8.0-beta.2 Source cves: CVE-2026-41674 Source advisory:...

@headspinio/appium-roku-driver (>=2.6.1 <=2.7.0), @natlibfi/passport-melinda-aleph (=3.0.3-alpha.1) +2 more potentially affected by CVE-2026-41675 via @xmldom/xmldom (=0.9.0)

@xmldom/xmldom NPM version =0.9.0 is affected by a known vulnerability. The following packages have a transitive dependency on @xmldom/xmldom and may be impacted: - @headspinio/appium-roku-driver =2.6.1, =3.0.0, =1.7.9-beta.3, =1.8.0-beta.2 Source cves: CVE-2026-41675 Source advisory:...

@headspinio/appium-roku-driver (>=2.6.1 <=2.7.0), @natlibfi/passport-melinda-aleph (=3.0.3-alpha.1) +2 more potentially affected by CVE-2026-41675 via @xmldom/xmldom (=0.9.0)

@xmldom/xmldom NPM version =0.9.0 is affected by a known vulnerability. The following packages have a transitive dependency on @xmldom/xmldom and may be impacted: - @headspinio/appium-roku-driver =2.6.1, =3.0.0, =1.7.9-beta.3, =1.8.0-beta.2 Source cves: CVE-2026-41675 Source advisory:...

Malicious code in roku-aihub (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 19b48d460fde1b6b9802a2f2b7d93928f89b0474235adc54553971ed4575e5df Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

Malicious Package

Overview purchases-roku is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

MAL-2025-48754 Malicious code in purchases-roku (npm)

The package communicates with a domain associated with malicious activity. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware c429e2a2e9aa0a6cda588f67e61e21c1830f469ed3a4b29f17845326869ba2be Any computer that has this package installed or running should be considered...

Malicious code in purchases-roku (npm)

The package communicates with a domain associated with malicious activity. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware c429e2a2e9aa0a6cda588f67e61e21c1830f469ed3a4b29f17845326869ba2be Any computer that has this package installed or running should be considered...

A week in security (October 13 &#8211; October 19)

Last week on Malwarebytes Labs: Prosper data breach puts 17 million people at risk of identity theft Under the engineering hood: Why Malwarebytes chose WordPress as its CMS Video call app Huddle01 exposed 600K+ user logs Mango discloses data breach at third-party provider Roku accused of selling...

Roku accused of selling children’s data to advertisers and brokers

The state of Florida has accused Roku, which powers many smart TVs and streaming devices, of selling children's data to third parties without their consent. According to the Florida Attorney General James Uthmeier, Roku collected viewing habits, voice recordings, and precise geolocation from kids...

EUVD-2018-3353

Malware in sbrugna...

EUVD-2022-31689

Malicious code in bioql PyPI...

EUVD-2023-58564

Malicious code in bioql PyPI...

CVE-2022-27152

Roku devices running RokuOS v9.4.0 build 4200 or earlier that uses a Realtek WiFi chip is vulnerable to Arbitrary file modification...

MAL-2025-2080 Malicious code in @roku-web-ui/legacy-nav-page-standard-wrapper (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware c0fda134ffeb40092f3455e93def754a1f268e9e072daf6c275e9c40b35b1917 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

CVE-2023-6322

A stack-based buffer overflow vulnerability exists in the message parsing functionality of the Roku Indoor Camera SE version 3.0.2.4679 and Wyze Cam v3 version 4.36.11.5859. A specially crafted message can lead to stack-based buffer overflow. An attacker can make authenticated requests to trigger...

CVE-2023-6322

A stack-based buffer overflow vulnerability exists in the message parsing functionality of the Roku Indoor Camera SE version 3.0.2.4679 and Wyze Cam v3 version 4.36.11.5859. A specially crafted message can lead to stack-based buffer overflow. An attacker can make authenticated requests to trigger...

CVE-2023-6322 Stack-based buffer overflow in message parser functionality

A stack-based buffer overflow vulnerability exists in the message parsing functionality of the Roku Indoor Camera SE version 3.0.2.4679 and Wyze Cam v3 version 4.36.11.5859. A specially crafted message can lead to stack-based buffer overflow. An attacker can make authenticated requests to trigger...

CVE-2023-6322

CVE-2023-6322 affects the Roku Indoor Camera SE (v3.0.2.4679) and Wyze Cam v3 (v4.36.11.5859). The root cause is a stack-based buffer overflow in the message parsing functionality . An attacker who can make authenticated requests can trigger the overflow, potentially leading to impact on confiden...

CVE-2023-6322 Stack-based buffer overflow in message parser functionality

A stack-based buffer overflow vulnerability exists in the message parsing functionality of the Roku Indoor Camera SE version 3.0.2.4679 and Wyze Cam v3 version 4.36.11.5859. A specially crafted message can lead to stack-based buffer overflow. An attacker can make authenticated requests to trigger...