277 matches found
PYSEC-2026-260 Aim Web API vulnerable to Remote Code Execution
A critical Remote Code Execution RCE vulnerability was identified in the aimhubio/aim project, specifically within the /api/runs/search/run/ endpoint, affecting versions = 3.0.0. The vulnerability resides in the runsearchapi function of the aim/web/api/runs/views.py file, where improper restricti...
MAL-2026-6513 Malicious code in dtxto1ols (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 926fc822a2a507fafa6d2e1bb02a9b2bada7d89d3042bd3f0cac0ba2fd7c1991 package.json declares a postinstall script that runs automatically on npm install. The script performs filesystem reconnaissance find / -type f...
Astra Linux – Vulnerability found in Linux 6.1, Linux 6.12
In the Linux kernel, the following vulnerability has been resolved: fs: ntfs3: fixed an infinite loop in attrloadrunsrange when there are inconsistencies in metadata. We have identified a bug in the ntfs3 file system where a malformed NTFS image can cause an infinite loop. This occurs when an...
Astra Linux – Vulnerability found in Linux 5.10, Linux 5.15
In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Add null pointer check to attrloadrunsvcn Some metadata files are handled before MFT. This adds a null pointer check for some corner cases that could lead to NPD while reading these metadata files for a malformed NTFS...
Malicious code in dispatch-internal-plugins (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 5993e79eab55ecc24ada6a4bce88f580c958499d51d0d7472e74aad904648964 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...
Malicious code in fastgptmini (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4da10d62527ca4b69f4458b6a01c77f01af42c5a1631d5cc6f207070d1ade20d setup.py fetches an opaque file from https://tmpfiles.org/dl/wJwhUXDhUK6M/zvgfsj.txt an anonymous, throwaway file-sharing host during pip install,...
MAL-2026-5620 Malicious code in telebot-server (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3d3c49bb558149b55f90b708ff47e24f6f856a88abb4b2ed477633c3df43d4e2 The package advertises itself as a configurable Telegram bot server README and.env.example reference TELEGRAMBOTTOKEN and ALLOWEDUSERIDS, but the cod...
Malicious code in icinga (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fbedb312e9cfe0f5cc7783487adc963f142ebcaefa0fb9305a9a535f373b052d PyPI package 'icinga' at version 99.1.0 is a dependency-confusion / typosquat lure against the Icinga monitoring project. It ships no real...
CVE-2026-7439
AgentFlow's local web API accepts non-JSON content types on POST /api/runs and POST /api/runs/validate endpoints without enforcing application/json validation, allowing attackers to bypass trust-boundary enforcement on sensitive operations. Attackers can exploit this content-type validation...
CVE-2026-4055
Mattermost versions 11.5.x = 11.5.1 fail to validate team-level runcreate permission against the target team when creating a playbook run which allows an authenticated team member to create runs in teams where they lack permission via specifying a different team ID in the run creation API request...
CVE-2026-7466
AgentFlow contains an arbitrary code execution vulnerability that allows attackers to execute local Python pipeline files by supplying a user-controlled pipelinepath parameter to the POST /api/runs and POST /api/runs/validate endpoints. Attackers can induce requests to the local AgentFlow API to...
BIT-AIRFLOW-2026-41014 Apache Airflow: per-DAG RBAC bypass on /ui/partitioned_dag_runs endpoints
The partitioneddagruns endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. An authenticated UI/API user with global Asset:read permission could enumerate partition run state, schedule configuration, and asset wiring for Dags they were not authorized to...
EUVD-2026-34165
Version 3.0.7 of the Securly Chrome Extension dynamically registers content13.min.js as a content script via chrome.scripting.registerContentScripts at runtime. This script is NOT declared in manifest.json and bypasses Chrome Web Store static security review. It runs on all URLs and immediately...
PT-2026-45951
Name of the Vulnerable Software and Affected Versions Python affected versions not specified Description The unicodedata.normalize function can consume excessive CPU time when processing specially crafted Unicode input. This occurs when the input contains long sequences of combining characters wi...
CVE-2026-41014
The partitioneddagruns endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. An authenticated UI/API user with global Asset:read permission could enumerate partition run state, schedule configuration, and asset wiring for Dags they were not authorized to...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization. The partitioneddagruns endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. An authenticated UI/API user with global Asset:read permission could enumerate partition run...
CVE-2026-41014
The partitioneddagruns endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. An authenticated UI/API user with global Asset:read permission could enumerate partition run state, schedule configuration, and asset wiring for Dags they were not authorized to...
PYSEC-0000-CVE-2026-41014
The partitioneddagruns endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. An authenticated UI/API user with global Asset:read permission could enumerate partition run state, schedule configuration, and asset wiring for Dags they were not authorized to...
PYSEC-2026-182
The partitioneddagruns endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. An authenticated UI/API user with global Asset:read permission could enumerate partition run state, schedule configuration, and asset wiring for Dags they were not authorized to...
PYSEC-2026-182
The partitioneddagruns endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. An authenticated UI/API user with global Asset:read permission could enumerate partition run state, schedule configuration, and asset wiring for Dags they were not authorized to...