CVE-2026-10796 nvm executes commands from a malicious Node.js mirror's version strings

nvm Node Version Manager through 0.40.4 executes arbitrary commands from version strings supplied by the configured Node.js/io.js mirror. Commands such as nvm install read the available versions from the mirror's index.tab and use the selected version, without sanitization, to build download URLs...

Mongo-Express - Remote Code Execution

Mongo-Express before 1.0.0 is susceptible to remote code execution because it uses safer-eval to validate user supplied javascript. Unfortunately safer-eval sandboxing capabilities are easily bypassed leading to remote code execution in the context of the node server. id: CVE-2020-24391 info: nam...

PT-2026-42752

This release brings a built-in Markdown editor, with both visual and source modes, plus support for tables, task lists, images, code blocks, file locking, and unsaved-change protection. It also adds optional trash retention, storage quota synchronization via LDAP/OIDC, improved file editing and...

Astra Linux - уязвимость в ghostscript

A issue was discovered in Artifex Ghostscript prior to version 10.03.1. In the file psi/zmisc1.c, when SAFER mode is used, it allows the use of eexec seeds that deviate from the Type 1 standard...

Astra Linux - уязвимость в ghostscript

In Artifex Ghostscript version 10.01.2, the gdevijs.c file in GhostPDL can lead to remote code execution through crafted PostScript documents. This occurs because the IJS device can be switched, or the IjsServer parameter can be changed, after SAFER has been activated. NOTE: It is a documented ri...

YARA-X 1.16.0

YARA-X is a re-incarnation of YARA, a pattern matching tool designed with malware researchers in mind. This new incarnation intends to be faster, safer and more user-friendly than its predecessor. The ultimate goal of YARA-X is replacing YARA as the default pattern matching tool for malware...

CLSA-2026-1777946242 php: Fix of 13 CVEs

CVE-2018-14883: fix int overflow leading to heap overflow in exifthumbnailextract - CVE-2019-6977: fix imagecolormatch out-of-bounds write on heap in GD - CVE-2019-9022: fix memcpy with negative length via crafted DNS response - CVE-2019-9640: fix invalid read in exifprocessSOFn - CVE-2019-11042:...

Astra Linux - уязвимость в linux, linux-5.10, linux-5.15, linux-6.1

In the Linux kernel, the following vulnerabilities have been resolved: dev/parport: Fixed the array out-of-bounds issue caused by sprintf. The issue was addressed by replacing sprintf with snprintf, resulting in safer data copying and ensuring that the destination buffer is not overflowed. Below ...

Astra Linux - уязвимость в linux, linux-5.15, linux-6.1, linux-5.10

In the Linux kernel, the following vulnerability has been resolved: tls: Separating the handling of no-async decryption requests from async. If we are not using async, the handling is much simpler. There is no reference counting; we simply need to wait for the completion to wake us up and return...

CVE-2026-33620

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.7.8 through v0.8.3 accepted the API token from a token URL query parameter in addition to the Authorization header. When a valid API credential is sent in the URL, it can be exposed through...

YARA-X 1.13.0

YARA-X is a re-incarnation of YARA, a pattern matching tool designed with malware researchers in mind. This new incarnation intends to be faster, safer and more user-friendly than its predecessor. The ultimate goal of YARA-X is replacing YARA as the default pattern matching tool for malware...

YARA-X 1.12.0

YARA-X is a re-incarnation of YARA, a pattern matching tool designed with malware researchers in mind. This new incarnation intends to be faster, safer and more user-friendly than its predecessor. The ultimate goal of YARA-X is replacing YARA as the default pattern matching tool for malware...

MiracleLinux 4 : ghostscript-8.70-23.AXS4.2 (AXSA:2017-1651:03)

The remote MiracleLinux 4 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2017-1651:03 advisory. Ghostscript is a set of software that provides a PostScript interpreter, a set of C procedures the Ghostscript library, which implements the graphics...

MiracleLinux 7 : ghostscript-9.25-2.el7.3 (AXSA:2019-4385:04)

The remote MiracleLinux 7 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2019-4385:04 advisory. ghostscript: -dSAFER escape in .charkeys 701841 CVE-2019-14869 Tenable has extracted the preceding description block directly from the MiracleLinux security...

MiracleLinux 7 : ghostscript-9.25-2.el7.2 (AXSA:2019-4296:03)

The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2019-4296:03 advisory. ghostscript: Safer mode bypass by .forceput exposure in .pdfhookDSCCreator 701445 CVE-2019-14811 ghostscript: Safer mode bypass by .forceput exposur...

MiracleLinux 7 : ghostscript-9.07-31.el7.10 (AXSA:2019-3795:02)

The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2019-3795:02 advisory. Security Fix - Ghostscript superexec PostScript -dSAFER CVE-2019-3835 - GhostscriptDefineResource forceput PostScript -dSAFER CVE-2019-3838...

MiracleLinux 4 : ghostscript-8.70-24.AXS4.2 (AXSA:2018-3430:01)

The remote MiracleLinux 4 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2018-3430:01 advisory. It was discovered that the ghostscript /invalidaccess checks fail under certain conditions. An attacker could possibly exploit this to bypass the -dSAFER...

YARA-X 1.11.0

YARA-X is a re-incarnation of YARA, a pattern matching tool designed with malware researchers in mind. This new incarnation intends to be faster, safer and more user-friendly than its predecessor. The ultimate goal of YARA-X is replacing YARA as the default pattern matching tool for malware...

GHSA-55JH-84JV-8MX8 Lightning Flow Scanner Vulnerable to Code Injection via Unsafe Use of `new Function()` in APIVersion Rule

Impact The APIVersion rule uses new Function to evaluate expression strings. A malicious crafted flow metadata file can cause arbitrary JavaScript execution during scanning. An attacker could execute arbitrary JavaScript during a scan by supplying a malicious expression within rule configuration ...

Neuron MySQLWriteTool allows arbitrary/destructive SQL when exposed to untrusted prompts (agent “footgun”)

Impact MySQLWriteTool executes arbitrary SQL provided by the caller using PDO::prepare + execute without semantic restrictions. This is consistent with the name “write tool”, but in an LLM/agent context it becomes a high-risk capability: prompt injection or indirect prompt manipulation can cause...