729094 matches found
CVE-2026-44644
CVE-2026-44644 affects liquidjs versions 10.25.7 and earlier. The strip_html filter uses a regex where the catch‑all branch () does not match line terminators, allowing a newline inside a tag (e.g., ) to bypass sanitization. If applications render attacker-controlled input via {{ x | strip_html }...
Malicious code in @array-util/nodepull (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bcafb3a6336948fd12673cfe88d505e2a036afcfb5e9ee5d4b850cf982753d9b @array-util/[email protected] ships a single 19 KB obfuscated index.js as its main entry. On require/import, the IIFE silences process error handlers vi...
MAL-2026-6084 Malicious code in @array-util/nodepull (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bcafb3a6336948fd12673cfe88d505e2a036afcfb5e9ee5d4b850cf982753d9b @array-util/[email protected] ships a single 19 KB obfuscated index.js as its main entry. On require/import, the IIFE silences process error handlers vi...
[slackware-security] openssl
New openssl packages are available for Slackware 15.0 and -current to fix security issues. Here are the details from the Slackware 15.0 ChangeLog: patches/packages/openssl-1.1.1zh-i586-1slack15.0.txz: Upgraded. Apply patch to fix the following security issues: Heap Buffer Over-read in ASN.1 Conte...
CVE-2026-50200 Steeltoe's env sanitizer misses connection strings — leaks embedded DB passwords
Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Management.Endpoint prior to version 4.2.0 and Steeltoe.Management.EndpointCore prior to version 3.4.0, the Sanitizer component in the Environment actuator...
CVE-2026-50200 Steeltoe's env sanitizer misses connection strings — leaks embedded DB passwords
Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Management.Endpoint prior to version 4.2.0 and Steeltoe.Management.EndpointCore prior to version 3.4.0, the Sanitizer component in the Environment actuator...
EUVD-2026-37811
Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Management.Endpoint prior to version 4.2.0 and Steeltoe.Management.EndpointCore prior to version 3.4.0, the Sanitizer component in the Environment actuator...
CVE-2026-50200
The CVE affects Steeltoe’s Environment actuator sanitization for Steeltoe.Management.Endpoint <4.2.0 and Steeltoe.Management.EndpointCore <3.4.0. The Sanitizer uses a suffix-based key match list (default: password, secret, key, token, .credentials. , vcap_services) that does not cover Conne...
MAL-2026-6078 Malicious code in pino-slite (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ea546461f3101a972511a0bb9d66b73849904ad3522724d1670b003e108c11bb pino-slite impersonates the legitimate pino logger README titled 'pino-slite Pino' with badges and homepage pointing to getpino.io, exported function...
Malicious code in pino-slite (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ea546461f3101a972511a0bb9d66b73849904ad3522724d1670b003e108c11bb pino-slite impersonates the legitimate pino logger README titled 'pino-slite Pino' with badges and homepage pointing to getpino.io, exported function...
CVE-2026-54386 marimo < 0.23.9 XSS via file Query Parameter in assets.py
marimo before 0.23.9 contains a reflected cross-site scripting vulnerability in the notebook page that allows unauthenticated attackers to inject arbitrary JavaScript by exploiting improper escaping of single quotes in the file query parameter reflected into an inline JavaScript string literal...
CVE-2026-54386 marimo < 0.23.9 XSS via file Query Parameter in assets.py
marimo before 0.23.9 contains a reflected cross-site scripting vulnerability in the notebook page that allows unauthenticated attackers to inject arbitrary JavaScript by exploiting improper escaping of single quotes in the file query parameter reflected into an inline JavaScript string literal...
CVE-2026-54386
CVE-2026-54386 affects marimo prior to 0.23.9. A reflected XSS in the notebook page arises from improper escaping of single quotes in the file query parameter reflected into an inline JavaScript string. An unauthenticated attacker can craft a link with a payload (notably starting with new ) that ...
DEBIAN-CVE-2026-48821
Shaarli is a personal bookmarking service. Versions 0.16.1 and prior contain a DOM-based Cross-Site Scripting XSS vulnerability in the Thumbnail Synchronizer feature. When an administrator runs the thumbnail update process, malicious bookmark titles are returned via an AJAX response and inserted...
CVE-2026-48821
Shaarli is a personal bookmarking service. Versions 0.16.1 and prior contain a DOM-based Cross-Site Scripting XSS vulnerability in the Thumbnail Synchronizer feature. When an administrator runs the thumbnail update process, malicious bookmark titles are returned via an AJAX response and inserted...
Exploit for Cross-site Scripting in Roundcube Webmail
CVE-2024-42009 — Roundcube Webmail 1.6.6 Stored XSS PoC F...
CVE-2026-48988 markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operations
markdown-it is a Markdown parser. Versions 14.1.1 and below contain a denial-of-service vulnerability when typographer: true is enabled, due to quadratic On^2 processing in the smartquotes rule. The issue stems from repeatedly modifying strings with replaceAt, which performs On slicing and...
CVE-2026-48988 markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operations
markdown-it is a Markdown parser. Versions 14.1.1 and below contain a denial-of-service vulnerability when typographer: true is enabled, due to quadratic On^2 processing in the smartquotes rule. The issue stems from repeatedly modifying strings with replaceAt, which performs On slicing and...
Malicious code in boardflow (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7a7f48df7609edb5bab9d9e572f093994d071165578a58032a69392d62b08b86 On pip install boardflow, setup.py spawns a background thread that fetches http://pooron.org/test.exe over plain HTTP into the OS temp directory and...
MAL-2026-6080 Malicious code in boardflow (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7a7f48df7609edb5bab9d9e572f093994d071165578a58032a69392d62b08b86 On pip install boardflow, setup.py spawns a background thread that fetches http://pooron.org/test.exe over plain HTTP into the OS temp directory and...