729435 matches found
CVE-2026-9860 Offload, AI & Optimize with Cloudflare Images <= 1.10.2 - Authenticated (Author+) Remote Code Execution via 'api-key' / 'account-id' Parameters in cf_images_do_setup AJAX Action
The Offload, AI & Optimize with Cloudflare Images plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.10.2 via the 'account-id' parameter parameter. This is due to insufficient privilege enforcement on the cfimagesdosetup AJAX handler, which require...
CVE-2026-9860
The Offload, AI & Optimize with Cloudflare Images plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.10.2 via the 'account-id' parameter parameter. This is due to insufficient privilege enforcement on the cfimagesdosetup AJAX handler, which require...
EUVD-2026-37840
The Offload, AI & Optimize with Cloudflare Images plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.10.2 via the 'account-id' parameter parameter. This is due to insufficient privilege enforcement on the cfimagesdosetup AJAX handler, which require...
CVE-2026-9860
The CVE-2026-9860 entry concerns the WordPress plugin “Offload, AI & Optimize with Cloudflare Images” (versions
From package to postinstall payload: Inside the Mastra npm supply chain compromise by Sapphire Sleet
In this article 1. Attack chain overview 1. Discovery and initial indicators 2. Dependency injection: the poisoned package.json 3. Typosquat analysis: easy-day-js 4. Staged delivery pattern 5. Obfuscation and payload analysis 6. TLS bypass to self-deletion 7. Timeline analysis 2. Who is Sapphire...
binary-exploitation-writeup
Binary Exploitation — Buffer Overflow & Format String Attack...
Malicious code in string-tools-be6c (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c725b56cc7e80c178e8d0fca3eceb069e811b979427b6ec99deab6b6f6cab8f7 Package ships a postinstall lifecycle hook node run.js that runs automatically on npm install. The executed script imports os, https, http, and...
MAL-2026-6100 Malicious code in string-tools-be6c (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c725b56cc7e80c178e8d0fca3eceb069e811b979427b6ec99deab6b6f6cab8f7 Package ships a postinstall lifecycle hook node run.js that runs automatically on npm install. The executed script imports os, https, http, and...
Malicious Package
Overview string-tools-be6c is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
EUVD-2026-37809
marimo before 0.23.9 contains a reflected cross-site scripting vulnerability in the notebook page that allows unauthenticated attackers to inject arbitrary JavaScript by exploiting improper escaping of single quotes in the file query parameter reflected into an inline JavaScript string literal...
GHSA-8M59-7XV8-735H marimo contains a reflected cross-site scripting vulnerability in the notebook page
marimo before 0.23.9 contains a reflected cross-site scripting vulnerability in the notebook page that allows unauthenticated attackers to inject arbitrary JavaScript by exploiting improper escaping of single quotes in the file query parameter reflected into an inline JavaScript string literal...
marimo contains a reflected cross-site scripting vulnerability in the notebook page
marimo before 0.23.9 contains a reflected cross-site scripting vulnerability in the notebook page that allows unauthenticated attackers to inject arbitrary JavaScript by exploiting improper escaping of single quotes in the file query parameter reflected into an inline JavaScript string literal...
Credential Exposure
Overview Affected versions of this package are vulnerable to Credential Exposure due to an incorrect transformation string in the encryption configuration process. An attacker can compromise the confidentiality of encrypted data by exploiting the unintended use of weaker padding when OAEP is...
Cleartext Transmission of Sensitive Information
Overview Affected versions of this package are vulnerable to Cleartext Transmission of Sensitive Information in the Sanitizer function of the Environment actuator, which fails to redact sensitive information from configuration keys matching standard .NET patterns such as ConnectionStrings: or...
Cleartext Transmission of Sensitive Information
Overview Steeltoe.Management.Endpoint is a package that provides building blocks for development of .NET applications that integrate with Spring and Spring Boot environments, as well as Cloud Foundry and Kubernetes with first-party support for Tanzu. Affected versions of this package are vulnerab...
CVE-2026-48764
TypeBot is a chatbot builder tool. In versions prior to 3.17.2, SSRF validation is implemented by resolving a hostname once and checking whether the resolved IP belongs to a forbidden range allowing for DNS rebinding bypass. The root cause is a time-of-check to time-of-use gap in the SSRF guard...
PT-2026-50646
Cotonti 1.0.0 master branch, commit f43f1fc3 is vulnerable to stored Cross-Site Scripting in the Personal File Storage PFS module. A folder title pff title is imported with the 'TXT' filter, which does not strip or encode HTML the tag check in cot import is disabled, so an authenticated user can...
D-Link DSL2600U Rule-Based IoT Intrusion Detection System
This is a IoT attack detection script that monitors HTTP request behavior to identify potentially malicious activity against devices such as routers or embedded systems...
PT-2026-50825
Summary signalk-server versions up to and including 2.27.0 contain a Server-Side Request Forgery SSRF vulnerability in three administrative endpoints used for remote Signal K server connection management. The makeRemoteRequest function accepts attacker-controlled host, port, useTLS, and...
PT-2026-50721
TL;DR This vulnerability affects Kirby sites that use the writer field in any blueprint. It was possible to include a scripting link as the target of a link or email link. This link target would then be clickable by the user who entered it. A successful attack commonly requires knowledge of the...