HP Poly Voice Unauthenticated Remote Code Execution
CVE-2026-0826 is a critical unauthenticated stack-based buffer overflow vulnerability affecting all models in the VVX series (VVX 150, VVX 250, VVX 350, and VVX 450), as well as three models from the Trio IP Conference series (Trio 8800, Trio 8500, and Trio 8300). A remote attacker can leverage...
CVE-2026-47846
Bitnami Cassandra container images are affected by a retained default superuser vulnerability. When a custom administrator account is configured via the CASSANDRA_USER environment variable, the container initialization script creates the new superuser account but fails to drop the built-in cassand...
EUVD-2026-37932
Bitnami Cassandra container images are affected by a retained default superuser vulnerability. When a custom administrator account is configured via the CASSANDRA_USER environment variable, the container initialization script creates the new superuser account but fails to drop the built-in cassand...
CVE-2026-47846
Bitnami Cassandra container images are affected by a retained default superuser vulnerability: when CASSANDRA_USER is customized, the init script creates a new superuser but may not drop the built-in cassandra account, leaving cassandra:cassandra active as an unintended access path. This can allo...
MAL-2026-6140 Malicious code in @httpactions/strict-uri-encode (npm)
Source: amazon-inspector b90fd30f5d52b139ea7be77aa1782a5339f39355ec7ad532af2fa7a49616ff88. @httpactions/strict-uri-encode impersonates the popular unscoped npm package 'strict-uri-encode' (30M weekly downloads) by republishing the same name...
MAL-2026-6139 Malicious code in @httpactions/encode-url (npm)
Source: amazon-inspector 2e52b15ad9413185c30f84ad7e11e031c74c359e04f5c30ce502b8bc73267d8e. The package ships a single heavily obfuscated index.js that performs no URL-encoding work despite the package name. On require of the declared main,...
GHSA-QQF5-X7MJ-V43P budibase: Database Connector SQL Injections in PostgreSQL, MS SQL, and MySQL
Summary: This advisory covers three distinct SQL Injection vulnerabilities within Budibase's database connectors (PostgreSQL, Microsoft SQL Server, and MySQL). Because user-controlled schema and table configurations are interpolated directly into raw SQL queries without proper escaping or...
crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate
A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the HostnameError.Error function. This flaw, caused by unbounded string concatenation, leads to excessive resource...
GHSA-HXPF-9XVQ-WPH8 netlicensing-mcp: REST Path Traversal Bypasses Token Redaction
Summary: The netlicensinggetproduct MCP tool in netlicensing-mcp interpolates a caller-controlled productnumber argument directly into a REST URL path without any validation. Passing ../token as the product number causes httpx to...
MAL-2026-6138 Malicious code in randpicker (PyPI)
Source: kam193 378d07b700aa25d356594d7b1c42db107def3dbd1cce734e4c1c50b411048eb6. When calling the Email function, the code creates a backdoor script and attempts to achieve persistence. The script connects to a Telegram bot and awaits...
MAL-2026-6121 Malicious code in @gbrlxvi/ts-project-lint (npm)
Source: amazon-inspector 09e070ea98f9c48e77b964b3dacd4d3e7cbd82cf896fc6140ec4c390438debc8. The package's main module index.js (also loaded indirectly by bin/cli.js) reads a hidden binary file lib/.perf.dat, AES-256-CBC-decrypts it with a...
Critical Unauthenticated Arbitrary File Deletion Vulnerability Patched in Avada Builder WordPress Plugin
On May 13th, 2026, we received a submission for a critical Unauthenticated Arbitrary File Deletion vulnerability in Avada Builder, a premium WordPress plugin with an estimated 1,000,000 active installations. This vulnerability makes it possible for unauthenticated attackers to delete arbitrary...