MAL-2026-2298 Malicious code in hiveos-sdk (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 6d040e58dddde324da836a19a41eb5c65698ef869ed3e534f662136f1fb48440 Clones of legitimate libraries with malicious modifications intended to download malicious remote code. The remote script allows executing arbitrary files...

EUVD-2026-17046

A non-administrative user can upload malicious files. When an administrator or the product accesses that file, an arbitrary script may be executed on the administrator's browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life EOL, are affected by the vulnerability as well...

CVE-2026-32979 OpenClaw < 2026.3.11 - Unbound Interpreter and Runtime Commands Bypass in node-host Approval

OpenClaw before 2026.3.11 contains an approval integrity vulnerability allowing attackers to execute rewritten local code by modifying scripts between approval and execution when exact file binding cannot occur. Remote attackers can change approved local scripts before execution to achieve...

[SECURITY] Fedora 43 Update: uv-0.10.12-1.fc43

An extremely fast Python package and project manager, written in Rust. Highlights: =E2=80=A2 A single tool to replace pip, pip-tools, pipx, poetry, pyenv, twi ne, virtualenv, and more. =E2=80=A2 10-100x faster than pip. =E2=80=A2 Provides comprehensive project management, with a universal lockf...

[SECURITY] Fedora 44 Update: uv-0.10.12-1.fc44

An extremely fast Python package and project manager, written in Rust. Highlights: =E2=80=A2 A single tool to replace pip, pip-tools, pipx, poetry, pyenv, twi ne, virtualenv, and more. =E2=80=A2 10-100x faster than pip. =E2=80=A2 Provides comprehensive project management, with a universal lockf...

A Fleet team maintainer can transfer hosts from any team via missing source team authorization

Summary A broken access control vulnerability in Fleet's host transfer API allows a team maintainer to transfer hosts from any team into their own team, bypassing team isolation boundaries. Once transferred, the attacker gains full control over the stolen hosts, including the ability to execute...

CVE-2026-34071

Stirling-PDF is a locally hosted web application that allows you to perform various operations on PDF files. In version 2.7.3, the /api/v1/convert/eml/pdf endpoint with parameter downloadHtml=true returns unsanitized HTML from the email body with Content-Type: text/html. An attacker who sends a...

EUVD-2026-16608

ByteDance Deer-Flow versions prior to commit 5dbb362 contain a stored cross-site scripting vulnerability in the artifacts API that allows attackers to execute arbitrary scripts by uploading malicious HTML or script content as artifacts. Attackers can store malicious content that executes in the...

EUVD-2026-16553

WordPress Plugin "OpenStreetMap" provided by MiKa contains a cross-site scripting vulnerability. On the site with the affected version of the plugin enabled, a logged-in user with a page-creating/editing privilege can embed some malicious script with a crafted HTTP request. When a victim user...

CVE-2026-33559

WordPress Plugin "OpenStreetMap" provided by MiKa contains a cross-site scripting vulnerability. On the site with the affected version of the plugin enabled, a logged-in user with a page-creating/editing privilege can embed some malicious script with a crafted HTTP request. When a victim user...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the web page generation process. An attacker can execute arbitrary scripts in the context of a user's browser by supplying crafted input that is not properly neutralized. Details Cross-site scripting or XSS i...

EUVD-2026-16185

SolarWinds Observability Self-Hosted was found to be affected by a stored cross-site scripting vulnerability, which when exploited, can lead to unintended script execution...

EUVD-2026-16183

SolarWinds Observability Self-Hosted was found to be affected by a stored cross-site scripting vulnerability, which when exploited, can lead to unintended script execution...

EUVD-2025-209057

HCL Aftermarket DPC is affected by Unrestricted File Upload vulnerability, allows attacker to upload and execute malicious scripts, gaining full control over the server...

CVE-2026-28297

SolarWinds Observability Self-Hosted was found to be affected by a stored cross-site scripting vulnerability, which when exploited, can lead to unintended script execution...

CVE-2026-21788

HCL Connections is vulnerable to a cross-site scripting attack where an attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user which leads to executing malicious script code. This may allow the attacker steal cookie-based authentication credential...

CVE-2026-32112

ha-mcp is a Home Assistant MCP Server. Prior to 7.0.0, the ha-mcp OAuth consent form renders user-controlled parameters via Python f-strings with no HTML escaping. An attacker who can reach the OAuth endpoint and convince the server operator to follow a crafted authorization URL could execute...

CVE-2026-32139

Dataease is an open source data visualization analysis tool. In DataEase 2.10.19 and earlier, the static resource upload interface allows SVG uploads. However, backend validation only checks whether the XML is parseable and whether the root node is svg. It does not sanitize active content such as...

CVE-2026-27225

Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they brow...

CVE-2026-28298 SolarWinds Observability Self-Hosted Stored Cross-Site Scripting Vulnerability

SolarWinds Observability Self-Hosted was found to be affected by a stored cross-site scripting vulnerability, which when exploited, can lead to unintended script execution...