MAL-2026-4404 Malicious code in @loans/vehicles-api (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 23e2b702fc2de01ebe69a6d2baa4766782db91842f096c04b4b5d019105cd91b @loans/vehicles-api is a dependency-confusion package targeting an internal @loans npm scope claimed homepage docs.loans.io, README directs users to ...

Malicious code in wml-core (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 46afe229d6efe1ef10d025302ed21e5c2c44bdd772c8fbb28d037cb1215c84ba [email protected] is a dependency-confusion package targeting an internal wml- namespace, published with an inflated version 99.0.1 to win npm resoluti...

MAL-2026-4731 Malicious code in wml-core (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 46afe229d6efe1ef10d025302ed21e5c2c44bdd772c8fbb28d037cb1215c84ba [email protected] is a dependency-confusion package targeting an internal wml- namespace, published with an inflated version 99.0.1 to win npm resoluti...

EUVD-2018-21897

Softneta MedDream PACS Server Premium 6.7.1.1 contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the path parameter. Attackers can send requests to nocache.php with encoded backslash sequences to traverse directories and acce...

MAL-2026-4587 Malicious code in intl-ads (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c7e29be11c53c137c2a24258ae423cf422fefcaad06183d67aa5c895a8fe4801 On npm install, the package's scripts.preinstall runs poc.js which collects hostname, username, full network configuration ipconfig/ip a/resolv.conf,...

MAL-2026-4688 Malicious code in tempo-shared-modules (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bc05637e4f67c7a00ac3b790680f46174243df9c2740a161a029d4b266a79839 On npm install, the preinstall script poc.js collects host identity hostname, username, OS/platform, network configuration ipconfig / ip a /...

Malicious code in tempo-shared-modules (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bc05637e4f67c7a00ac3b790680f46174243df9c2740a161a029d4b266a79839 On npm install, the preinstall script poc.js collects host identity hostname, username, OS/platform, network configuration ipconfig / ip a /...

Malicious code in claude-channel-imessage (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9751c370c062cb40bccb874f46679ad3ca8ba9d3b49d0d8ba1f924d9582e53a3 On npm install, postinstall.js executes whoami and id, reads os.hostname, os.platform, process.cwd, and the CI, GITHUBREPOSITORY, and NODEENV...

EUVD-2026-31674

A vulnerability was found in Totolink A8000RU 7.1cu.643b20200521. Impacted is the function setOpenVpnCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. The manipulation of the argument enabled results in os command injection. The attack can be executed remotely. The...

EUVD-2026-31666

A weakness has been identified in code-projects Employee Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /process/applyleaveprocess.php. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has...

Exploit for CVE-2026-38422

CVE-2026-38422: Remote Code Execution via Combined Buffer Over...

CVE-2026-9445 SourceCodester Simple POS and Inventory System File Extension addproduct.php unrestricted upload

A flaw has been found in SourceCodester Simple POS and Inventory System 1.0. Impacted is an unknown function of the file /admin/addproduct.php of the component File Extension Handler. This manipulation of the argument image causes unrestricted upload. Remote exploitation of the attack is possible...

CVE-2026-9444

A vulnerability was detected in SourceCodester Simple POS and Inventory System 1.0. This issue affects the function delete of the file /admin/deleteproduct.php of the component GET Parameter Handler. The manipulation of the argument ID results in sql injection. The attack may be launched remotely...

CVE-2026-40016

A flaw was found in Dovecot. A remote or local attacker could upload a malicious Sieve script through the ManageSieve service, or locally, to bypass configured CPU time limits for Sieve scripts. This allows the attacker to consume excessive server resources, leading to a degradation of server...

EUVD-2026-31643

A vulnerability was detected in Totolink A8000RU 7.1cu.643b20200521. The affected element is the function setQosCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Performing a manipulation of the argument enable results in os command injection. Remote exploitation of...

CVE-2026-9433 Totolink A8000RU Web Management cstecgi.cgi setMacFilterRules os command injection

A weakness has been identified in Totolink A8000RU 7.1cu.643b20200521. This issue affects the function setMacFilterRules of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. This manipulation of the argument enable causes os command injection. The attack may be initiated...

EUVD-2026-31624

A vulnerability was determined in KLiK SocialMediaWebsite 1.0. This vulnerability affects the function uniqid of the file upload.inc.php of the component File Handler. This manipulation causes unrestricted upload. The attack can be initiated remotely. The exploit has been publicly disclosed and m...

CVE-2026-6059

A cross-site scripting vulnerability exists in Aterm. Arbitrary scripts may be executed in the web browser of a user accessing the web management interface via adjacent network...

CVE-2026-9414

A security flaw has been discovered in SourceCodester Indian Invoicing System up to 0.x/1.0. The impacted element is an unknown function of the file /Invoicing/addorder.php of the component Invoice Template Render Database-Backed. The manipulation of the argument customername results in cross sit...

Malicious code in pylogkt (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector aa1c9e5bf0ffd994f076a4a76395b5bcccd2716229439910912bd49aaf52f903 The package masquerades as a logging utility but every call to its logging API log.info/debug/etc triggers Logger.log, which on macOS hosts paths...