12 matches found
PT-2026-39410
Name of the Vulnerable Software and Affected Versions: Next.js versions 10.0.0 through 15.5.15; Next.js versions 16.0.0 through 16.2.4. Description: When self-hosting with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size...
PT-2026-39412
Name of the Vulnerable Software and Affected Versions: Next.js versions 13.0.0 through 15.5.15; Next.js versions 16.0.0 through 16.2.4. Description: Applications using beforeInteractive scripts combined with untrusted content are susceptible to cross-site scripting (XSS), a flaw where malicious scripts...
PT-2026-39409
Name of the Vulnerable Software and Affected Versions: Next.js versions 15.2.0 through 15.5.15; Next.js versions 16.0.0 through 16.2.4. Description: App Router applications using middleware or proxy-based authorization checks may allow unauthorized access via transport-specific route variants used fo...
Malicious code in paypal-payouts-bridge (npm)
Malicious npm package published by the microsop threat actor as part of a dependency-confusion campaign that impersonates internal tooling at Microsoft, Google Cloud, and PayPal, using inflated semver values (e.g. 99.9.x, 100.1.x) to win npm resolution against private internal packages. All packages...
MAL-2026-2961 Malicious code in apple-internal-security-poc-frank (npm)
Source: amazon-inspector 10f171ab8af350f288bde3dca0a4c5741b840ed376b0022602322fd7b8b6341f The package apple-internal-security-poc-frank was found to contain malicious code. Source: ghsa-malware...
exploit-poc
Node.js Web Server Exploit PoC: security vulnerabilities that can occur in a Node.js web server...
Olevmedia Shortcodes <= 1.1.9 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC button style='"...
U.S. Dept Of Defense: Sensitive Data Exposure at https://█████████
Sensitive data exposure was discovered in an endpoint of a website, which contained AWS S3 credentials, PATH, IP, and PORTs. This could have allowed an attacker to gain access to sensitive information on the AWS account or perform arbitrary modifications on the AWS resources...
MAL-2022-5995 Malicious code in security-poc (npm)
Source: ghsa-malware 43c2fd7d3d460971c10e4ccff14c1417dfed5d21cc0db92939e491a4a58c4616 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
RSS for Yandex Turbo <= 1.30 - Authenticated Stored XSS
The plugin does not sanitise or escape some of its settings before saving and outputting them in the admin dashboard, leading to an Authenticated Stored Cross-Site Scripting issue even when the unfiltered_html capability is disallowed. Vulnerable parameters: &ytnetw=, &ytnetwspan=, &ytfeedbacknetw=...
Openscrutin 1.03 Remote / Local File Inclusion
Openscrutin 1.03 RFI/LFI Multiple File Include Vulnerability + Openscrutin 1.03 RFI/LFI Multiple File Include Vulnerability...
imageshack-poc.txt
suntzu.BuildSlideShow "file:///c:\xpwallpaperglass.jpg","Big",1,"uhuhinterestingprivatethings","Fade","White" suntzu.BuildSlideShow "file:///c:\boot.ini", "Big",1,"uhuhinterestingpriv...