13061 matches found

Nuclei
added 2 days ago | 103 views

Dahua IPC/VTH/VTO - Authentication Bypass

The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets. id: CVE-2021-33045 info: name: Dahua IPC/VTH/VTO - Authentication Bypass author: phantomowl severity:...

10 CVSS | 7.1 AI score | 0.94171 EPSS
Exploits: 7 | References: 2
Nuclei
added 3 days ago | 164 views

MOVEit Transfer - Remote Code Execution

In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database...

9.8 CVSS | 7.4 AI score | 0.94254 EPSS
Exploits: 14 | References: 5
Nuclei
added 3 days ago | 1334 views

Gitea 1.1.0 - 1.12.5 - Remote Code Execution

Gitea 1.1.0 through 1.12.5 is susceptible to authenticated remote code execution, via the git hook functionality, in customer environments where the documentation is not understood e.g., one viewpoint is that the dangerousness of this feature should be documented immediately above the...

7.2 CVSS | 7.8 AI score | 0.93529 EPSS
Exploits: 12 | References: 5
OSV
added 3 days ago | 9 views

ASB-A-350456241

In multiple locations, there is a possible way to reveal images across users due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation...

7.8 CVSS | 5.9 AI score | 0.0006 EPSS
Exploits: 0 | References: 1
OSSF Malicious Packages
added 6 days ago | 6 views

Malicious code in ota_web_admin (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 2724185590a9671481ff3ac84c4046cb7b1841b78c7872660ff5ddf32fc21309 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

5.8 AI score
Exploits: 0 | References: 1
Packet Storm News
added 2026/04/14 12:0 a.m. | 2 views

LogicEval: A Systematic Framework for Evaluating Automated Repair Techniques for Logical Vulnerabilities in Real-World Software

Logical vulnerabilities in software stem from flaws in program logic rather than memory safety, which can lead to critical security failures. Although existing automated program repair techniques primarily focus on repairing memory corruption vulnerabilities, they struggle with logical...

5.9 AI score
Exploits: 0
CNNVD
added 2026/04/13 12:0 a.m. | 3 views

HCL DevOps Velocity Security Vulnerability

HCL DevOps Velocity is a pipeline orchestration and management tool used by HCL Company in India. Versions of HCL DevOps Velocity prior to 5.1.7 contained security vulnerabilities. These vulnerabilities were due to improper implementation of rate-limiting mechanisms for login attempts, which coul...

6.8 CVSS | 5.8 AI score | 0.00035 EPSS
Exploits: 0 | References: 1
The Hacker News
added 2026/04/08 9:16 a.m. | 9 views

Anthropic's Claude Mythos Finds Thousands of Zero-Day Flaws Across Major Systems

Artificial Intelligence (AI) company Anthropic announced a new cybersecurity initiative called Project Glasswing that will use a preview version of its new frontier model, Claude Mythos, to find and address security vulnerabilities. The model will be used by a small set of organizations, including...

6 AI score
Exploits: 0
Packet Storm News
added 2026/04/08 12:0 a.m. | 0 views

Vulnerability Abundance: A Formal Proof of Infinite Vulnerabilities in Code

We present a constructive proof that a single C program, the Vulnerability Factory, admits a countably infinite set of distinct, independently CVE-assignable software vulnerabilities. We formalise the argument using elementary set theory, verify it against MITRE's CVE Numbering Authority counting...

5.8 AI score
Exploits: 0
MSRC
added 2026/04/07 12:0 a.m. | 4 views

Strengthening secure software at global scale: How MSRC is evolving with AI

Cybersecurity has always been a race between defenders and attackers, constrained by human time, attention, and scale. What is changing now is the level of capability available to apply security fundamentals with far greater reach and speed...

5.8 AI score
Exploits: 0
vulnersOsv
added 2026/04/02 9:22 p.m. | 2 views

@agentholdings/agent-passport (>=0.1.0 <=0.1.5), @chrysb/alphaclaw (>=0.8.3 <=0.9.0-beta.7) +12 more potentially affected by CVE-2026-41302 via openclaw (>=2026.3.22 <=2026.3.28)

openclaw NPM version =2026.3.22, =0.1.0, =0.8.3, =0.1.0, =2026.3.25, =2026.3.24-3, =0.14.39, =0.1.1, =2.0.1, =0.0.7, =0.14.6, =0.15.0 - tokaroo-openclaw-provider =0.1.1 Source cves: CVE-2026-41302 Source advisory: SNYK:JS-OPENCLAW-15901925...

7.6 CVSS | 5.8 AI score | 0.00043 EPSS
Exploits: 0
vulnersOsv
added 2026/03/27 10:37 p.m. | 1 view

@agentholdings/agent-passport (>=0.1.0 <=0.1.5), @chrysb/alphaclaw (=0.8.3-beta.1) +10 more potentially affected by CVE-2026-35628 via openclaw (>=2026.3.22 <=2026.3.24)

openclaw NPM version =2026.3.22, =0.1.0, =2026.3.25, =2026.3.24-3, =0.14.39, =0.1.1, =2.0.1, =0.0.7, =0.14.6, =0.15.0 Source cves: CVE-2026-35628 Source advisory: SNYK:JS-OPENCLAW-15797940...

6.5 CVSS | 5.8 AI score | 0.00071 EPSS
Exploits: 0
vulnersOsv
added 2026/03/18 5:26 p.m. | 1 view

0.edsql (>=1.0.49 <=1.0.50), 10secondsofcode-custom (=1.0.0) +1925 more potentially affected by CVE-2026-33151 via socket.io-parser (>=4.0.1-rc1 <=4.2.5)

socket.io-parser NPM version =4.0.1-rc1, =1.0.49, =1.0.0, =0.0.28, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =1.0.1, =0.8.2, =1.0.0, =0.1.13, =0.0.4, =0.0.9 and more Source cves: CVE-2026-33151 Source advisory: OSV:GHSA-677M-J7P3-52F9...

8.7 CVSS | 5.8 AI score | 0.00051 EPSS
Exploits: 0
OSSF Malicious Packages
added 2026/02/06 2:7 a.m. | 5 views

Malicious code in adobe_pipeline_test (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f7e438937c9c04fd06645a505f5bd509ee3c1fa942be02cefa881023f849b781 The package adobepipelinetest was found to contain malicious code...

5.3 AI score
Exploits: 0
Chainguard
added 2026/01/31 1:17 a.m. | 4 views

GHSA-RW66-G8V8-WCWH vulnerabilities

Vulnerabilities for packages: chromium...

5.9 AI score
Exploits: 0
GithubExploit
added 2026/01/26 7:39 a.m. | 121 views

Secure-Programming-and-Exploiting-Vulnerabilities

Secure-P...

5.9 AI score
Exploits: 0
OSSF Malicious Packages
added 2026/01/23 1:13 a.m. | 8 views

Malicious code in translation-note (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e07633850d68301541c30e7f731a444071e400f71083928dca6418a9a59c769a The package translation-note was found to contain malicious code. Source: ghsa-malware 95cfe5df95e94bc56327c2241fd1d850ee8bae580cdecfae84ee6f81f09150...

5.8 AI score
Exploits: 0 | References: 1
OSV
added 2026/01/16 7:16 p.m. | 3 views

DEBIAN-CVE-2025-62291

In the eap-mschapv2 plugin client-side in strongSwan before 6.0.3, a malicious EAP-MSCHAPv2 server can send a crafted message of size 6 through 8, and cause an integer underflow that potentially results in a heap-based buffer overflow...

8.1 CVSS | 5.7 AI score | 0.00016 EPSS
Exploits: 0 | References: 1
OSSF Malicious Packages
added 2026/01/16 12:10 a.m. | 6 views

Malicious code in vue_frontend_rpc (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 37b3b39f0c20a8dd65bccdba671ecc5761e03146f454226847e982c424b8c25b The package vuefrontendrpc was found to contain malicious code. Source: ghsa-malware 30e31020ae5911a45b568d33238a4785bb2149dc1a8b474ac220aacb60546551...

5.5 AI score
Exploits: 0 | References: 1
RedhatCVE
added 2026/01/09 12:34 p.m. | 4 views

CVE-2023-45055

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in InspireUI MStore API allows SQL Injection. This issue affects MStore API: from n/a through 4.0.6...

9.8 CVSS | 8.8 AI score | 0.00147 EPSS
Exploits: 0 | References: 1