
276022 matches found

OSSF Malicious Packages
added 2026/05/19 5:4 p.m. | 10 views

Malicious code in cheaty-sync-bot (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 45b192c71c59ccca1d9cc720372bd29f39eae8b5da4d572cd1e8312d6b57d6b4 cheaty-sync-bot ships a clipboard-sync CLI that hardcodes a single Telegram bot token index.js:10 owned by the package author. There is no...

AI score: 6.3
Exploits: 0 | References: 1
HackRead
added 2026/05/19 4:37 p.m. | 6 views

How Parts Inventory Management Software Fixes Inventory Challenges

Why do maintenance teams struggle? Is it because they lack skills? Or do they need more advanced resources?…...

AI score: 5.8
Exploits: 0
HackRead
added 2026/05/19 3:59 p.m. | 15 views

Pwn2Own Berlin 2026 Closes With $1.3 Million in Zero-Day Payouts

Cybersecurity researchers successfully demonstrated 47 unique zero-day exploits at Pwn2Own Berlin 2026, targeting major enterprise software and AI platforms...

AI score: 5.8
Exploits: 0
vulnersOsv
added 2026/05/19 2:34 p.m. | 4 views

0lever-utils (>=0.0.2 <=0.0.7), 2keys (=0.5.1) +5841 more potentially affected by CVE-2026-45409 via idna (>=2.0.0 <=3.14.0)

idna PYPI version =2.0.0, =0.0.2, =0.0.1a0, =0.0.2, =0.0.6, =0.1.0, =0.1.3, =0.0.3, =19.11.0, =0.2.0rc1, =1.1.0rc1 and more Source cves: CVE-2026-45409 Source advisory: OSV:GHSA-65PC-FJ4G-8RJX...

CVSS: 6.9 | AI score: 6.3 | EPSS: 0.00018
Exploits: 0
Rosalinux
added 2026/05/19 2:0 p.m. | 11 views

Advisory ROSA-SA-2026-3274

software: vim 9.2.0173 WASP: ROSA-CHROME unaffected versions = vim-9.2.0173-1 affected versions vim-9.2.0173-1 CVE-ID: CVE-2026-28417 BDU-ID: 2026-02589 CVE-Crit: HIGH CVE-DESC.: A vulnerability in the vim text editor is related to failure to take measures to neutralize special elements...

CVSS: 7.8 | AI score: 7.1 | EPSS: 0.00017
Exploits: 0
Rosalinux
added 2026/05/19 1:32 p.m. | 8 views

Advisory ROSA-SA-2026-3272

software: harfbuzz 7.0.1 OS: ROSA-CHROME unaffected versions = harfbuzz-7.0.1-3 affected versions harfbuzz-7.0.1-3 CVE-ID: CVE-2026-22693 BDU-ID: None CVE-Crit: MEDIUM CVE-DESC.: A null pointer dereferencing vulnerability in HarfBuzz is related to a lack of validation of the hbmalloc return value...

CVSS: 5.3 | AI score: 5.7 | EPSS: 0.00044
Exploits: 1
Vulnrichment
added 2026/05/19 6:31 a.m. | 6 views

CVE-2026-47315

Improper Check for Unusual or Exceptional Conditions vulnerability in Samsung Open Source Escargot allows Input Data Manipulation. This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3...

CVSS: 5.5 | AI score: 5.8 | EPSS: 0.0001
Exploits: 0 | References: 1
Snyk
added 2026/05/19 1:45 a.m. | 7 views

Missing Authorization

Overview glpi/glpi is a free Asset and IT Management Software package with ITIL Service Desk, licenses tracking and software auditing. Affected versions of this package are vulnerable to Missing Authorization in the export process. An attacker can gain access to the structure of forms they are no...

CVSS: 5.1 | AI score: 5.8 | EPSS: 0.00033
Exploits: 0 | References: 2
OSV
added 2026/05/19 12:16 a.m. | 3 views

UBUNTU-CVE-2026-32312

GLPI is a free asset and IT management software package. In versions 11.0.0 through 11.0.6, an authenticated user with forms READ permission can export the structure of unauthorized forms. This issue has been fixed in version 11.0.7...

CVSS: 5.1 | AI score: 5.7 | EPSS: 0.00033
Exploits: 0 | References: 4
Positive Technologies
added 2026/05/19 12:0 a.m. | 9 views

PT-2026-41946

Name of the Vulnerable Software and Affected Versions hitarth-gg Zenshin versions prior to 2.7.0 Description An OS command injection flaw exists in the '/stream-to-vlc' Express route. This allows remote attackers to execute arbitrary commands on the host operating system by manipulating the url...

AI score: 6.1 | EPSS: 0.00592
Exploits: 0 | References: 6
Packet Storm News
added 2026/05/19 12:0 a.m. | 5 views

SCARA: A Semantics-Constrained Autonomous Remediation Agent for Opaque Industrial Software Vulnerabilities

Critical-infrastructure operators are increasingly expected to assess and remediate vulnerabilities in deployed industrial software. However, much of this software exists as opaque industrial software OIS, including stripped firmware, proprietary protocol handlers, and compiled control logic...

AI score: 5.8
Exploits: 0
OSV
added 2026/05/19 12:0 a.m. | 14 views

ALSA-2026:18480 Important: linux-sgx security update

The Intel SGX SDK is a collection of APIs, libraries, documentations and tools that allow software developers to create and debug Intel SGX enabled applications in C/C++. Security Fixes: qs: qs: Denial of Service via improper input validation in array parsing CVE-2025-15284 node-tar: tar: node-ta...

CVSS: 8.8 | AI score: 6.5 | EPSS: 0.00035
Exploits: 5 | References: 12
Vulnrichment
added 2026/05/19 12:0 a.m. | 6 views

CVE-2026-34883

An issue was discovered in the Portrait Dell Color Management application before 3.7.0 for Dell monitors. On Windows, a symbolic link vulnerability allows a local low-privileged user to escalate privileges to Administrator. During installation, the software writes the file CCFLFamily07Feb11.edr t...

AI score: 5.9 | EPSS: 0.00028
Exploits: 0 | References: 2
OSSF Malicious Packages
added 2026/05/19 12:0 a.m. | 9 views

Malicious code in @antv/x6-plugin-clipboard (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

AI score: 5.8
Exploits: 0 | References: 5
CVE
added 2026/05/18 11:46 p.m. | 12 views

CVE-2026-32312

CVE-2026-32312 (GLPI) affects GLPI 11.0.0 through 11.0.6. An authenticated user with forms READ permission could export the structure of unauthorized forms, exposing form configuration. The issue is fixed in version 11.0.7. According to the CVE records, the vulnerability has a CVSS v4.0 base scor...

CVSS: 5.1 | AI score: 5.7 | EPSS: 0.00033
Exploits: 0 | References: 2 | Affected Software: 1
vulnersOsv
added 2026/05/18 9:0 p.m. | 2 views

@antv/ava (=3.6.0-alpha.0), @antv/gpt-vis (>=0.0.1 <=0.6.1) +31 more potentially affected by unknown CVE via @antv/l7-draw (=3.1.5)

@antv/l7-draw NPM version =3.1.5 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/l7-draw and may be impacted: - @antv/ava =3.6.0-alpha.0 - @antv/gpt-vis =0.0.1, =0.1.0, =0.0.1, =0.0.1, =0.9.9, =0.1.1, =1.0.0, =1.0.2, =1.0.2, =0.0.1, =0.0.1, =0.0....

AI score: 5.5
Exploits: 0
Github Security Blog
added 2026/05/18 8:37 p.m. | 13 views

ImageMagick: Heap Buffer Over-Write of a single byte in the JP2 encoder.

An incorrect check in the JP2 will result in an heap buffer over-write of a single byte when specifying certain options...

CVSS: 4 | AI score: 5.9 | EPSS: 0.00013
Exploits: 0 | References: 3 | Affected Software: 18
Github Security Blog
added 2026/05/18 8:37 p.m. | 23 views

ImageMagick: Stack overflow in fx operation

Due to a missing depth check a stack overflow can occur in the fx operation by passing a crafted argument...

CVSS: 6.2 | AI score: 5.9 | EPSS: 0.00013
Exploits: 0 | References: 3 | Affected Software: 18
Snyk
added 2026/05/18 8:36 p.m. | 8 views

Infinite loop

Overview Magick.NET-Q8-OpenMP-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...

CVSS: 6.8 | AI score: 5.8 | EPSS: 0.00013
Exploits: 0 | References: 5
OSV
added 2026/05/18 7:12 p.m. | 7 views

MGASA-2026-0147 Updated rclone packages fix security vulnerabilities

This update bring new features, bugs and vulnerabilities fixed in rclone and golang components used to build it...

CVSS: 10 | AI score: 7.1 | EPSS: 0.69905
Exploits: 15 | References: 35