Lucene search

47 matches found

NVD
added 2026/05/04 7:16 p.m., 4 views

CVE-2026-41686

Claude SDK for TypeScript provides access to the Claude API from server-side TypeScript or JavaScript applications. From version 0.79.0 to before version 0.91.1, the BetaLocalFilesystemMemoryTool in the Anthropic TypeScript SDK created memory files and directories using the Node.js default modes...

CVSS 4.8 | EPSS 0.00012
Exploits: 0 | References: 1

EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2014-0684

Malware in sbrugna...

CVSS 4.3 | AI score 6.4 | EPSS 0.0067
Exploits: 0 | References: 8

EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2017-0228

Malware in sbrugna...

CVSS 6.8 | AI score 6.2 | EPSS 0.00072
Exploits: 0 | References: 11

EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2012-4659

Malware in sbrugna...

CVSS 5 | AI score 6 | EPSS 0.00158
Exploits: 0 | References: 4

EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2017-5418

Malware in sbrugna...

CVSS 7.5 | AI score 7.6 | EPSS 0.00573
Exploits: 0 | References: 6

EUVD
added 2025/10/03 8:7 p.m., 5 views

EUVD-2023-42405

Malicious code in bioql PyPI...

CVSS 5.5 | AI score 7 | EPSS 0.00104
Exploits: 1 | References: 7

EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2022-4176

Malicious code in bioql PyPI...

CVSS 5.8 | AI score 7.8 | EPSS 0.02831
Exploits: 0 | References: 9

EUVD
added 2025/10/03 8:7 p.m., 1 views

EUVD-2022-3088

Malicious code in bioql PyPI...

CVSS 5.2 | AI score 6.3 | EPSS 0.00381
Exploits: 0 | References: 18

RedhatCVE
added 2025/05/23 5:31 a.m., 5 views

CVE-2023-29051

User-defined OXMF templates could be used to access a limited part of the internal OX App Suite Java API. The existing switch to disable the feature by default was not effective in this case. Unauthorized users could discover and modify application state, including objects related to other users...

CVSS 8.1 | AI score 6.9 | EPSS 0.00187
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/22 8:44 a.m., 7 views

CVE-2019-8564

A logic issue was addressed with improved validation. This issue is fixed in macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra. An attacker in a privileged network position can modify driver state...

CVSS 7.5 | AI score 5.8 | EPSS 0.00241
Exploits: 0 | References: 1

Vulnrichment
added 2025/05/20 3:14 p.m., 3 views

CVE-2025-48018 Deserialization of Untrusted Data

An authenticated user can modify application state data...

CVSS 7.5 | AI score 7.5 | EPSS 0.00131
Exploits: 0 | References: 1

Cvelist
added 2025/05/20 3:14 p.m., 12 views

CVE-2025-48018 Deserialization of Untrusted Data

An authenticated user can modify application state data...

CVSS 7.5 | EPSS 0.00131
Exploits: 0 | References: 1

Veracode
added 2025/05/19 8:12 a.m., 4 views

Unauthorized State Modification

reflex is vulnerable to Unauthorized State Modification. The vulnerability is due to improper access control and event handler, including private and non-client-side fields, that allows an attacker to modify arbitrary state fields, including private ones, if their names are guessed...

AI score 6.8
Exploits: 0 | References: 2 | Affected Software: 1

NVD
added 2024/06/06 6:15 p.m., 16 views

CVE-2024-5452

A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserialized user input and mismanagement of dunder attributes by the deepdiff library. The library uses deepdiff.Delta objects to modify application state base...

CVSS 9.8 | EPSS 0.50542
Exploits: 3 | References: 2

Cvelist
added 2024/01/08 9:4 a.m., 14 views

CVE-2023-29051

User-defined OXMF templates could be used to access a limited part of the internal OX App Suite Java API. The existing switch to disable the feature by default was not effective in this case. Unauthorized users could discover and modify application state, including objects related to other users...

CVSS 8.1 | AI score 8.2 | EPSS 0.00187
Exploits: 0 | References: 2

Code423n4
added 2023/11/15 12:0 a.m., 13 views

rsETH can return incorrect price because of future EigenLayer strategies

Lines of code Vulnerability details Impact How currently rsETH price is calculated? totalEthLocked is divided by rsETH supply. How totalEthLocked is calculated? It sums 3 amounts per every asset: 1 balance of LRTDepositPool.sol, 2 balance of all node delegators, 3 already deposited amount of asse...

AI score 7
Exploits: 0

OSV
added 2023/09/04 5:39 p.m., 13 views

CVE-2023-40015 Vyper: reversed order of side effects for some operations

Vyper is a Pythonic Smart Contract Language. For the following (probably non-exhaustive) list of expressions, the compiler evaluates the arguments from right to left instead of left to right. unsafe_add, unsafe_sub, unsafe_mul, unsafe_div, pow_mod256, |, &, ^ (bitwise operators), bitwise_or (deprecated),...

CVSS 3.7 | AI score 5.2 | EPSS 0.00091
Exploits: 1 | References: 3

Cvelist
added 2023/07/26 11:55 p.m., 28 views

CVE-2023-38606

This issue was addressed with improved state management. This issue is fixed in macOS Monterey 12.6.8, iOS 15.7.8 and iPadOS 15.7.8, iOS 16.6 and iPadOS 16.6, tvOS 16.6, macOS Big Sur 11.7.9, macOS Ventura 13.5, watchOS 9.6. An app may be able to modify sensitive kernel state. Apple is aware of a...

AI score 5.9 | EPSS 0.00104
Exploits: 1 | References: 7

Code423n4
added 2023/07/21 12:0 a.m., 6 views

Using controlled delegatecall could in calling _deployTokenManager.tokenManagerDeploy()

Lines of code Vulnerability details Impact The use of delegatecall in this context poses a security risk. When using delegatecall, the called contract's code is executed within the context of the calling contract. This means that the deployTokenManager function is executed as if it is part of the...

AI score 7.2
Exploits: 0

Code423n4
added 2023/07/21 12:0 a.m., 6 views

Using controlled delegatecall, to call InterchainTokenService._deployStandardizedToken contract instead of call()

Lines of code Vulnerability details Impact When using delegatecall, the called contract's code is executed within the context of the calling contract. This means that the deployStandardizedToken function is executed as if it is part of the current contract, and it can potentially modify the state...

AI score 7.2
Exploits: 0