GHSA-GV8P-48FR-4FXG Shopware: Privilege Escalation via Sync API Integration Admin Flag Bypass

Summary A non-admin API user with integration:create ACL privilege can escalate to full administrator by creating an integration with admin: true through the Sync API POST /api/action/sync. The regular integration endpoint POST /api/integration correctly blocks this, but the Sync API bypasses the...

CVE-2026-30796

CVE-2026-30796 affects RustDesk Server Pro (rustdesk-server-pro) on Windows, macOS, and Linux. The vulnerability lies in cleartext transmission within the Address Book Sync/Heartbeat API path, where the Heartbeat API handler accepts a preset address-book password in plaintext. Consequence: potent...

CVE-2026-27638

Actual is a local-first personal finance tool. Prior to version 26.2.1, in multi-user mode OpenID, the sync API endpoints /sync/ don't verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can read, modify, and overwrite any other user's budge...

SUSE CVE-2025-38040

In the Linux kernel, the following vulnerability has been resolved: serial: mctrlgpio: split disablems into sync and nosync APIs The following splat has been observed on a SAMA5D27 platform using atmelserial: BUG: sleeping function called from invalid context at kernel/irq/manage.c:738 inatomic: ...

CVE-2025-38040

CVE-2025-38040 affects the Linux kernel’s serial/mctrl_gpio path. The advisory reports a fix for a denial of service/privilege implications by splitting the disabling of modem lines (disable_ms) into two APIs: sync and no_sync, addressing a sleeping function being called from an atomic context (d...

Hidden Backdoors in npm Packages Let Attackers Wipe Entire Systems

Malicious npm packages found with hidden endpoints that wipe systems on command. Devs warned to check dependencies for express-api-sync, system-health-sync-api...

Malicious code in system-health-sync-api (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 13c337e149bd36fcd54891e550bf7fdb7c1dc36b1bfc1b06e0b1427851d4adde Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2025-4695 Malicious code in system-health-sync-api (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 13c337e149bd36fcd54891e550bf7fdb7c1dc36b1bfc1b06e0b1427851d4adde Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2025-1256 Malicious code in pnpm-sync-api-tests (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 7ff8a3208b0a7303df5e44ee0ec9bcc028b58bffe1fdabfbea89ab56a78cf841 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

CVE-2014-3176

Google Chrome before 37.0.2062.94 does not properly handle the interaction of extensions, IPC, the sync API, and Google V8, which allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-3177...

CVE-2014-3176

Google Chrome before 37.0.2062.94 does not properly handle the interaction of extensions, IPC, the sync API, and Google V8, which allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-3177...

Code injection

Google Chrome before 37.0.2062.94 does not properly handle the interaction of extensions, IPC, the sync API, and Google V8, which allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-3177...

CVE-2014-3177

Google Chrome before 37.0.2062.94 does not properly handle the interaction of extensions, IPC, the sync API, and Google V8, which allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-3176...

CVE-2014-3176

Google Chrome before 37.0.2062.94 does not properly handle the interaction of extensions, IPC, the sync API, and Google V8, which allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-3177...

CVE-2014-3176

Removed by vendor...

Google Chrome < 37.0.2062.94 Multiple Vulnerabilities (Mac OS X)

The version of Google Chrome installed on the remote Mac OS X host is a version prior to 37.0.2062.94. It is, therefore, affected by the following vulnerabilities : - Blink contains a use-after-free vulnerability in its SVG implementation. By using a specially crafted web page, a remote attacker...