MAL-2026-1505 Malicious code in transform-jscript (npm)

The package 'transform-jscript' is part of the PhantomRaven supply chain attack campaign Wave 2. It uses a Remote Dynamic Dependency RDD technique: the published package appears benign but includes a URL-based dependency in package.json pointing to an attacker-controlled C2 server...

MAL-2026-1564 Malicious code in transform-es2015-spread (npm)

The package 'transform-es2015-spread' is part of the PhantomRaven supply chain attack campaign Wave 3. It uses a Remote Dynamic Dependency RDD technique: the published package appears benign but includes a URL-based dependency in package.json pointing to an attacker-controlled C2 server...

Malicious Package

Overview transform-member-expression-literals is a malicious package. This package was recognized as part of the 'PhantomRaven' supply chain campaign, which involves credential-stealing malware. The package impersonates well-known ecosystem plugins to deceive developers into installing it...

Malicious Package

Overview transform-dynamic-import is a malicious package. This package was recognized as part of the 'PhantomRaven' supply chain campaign, which involves credential-stealing malware. The package impersonates well-known ecosystem plugins to deceive developers into installing it. Malicious Behavior...

Malicious Package

Overview transform-modules-systemjs is a malicious package. This package was recognized as part of the 'PhantomRaven' supply chain campaign, which involves credential-stealing malware. The package impersonates well-known ecosystem plugins to deceive developers into installing it. Malicious Behavi...

Malicious Package

Overview transform-for-of is a malicious package. This package was recognized as part of the 'PhantomRaven' supply chain campaign, which involves credential-stealing malware. The package impersonates well-known ecosystem plugins to deceive developers into installing it. Malicious Behavior The...

Malicious Package

Overview transform-function-bind is a malicious package. This package was recognized as part of the 'PhantomRaven' supply chain campaign, which involves credential-stealing malware. The package impersonates well-known ecosystem plugins to deceive developers into installing it. Malicious Behavior...

CVE-2026-30982

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap out-of-bounds read in CIccPcsXform::pushXYZConvert causing crash and potentially leaking memory contents. This vulnerability is fixed in 2.3.1.5...

CVE-2026-30978 Heap-use-after-free in CIccCmm::AddXform()

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap-use-after-free in CIccCmm::AddXform causing invalid vptr dereference and crash. This vulnerability is fixed in 2.3.1.5...

Exploit for Code Injection in Craftcms Craft_Cms

CVE-Public - Vulnerability Proof-of-Concept Script Library...

Amazon Linux 2 : firefox, --advisory ALAS2FIREFOX-2026-053 (ALASFIREFOX-2026-053)

The version of firefox installed on the remote host is prior to 140.7.1-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2FIREFOX-2026-053 advisory. A specially-crafted file can cause libjxl's decoder to read pixel data from uninitialized but allocated memory. Th...

Amazon Linux 2023 : jxl-pixbuf-loader, libjxl, libjxl-devel (ALAS2023-2026-1459)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1459 advisory. A specially-crafted file can cause libjxl's decoder to read pixel data from uninitialized but allocated memory. This can be done by causing the decoder to reference an outside-image-bound area...

CVE-2026-28393

OpenClaw versions 2.0.0-beta3 prior to 2026.2.14 contain a path traversal vulnerability in hook transform module loading that allows arbitrary JavaScript execution. The hooks.mappings.transform.module parameter accepts absolute paths and traversal sequences, enabling attackers with configuration...

CVE-2026-28393

OpenClaw versions 2.0.0-beta3 prior to 2026.2.14 contain a path traversal vulnerability in hook transform module loading that allows arbitrary JavaScript execution. The hooks.mappings.transform.module parameter accepts absolute paths and traversal sequences, enabling attackers with configuration...

CVE-2026-28393 OpenClaw 2.0.0-beta3 < 2026.2.14 - Arbitrary JavaScript Module Loading via Hook Transform Path Traversal

OpenClaw versions 2.0.0-beta3 prior to 2026.2.14 contain a path traversal vulnerability in hook transform module loading that allows arbitrary JavaScript execution. The hooks.mappings.transform.module parameter accepts absolute paths and traversal sequences, enabling attackers with configuration...

CVE-2026-28393

OpenClaw versions 2.0.0-beta3 prior to 2026.2.14 contain a path traversal vulnerability in hook transform module loading that allows arbitrary JavaScript execution. The hooks.mappings.transform.module parameter accepts absolute paths and traversal sequences, enabling attackers with configuration...

CVE-2026-28393

OpenClaw 2.0.0-beta3 prior to 2026.2.14 contains a path traversal vulnerability in the hook transform module loading. The hooks.mappings[].transform.module parameter accepts absolute paths and traversal sequences, allowing attackers with configuration write access to load and execute malicious mo...

EUVD-2026-9893

OpenClaw versions 2.0.0-beta3 prior to 2026.2.14 contain a path traversal vulnerability in hook transform module loading that allows arbitrary JavaScript execution. The hooks.mappings.transform.module parameter accepts absolute paths and traversal sequences, enabling attackers with configuration...

📄 dottie 2.0.6 Prototype Pollution Bypass

CVE-2026-27837 describes an incomplete patch in dottie versions 2.0.4 through 2.0.6, following the original CVE-2023-26132 fix attempt. The protection added in commit 7d3aee1 validates only the first segment of a dot-separated property path against dangerous keys such as proto. However, the...

OpenClaw 代码问题漏洞

OpenClaw is an open-source intelligent artificial assistant. Versions of OpenClaw from 2.0.0-beta3 up to 2026.2.14 contained code vulnerabilities. These vulnerabilities stemmed from path traversal issues during the loading of the hook transform module, which could allow execution of arbitrary...