Malicious code in rowrap (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 606ce541a3ef4a98e4e1639e96c6431e7ec83be6f987c640a63c03991eae4f6e The package hides code to download and start malicious script containing malware, identified as adware. The triggering method seems to be PTH file, although it...

Weak Authentication

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Weak Authentication in the user sign up. An attacker can create authenticated sessions without providing valid credentials b...

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the POST /classes/Session endpoint. An...

GHSA-5V7G-9H8F-8PGG Parse Server session creation endpoint allows overwriting server-generated session fields

Impact An authenticated user can overwrite server-generated session fields sessionToken, expiresAt, createdWith when creating a session object via POST /classes/Session. This allows bypassing the server's session expiration policy by setting an arbitrary far-future expiration date. It also allows...

Parse Server session creation endpoint allows overwriting server-generated session fields

Impact An authenticated user can overwrite server-generated session fields sessionToken, expiresAt, createdWith when creating a session object via POST /classes/Session. This allows bypassing the server's session expiration policy by setting an arbitrary far-future expiration date. It also allows...

PT-2026-25982

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.17 and 8.6.42, an authenticated user can overwrite server-generated session fields sessionToken, expiresAt, createdWith when creating a session object via POST /classes/...

Malicious code in color-list (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 86ffbba2d1825f76d4c2baa6a8b7ecbe85514239934a3d7903745d17d4baf704 Malicious code hidden in the color-list package uses the presence of pretty-tabulate as a trigger to load code hidden in likely a third malicious package...

CVE-2026-29521 Hereta ETH-IMC408M CSRF via Configuration Setup

Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a cross-site request forgery vulnerability that allows attackers to modify device configuration by exploiting missing CSRF protections in setup.cgi. Attackers can host malicious pages that submit forged requests using...

EUVD-2026-12171

A command injection vulnerability was identified in TP-Link TL-WR802N v4, TL-WR841N v14, and TL-WR840N v6 due to improper neutralization of special elements used in an OS command. In the router configuration import function allows an authenticated attacker to upload a crafted configuration file...

CVE-2026-3227

A command injection vulnerability was identified in TP-Link TL-WR802N v4, TL-WR841N v14, and TL-WR840N v6 due to improper neutralization of special elements used in an OS command. In the router configuration import function allows an authenticated attacker to upload a crafted configuration file...

SAMSUNG Secure Folder 安全漏洞

Samsung Secure Folder is a privacy protection software developed by South Korea’s Samsung Corporation. Versions of Samsung Secure Folder prior to the SMR Mar-2026 Release 1 had security vulnerabilities. These vulnerabilities stemmed from improper export of Android application components, which...

CVE-2026-32724

PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc1, a heap-use-after-free is detected in the MavlinkShell::available function. The issue is caused by a race condition between the MAVLink receiver thread which handles shell creation/destruction and the telemetry sender thre...

CVE-2026-32724

The CVE-2026-32724 vulnerability affects PX4 Autopilot: a heap-use-after-free in MavlinkShell::available() caused by a race between the MAVLink receiver thread (shell creation/destruction) and the telemetry sender thread (polling output). It is triggerable remotely via MAVLink SERIAL_CONTROL mess...

PT-2026-25392

A command injection vulnerability was identified in TP-Link TL-WR802N v4, TL-WR841N v14, and TL-WR840N v6 due to improper neutralization of special elements used in an OS command. In the router configuration import function allows an authenticated attacker to upload a crafted configuration file...

Parse Server has a protected fields bypass via logical query operators

Impact The validation for protected fields only checks top-level query keys. By wrapping a query constraint on a protected field inside a logical operator, the check is bypassed entirely. This allows any authenticated user to query on protected fields to extract field values. All Parse Server...

EUVD-2026-10548

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.12 and 9.5.1-alpha.1, the requestKeywordDenylist security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is...

GHSA-Q342-9W2P-57FP Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement

Impact The requestKeywordDenylist security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is caused by a logic bug that stops scanning sibling keys after encountering the first nested value. Any custom requestKeywordDenylist...

Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization

Impact The file metadata endpoint GET /files/:appId/metadata/:filename does not enforce beforeFind / afterFind file triggers. When these triggers are used as access-control gates, the metadata endpoint bypasses them entirely, allowing unauthorized access to file metadata. This affects any...

Improper Control of Dynamically-Managed Code Resources

Overview apache-airflow-providers-http is a Provider package apache-airflow-providers-http for Apache Airflow Affected versions of this package are vulnerable to Improper Control of Dynamically-Managed Code Resources via the HttpTrigger’s pickle-based serialization in the deferred HTTP task...

CVE-2026-30850

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint GET /files/:appId/metadata/:filename does not enforce beforeFind / afterFind file triggers. When these triggers are used as...