CVE-2026-24131
A flaw was found in pnpm, a package manager. When pnpm processes the directories.bin field of a package, it fails to properly validate the path, allowing a malicious npm package to specify a crafted path. This directory traversal vulnerability enables the package to escape its intended directory...
What Should We Learn From How Attackers Leveraged AI in 2025?
Old Playbook, New Scale: While defenders are chasing trends, attackers are optimizing the basics. The security industry loves talking about "new" threats. AI-powered attacks. Quantum-resistant encryption. Zero-trust architectures. But looking around, it seems like the most effective attacks in 2025...
Shai Hulud 2.0, now with a wiper flavor
In September, a new breed of malware distributed via compromised Node Package Manager npm packages made headlines. It was dubbed "Shai-Hulud", and we published an in-depth analysis of it in another post. Recently, a new version was discovered. Shai Hulud 2.0 is a type of two-stage worm-like malwa...
GHSA-53WX-PR6Q-M3J5 Apache Parquet Java: Potential malicious code execution from trusted packages in the parquet-avro module when reading an Avro schema from a Parquet file metadata
Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. While 1.15.1 introduced a fix to restrict untrusted packages, the default setting of trusted packages still allows malicious classes from these packages to be...
CVE-2025-46762 Apache Parquet Java: Potential malicious code execution from trusted packages in the parquet-avro module when reading an Avro schema from a Parquet file metadata
Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. While 1.15.1 introduced a fix to restrict untrusted packages, the default setting of trusted packages still allows malicious classes from these packages to be...
PT-2022-28163 · Apache · Maven Enforcer Plugin
Name of the Vulnerable Software and Affected Versions: Artemis Java Test Sandbox versions prior to 1.8.0 Description: The issue allows an attacker to escape the sandbox by including class files in a package that Ares trusts, enabling the execution of arbitrary Java code when a victim runs the...
CVE-2011-2515
PackageKit 0.6.17 allows installation of unsigned RPM packages as though they were signed which may allow installation of non-trusted packages and execution of arbitrary code...
CVE-2011-2515
PackageKit 0.6.17 is vulnerable to an issue where unsigned RPM packages are treated as signed, allowing installation of non-trusted packages and potential arbitrary code execution. Affected component: PackageKit 0.6.17. Root cause: unsigned RPMs accepted as signed, enabling local privilege or cod...