155 matches found
Unity Linux 20.1070a Security Update: gnome-shell (UTSA-2026-005908)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-005908 advisory. In GNOME Shell through 45.7, a portal helper can be launched automatically without user confirmation based on network responses provided by an adversary e.g., an...
OneUptime:: node:vm sandbox escape in probe allows any project member to achieve RCE
Summary OneUptime lets project members write custom JavaScript that runs inside monitors. The problem is it executes that code using Node.js's built-in vm module, which Node.js itself documents as "not a security mechanism — do not use it to run untrusted code." The classic one-liner escape gives...
MiracleLinux 7 : gnome-shell-3.28.3-34.0.2.el7.AXS7 (AXSA:2025-9565:01)
The remote MiracleLinux 7 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2025-9565:01 advisory. CVE-2024-36472: fix portal helper from launching automatically based on network responses to prevent loading untrusted JavaScript code CVEs: CVE-2024-36472 I...
CVE-2023-25933
A type confusion bug in TypedArray prior to commit e6ed9c1a4b02dc219de1648f44cd808a56171b81 could have been used by a malicious attacker to execute arbitrary code via untrusted JavaScript. Note that this is only exploitable in cases where Hermes is used to execute untrusted JavaScript. Hence, mos...
CVE-2022-35289
A write-what-where condition in hermes caused by an integer overflow, prior to commit 5b6255ae049fa4641791e47fad994e8e8c4da374 allows attackers to potentially execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of...
Prototype Pollution
happy-dom is vulnerable to Prototype Pollution. The vulnerability is due to untrusted JavaScript running in the same isolate as the main application despite the --disallow-code-generation-from-strings flag, which allows an attacker to deploy prototype-pollution payloads to hijack critical...
GHSA-QPM2-6CQ5-7PQ5 happy-dom's `--disallow-code-generation-from-strings` is not sufficient for isolating untrusted JavaScript
Summary The mitigation proposed in GHSA-37j7-fg3j-429f for disabling eval/Function when executing untrusted code in happy-dom does not suffice, since it still allows prototype pollution payloads. Details The untrusted script and the rest of the application still run in the same Isolate/process, s...
happy-dom's `--disallow-code-generation-from-strings` is not sufficient for isolating untrusted JavaScript
Summary The mitigation proposed in GHSA-37j7-fg3j-429f for disabling eval/Function when executing untrusted code in happy-dom does not suffice, since it still allows prototype pollution payloads. Details The untrusted script and the rest of the application still run in the same Isolate/process, s...
EUVD-2025-34678
happy-dom's --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript...
CVE-2025-62410
In versions before 20.0.2, it was found that --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom. The untrusted script and the rest of the application still run in the same Isolate/process, so attackers can deploy prototype pollution payloads ...
CVE-2025-62410 --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom
In versions before 20.0.2, it was found that --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom. The untrusted script and the rest of the application still run in the same Isolate/process, so attackers can deploy prototype pollution payloads ...
CVE-2025-62410 --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom
In versions before 20.0.2, it was found that --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom. The untrusted script and the rest of the application still run in the same Isolate/process, so attackers can deploy prototype pollution payloads ...
CVE-2025-62410 --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom
In versions before 20.0.2, it was found that --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom. The untrusted script and the rest of the application still run in the same Isolate/process, so attackers can deploy prototype pollution payloads ...
CVE-2025-62410
CVE-2025-62410 affects happy-dom prior to version 20.0.2, where the --disallow-code-generation-from-strings mitigation does not fully isolate untrusted JavaScript. The untrusted script and the rest of the application run in the same Isolate/process, allowing prototype-pollution payloads to hijack...
CVE-2025-61927
CVE-2025-61927 affects Happy DOM v19 and earlier, where the Node.js VM Context is not isolated and untrusted JavaScript executed inside the Happy DOM VM can escape to access process-level functionality. Depending on module system (ESM vs CommonJS), attackers may obtain access to powerful objects ...
EUVD-2018-0212
Malware in sbrugna...
EUVD-2020-12722
Malware in sbrugna...
EUVD-2020-18835
Malware in sbrugna...
EUVD-2022-38179
Malicious code in bioql PyPI...
EUVD-2022-53431
Malicious code in bioql PyPI...