182 matches found
PT-2026-6858
Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/settings.local.json was explicitly protected with read-only constraints,...
GHSA-VHW5-3G5M-8GGF Claude Code has a Domain Validation Bypass which Allows Automatic Requests to Attacker-Controlled Domains
Claude Code contained insufficient URL validation in its trusted domain verification mechanism for WebFetch requests. The application used a startsWith function to validate trusted domains e.g., docs.python.org, modelcontextprotocol.io, this could have enabled attackers to register domains like...
Claude Code has a Domain Validation Bypass which Allows Automatic Requests to Attacker-Controlled Domains
Claude Code contained insufficient URL validation in its trusted domain verification mechanism for WebFetch requests. The application used a startsWith function to validate trusted domains e.g., docs.python.org, modelcontextprotocol.io, this could have enabled attackers to register domains like...
PT-2026-6464
Due to a Bash command validation flaw in parsing ZSH clobber syntax, it was possible to bypass directory restrictions and write files outside the current working directory without user permission prompts. Exploiting this required the user to use ZSH and the ability to add untrusted content into a...
GHSA-JH7P-QR78-84P7 Claude Code Leaks Data via Malicious Environment Configuration Before Trust Confirmation
A vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. If a user started Claude Code in an attacker-controller repository, and the repository included a settings file that set ANTHROPICBASEURL...
CVE-2023-50926
Contiki-NG is an open-source, cross-platform operating system for Next-Generation IoT devices. An out-of-bounds read can be caused by an incoming DIO message when using the RPL-Lite implementation in the Contiki-NG operating system. More specifically, the prefix information of the DIO message...
PT-2026-1287
Name of the Vulnerable Software and Affected Versions Centreon Infra Monitoring versions 25.10.0 through 25.10.0 Centreon Infra Monitoring versions 24.10.0 through 24.10.3 Centreon Infra Monitoring versions 24.04.0 through 24.04.7 Description The software contains an Improper Neutralization of...
PT-2025-53614
Name of the Vulnerable Software and Affected Versions Eigent version 0.0.60 Description Eigent is a multi-agent Workforce platform. A 1-click Remote Code Execution RCE issue exists in version 0.0.60, allowing an attacker to execute arbitrary code on a victim’s machine or server through a specific...
PT-2025-52770
Name of the Vulnerable Software and Affected Versions Linksys E5600 version 1.1.0.26 Description The Linksys E5600 router firmware version 1.1.0.26 contains a command injection issue in the runtime.macClone function. The issue is triggered via the mc.ip parameter. Recommendations Update to a newe...
PT-2025-52744
Name of the Vulnerable Software and Affected Versions Product Delivery Date for WooCommerce – Lite versions through 2.7.0 Description A security issue exists in Tyche softwares Product Delivery Date for WooCommerce – Lite. The description does not provide specific details about the nature of the...
GHSA-7MV8-J34Q-VP7Q @anthropic-ai/claude-code has Sed Command Validation Bypass that Allows Arbitrary File Writes
Due to an error in sed command parsing, it was possible to bypass the Claude Code read-only validation and write to arbitrary files on the host system. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the...
PT-2025-46290
Name of the Vulnerable Software and Affected Versions GitHub Gist Shortcode Plugin for WordPress versions through 0.2 Description The GitHub Gist Shortcode Plugin for WordPress is susceptible to Stored Cross-Site Scripting through the id parameter of the 'gist' shortcode. Insufficient input...
PT-2025-45509
Name of the Vulnerable Software and Affected Versions CrushFTP version 11.3.7 50 Description A stored cross-site scripting XSS issue exists in the CrushFTP Admin Panel, specifically within the Reports / 'Who Created Folder' section. Authenticated attackers who have folder creation permissions can...
PT-2025-45143
Name of the Vulnerable Software and Affected Versions Dell CloudLink versions prior to 8.1.1 Description Dell CloudLink versions prior to 8.1.1 have a flaw that allows a user with elevated privileges to potentially escalate their privileges further or access the database, potentially leading to t...
PT-2025-45348
Name of the Vulnerable Software and Affected Versions containerd versions 0.1.0 through 1.7.28 containerd versions 2.0.0-beta.0 through 2.0.6 containerd versions 2.1.0-beta.0 through 2.1.4 containerd versions 2.2.0-beta.0 through 2.2.0-rc.1 Description containerd is an open-source container runti...
PT-2025-43150
Name of the Vulnerable Software and Affected Versions designthemes Solar Energy versions through 3.5 Description The software contains a flaw due to deserialization of untrusted data, which can lead to object injection. Recommendations Versions prior to 3.5 should be updated...
EUVD-2025-2877
Malicious code in bioql PyPI...
EUVD-2023-55657
Malicious code in bioql PyPI...
EUVD-2024-0483
Malicious code in bioql PyPI...
EUVD-2025-27271
Malicious code in bioql PyPI...