PT-2026-49583

A Denial of Service DoS vulnerability exists in the @angular/common package of the Angular framework. The formatDate function, which is also utilized by the standard Angular DatePipe, does not properly limit or validate the length of the format parameter. When parsing a maliciously crafted,...

ROS-20260615-73-0014

The vulnerability of the smartcardunpackreadsizealign function libfreerdp/utils/smartcardpack.c:1703 is related to the use of the assert or similar operator in the RDP client FreeRDP. Exploiting this vulnerability may allow a remote attacker to cause the application to terminate abnormally...

MAL-2026-5772 Malicious code in npx-whoami-demo (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0971bcb88de070f17d932feff04cd6e66ecc825f606b412414457a3afb4ad174 The package's only code file index.js, also registered as the package's bin entry unconditionally executes require'childprocess'.execSync"bash -c...

MAL-2026-5762 Malicious code in npm-sandbox-research-e9f0 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a18a9932f78294e22aa0a85077b9318233ab0952bc8788ae8987fce3e5002c93 Package declares a postinstall hook "postinstall": "node run.js" that executes automatically on npm install. The tarball ships beacon scripts...

openSUSE 16 Security Update : java-21-openj9 (openSUSE-SU-2026:20947-1)

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20947-1 advisory. Changes in java-21-openj9: - Make post scripts less noisy bsc1267355 - Use libalternatives instead of update-alternatives for distributions wher...

MAL-2026-5730 Malicious code in class-synth (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1aa63407d7400b4819d0739dedad0a32d9ae29b18509693c2e8763cf30275271 class-synth is advertised as a small class/style/date utility library, but its main entry dist/index.js contains a hidden top-level async IIFE init...

CVE-2026-53868

Capgo before 12.128.2 contains a denial of service vulnerability allowing attackers to register accounts using arbitrary email addresses without verification, then initiate deletion to lock emails in pending deletion state. Attackers can permanently lock legitimate users out of the platform for 3...

File Browser has a DoS Vulnerability via Public Login API

Summary Unchecked passwords maximums allow for an arbitrarily large password to be passed into the login API. This spikes CPU and memory, and after testing, crashes, heavily lags any container created, and has even made my docker daemon start to send errors with status code 500 even after the...

CVE-2026-54394

MISP contains a path traversal vulnerability in OrganisationsController::getOrgLogo. The vulnerable code builds organisation logo file paths using organisation-controlled fields such as id, name, and uuid without ensuring that the resolved file remains inside the intended APP/files/img/orgs/...

CVE-2026-54394 MISP organisation logo path traversal allows retrieval of arbitrary PNG/SVG files

MISP contains a path traversal vulnerability in OrganisationsController::getOrgLogo. The vulnerable code builds organisation logo file paths using organisation-controlled fields such as id, name, and uuid without ensuring that the resolved file remains inside the intended APP/files/img/orgs/...

kernel: scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count()

A use-after-free flaw was found in the Linux kernel's iSCSI target subsystem. In the iscsitdecconnusagecount function, complete is called while still holding the conn-connusagelock spinlock. The waiting thread such as iscsitcloseconnection may wake up immediately and free the iscsitconn structure...

MAL-2026-5715 Malicious code in workflow-postgres-setup (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 19848a1b4a7188ada5866c459ec2b966b9aa6ba1d23e3c25b1f54939e6a6b963 The package advertises itself as a Postgres/workflow setup helper but ships no library code — the declared main entry index.js is absent from the...

EUVD-2026-32914

pypdf: Possible large memory usage for large offsets for layout mode text...

pypdf: Possible large memory usage for large offsets for layout mode text

Impact An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires extracting text in layout mode with large character offsets. Patches This has been fixed in pypdf==6.12.0. Workarounds If developers are unable to immediately upgrade, they should...

GHSA-CJ93-CHG6-VGV8 pypdf: Possible large memory usage for large offsets for layout mode text

Impact An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires extracting text in layout mode with large character offsets. Patches This has been fixed in pypdf==6.12.0. Workarounds If developers are unable to immediately upgrade, they should...

CVE-2026-48165 MariaDB: unsafe usage of `wsrep_sst_receive_address` values on the joiner side

MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1 to before 11.4.12, 11.8.1 to before 11.8.8, and 12.3.1, a high-privileged MariaDB user could've used wsrepsstreceiveaddress or wsrepsstdonor global system...

Malicious Package

Overview vite-react-toolkit is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVE-2026-48059 Netty HAProxy: Unbalanced Reference Count in Nested PP2_TYPE_SSL TLV Parsing Leads to Memory Exhaustion

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid header containing nest...

Malicious Package

Overview ecto-flag-read-m7p2 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Malicious Package

Overview ecto-corsair-flag-x9m4 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packag...