Emerson Dixell XWEB-500 - Arbitrary File Write

Emerson Dixell XWEB-500 contains an arbitrary file write caused by unauthenticated access to /cgi-bin/logoextraupload.cgi, /cgi-bin/calsave.cgi, and /cgi-bin/loutils.cgi, letting attackers write any file on the system, exploit requires no authentication. id: CVE-2021-45420 info: name: Emerson...

Malicious code in react-simple-utils-kit (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 038aa6bccd8008fec1f309d718e53dd4b89e4ca15a976c6a80652e0dd58a5b58 Package advertises itself as 'a simple date formatting utility for React projects' 3-function index.js, but ships a postinstall.js that runs on every...

Malicious code in @outmarket/utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2cd90f0d706cda01a5740f120f6e8d22ae57d907a5000854439c201b3c53a8c0 package.json declares a postinstall lifecycle script that fires automatically on npm install. The inline node -e payload uses hex-encoded property...

MAL-2026-6271 Malicious code in node-fetch-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 78aef0d64a7d761d2987d27aea462083425e5692475cd81332b7a3152c754308 On Windows, scripts/postinstall.js XOR-decodes a hardcoded C2 host node22.lunes.host:3258, authenticates with a 5-minute rolling HMAC-SHA256 token,...

CVE-2025-71379

vLLM versions = 0.6.3 and 0.9.0 contain multiple regular expression denial of service ReDoS vulnerabilities. Several regex patterns — in vllm/lora/utils.py, the phi4mini tool parser, and the OpenAI-compatible serving chat endpoint — are susceptible to catastrophic backtracking. An attacker...

EUVD-2025-210290

vLLM versions = 0.6.3 and 0.9.0 contain multiple regular expression denial of service ReDoS vulnerabilities. Several regex patterns — in vllm/lora/utils.py, the phi4mini tool parser, and the OpenAI-compatible serving chat endpoint — are susceptible to catastrophic backtracking. An attacker...

CVE-2025-71379

Vulnerability summary: vLLM versions 0.6.3–0.8.x (i.e.,

Astra Linux – Vulnerability in libraw

In LibRaw, there is an out-of-bounds read vulnerability within the “simpledecoderow” function libraw\src\x3f\x3futilspatched.cpp, which can be triggered by an image with a large rowstride field...

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: ASoC: amd/sdwutils: avoid NULL deref when devmkasprintf fails devmkasprintf may return NULL when memory allocation fails. However, the debug message prints cpus-dainame before checking it. Move the devdbg call after the NULL chec...

CVE-2026-12505

A flaw was found in the cifs-utils package where the cifs.upcall helper fails to securely drop its root privileges before looking up user information inside a user-controlled environment. A local, low privileged attacker can exploit this by using a crafted requestkey payload to trick the root-own...

CVE-2026-12505 Cifs-utils: local privilege escalation via forged cifs.spnego key description in cifs.upcall

A flaw was found in the cifs-utils package where the cifs.upcall helper fails to securely drop its root privileges before looking up user information inside a user-controlled environment. A local, low privileged attacker can exploit this by using a crafted requestkey payload to trick the root-own...

CVE-2026-12505 Cifs-utils: local privilege escalation via forged cifs.spnego key description in cifs.upcall

A flaw was found in the cifs-utils package where the cifs.upcall helper fails to securely drop its root privileges before looking up user information inside a user-controlled environment. A local, low privileged attacker can exploit this by using a crafted requestkey payload to trick the root-own...

CVE-2026-12505

CVE-2026-12505 concerns the cifs-utils package. The issue: the root-owned cifs.upcall fails to securely drop root privileges before consulting user information, allowing a local, low-privilege attacker to craft a request_key payload that causes the process to enter a controlled environment with a...

EUVD-2026-37834

A flaw was found in the cifs-utils package where the cifs.upcall helper fails to securely drop its root privileges before looking up user information inside a user-controlled environment. A local, low privileged attacker can exploit this by using a crafted requestkey payload to trick the root-own...

ROOT-APP-MAVEN-CVE-2022-29599 CVE-2022-29599 in io.root.org.apache.maven.shared:maven-shared-utils - Patched by Root

Root has patched CVE-2022-29599 in the io.root.org.apache.maven.shared:maven-shared-utils package for Root:Maven. Multiple fixed versions available...

Malicious code in node-path-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 180db640dc8207694eb4629834f74b740d7efc9febf26067d190e10656fe04e9 Package name node-path-utils and its README/description claim it is 'an exact copy of the NodeJS path module', impersonating the Node.js core path...

MAL-2026-5985 Malicious code in node-path-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 180db640dc8207694eb4629834f74b740d7efc9febf26067d190e10656fe04e9 Package name node-path-utils and its README/description claim it is 'an exact copy of the NodeJS path module', impersonating the Node.js core path...

Malicious code in classbreeze-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e19daf4f946816f5ba3c6e592eacc980861b281c6752b738de57fdd31f49279d The package masquerades as a Tailwind plugin: README and the top of src/index.js are a verbatim clone of @tailwindcss/typography...

CVE-2026-49875

A flaw was found in Apache CXF. The EndpointReferenceUtils and W3CMultiSchemaFactory classes within Apache CXF construct a SAXParserFactory without proper security configurations. This oversight enables out-of-band OOB external entity resolution, a type of XML External Entity XXE vulnerability. A...

MAL-2026-5748 Malicious code in chai-utils-test (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 64edd573a9e5fdef8dcde78f5b0c9fa00521f232b886be838104741d1e0535f7 Package name 'chai-utils-test' impersonates the popular 'chai' assertion library and ships a cloned chai source tree. The declared main index.js call...