MAL-2026-423 Malicious code in oce-validate (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2cc6b17601336bdff3872b33d794187edf7b7a3779e96d01d0eb1081e043ecf5 The package oce-validate was found to contain malicious code. Source: ghsa-malware 4e0413e75c3bcfe39d1a45db99c6ac3968db6c708667e30eb88879f9fd483331 A...

Malicious Package

Overview oce-validate is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Malicious code in oce-validate (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2cc6b17601336bdff3872b33d794187edf7b7a3779e96d01d0eb1081e043ecf5 The package oce-validate was found to contain malicious code. Source: ghsa-malware 4e0413e75c3bcfe39d1a45db99c6ac3968db6c708667e30eb88879f9fd483331 A...

EUVD-2026-3731

Malicious code in oce-validate npm...

MiracleLinux 7 : rh-nodejs14-nodejs-14.15.4-2.el7 (AXSA:2021-1397:01)

The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2021-1397:01 advisory. nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS CVE-2020-7754 nodejs-y18n: prototype pollution...

MiracleLinux 7 : rh-nodejs12-nodejs-nodemon-2.0.3-1.el7, rh-nodejs12-nodejs-12.20.1-1.el7 (AXSA:2021-1451:01)

The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2021-1451:01 advisory. nodejs-mixin-deep: prototype pollution in function mixin-deep CVE-2019-10746 nodejs-set-value: prototype pollution in function set-value...

CVE-2025-12718

The Quick Contact Form plugin for WordPress is vulnerable to Open Mail Relay in all versions up to, and including, 8.2.6. This is due to the 'qcfvalidateform' AJAX endpoint allowing a user controlled parameter to set the 'from' email address. This makes it possible for unauthenticated attackers t...

CVE-2025-12718

The Quick Contact Form plugin for WordPress is vulnerable to Open Mail Relay in all versions up to, and including, 8.2.6. This is due to the 'qcfvalidateform' AJAX endpoint allowing a user controlled parameter to set the 'from' email address. This makes it possible for unauthenticated attackers t...

CVE-2025-12718 Quick Contact Form <= 8.2.6 - Unauthenticated Open Mail Relay

The Quick Contact Form plugin for WordPress is vulnerable to Open Mail Relay in all versions up to, and including, 8.2.6. This is due to the 'qcfvalidateform' AJAX endpoint allowing a user controlled parameter to set the 'from' email address. This makes it possible for unauthenticated attackers t...

CVE-2025-12718

CVE-2025-12718 pertains to the Quick Contact Form plugin for WordPress. A vulnerability in the qcf_validate_form AJAX endpoint permits a user-controlled parameter to set the from address, enabling unauthenticated attackers to relay mail through the server to arbitrary recipients (Open Mail Relay)...

PT-2026-3337

The Quick Contact Form plugin for WordPress is vulnerable to Open Mail Relay in all versions up to, and including, 8.2.6. This is due to the 'qcf validate form' AJAX endpoint allowing a user controlled parameter to set the 'from' email address. This makes it possible for unauthenticated attackers...

Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-004761)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-004761 advisory. An integer overflow flaw was found in the Linux kernels virtio device driver code in the way a user triggers the vhostvdpaconfigvalidate function. This flaw allows a...

SUSE CVE-2025-68783

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-mixer: us16x08: validate meter packet indices getmeterlevelsfromurb parses the 64-byte meter packets sent by the device and fills the per-channel arrays meterlevel, complevel and masterlevel in struct...

Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-001969)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-001969 advisory. The cipsov4validate function in net/ipv4/cipsoipv4.c in the Linux kernel before 3.4.8 allows local users to cause a denial of service NULL pointer dereference and...

Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2026-002271)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-002271 advisory. cipsov4validate in include/net/cipsoipv4.h in the Linux kernel before 3.11.7, when CONFIGNETLABEL is disabled, allows attackers to cause a denial of service infinite...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-001020)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-001020 advisory. cipsov4validate in include/net/cipsoipv4.h in the Linux kernel before 3.11.7, when CONFIGNETLABEL is disabled, allows attackers to cause a denial of service infinite...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-000998)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-000998 advisory. The cipsov4validate function in net/ipv4/cipsoipv4.c in the Linux kernel before 3.4.8 allows local users to cause a denial of service NULL pointer dereference and...

CVE-2023-40035

Craft is a CMS for creating custom digital experiences on the web and beyond. Bypassing the validatePath function can lead to potential remote code execution. This vulnerability can lead to malicious control of vulnerable systems and data exfiltrations. Although the vulnerability is exploitable...

CVE-2026-21686

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium ICC color management profiles. Versions prior to 2.3.1.2 have Undefined Behavior in CIccTagLutAtoB::Validate. This vulnerability affects users of the iccDEV...

(0Day) Langflow code Code Injection Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the code parameter provided to the validate endpoint. The issue results from th...