40 matches found
MAL-2026-4427 Malicious code in @rocketreach/rr-components (npm)
Source: amazon-inspector. On npm install, both preinstall and postinstall lifecycle hooks execute postinstall.js, which collects host identifiers: hostname, platform, arch, OS...
CVE-2026-32621 Apollo Federation has prototype pollution via incomplete key sanitization
Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Prior to 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2, a vulnerability exists in query plan execution within the gateway that may allow pollution of Object.prototype in certain scenarios. A malicious client m...
CVE-2025-14934
NSF Unidata NetCDF-C Variable Name Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target...
Stack-based Buffer Overflow
Affected versions of this package are vulnerable to Stack-based Buffer Overflow in the parsing of variable names due to insufficient validation of the length of user-supplied data before copying it into a fixed-length stack-based buffer. An attacker can achieve arbitrary code execution b...
EUVD-2012-2943
Malware in sbrugna...
Command Injection
github.com/shopify/ejson2env is vulnerable to command injection. The vulnerability is due to improper output sanitization, allowing malicious variable names or values to inject unintended commands into stdout...
CVE-2024-40522
There is a remote code execution vulnerability in SeaCMS 12.9. The vulnerability is caused by phomebak.php writing request-supplied variable names into a PHP file without filtering them. An authenticated attacker can exploit this vulnerability to execute arbitrary commands and...
Amazon Linux 2023 : php8.2, php8.2-bcmath, php8.2-cli (ALAS2023-2024-624)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2024-624 advisory. The vulnerability allows a remote attacker to bypass implemented security restrictions. The vulnerability exists due to the way PHP handles HTTP variable names. A remote attacker can set a...
BIT-GITLAB-2020-13351
Insufficient permission checks in the scheduled pipeline API in GitLab CE/EE 13.0+ allow an attacker to read variable names and values for scheduled pipelines on projects visible to the attacker. Affected versions are =13.0, =13.4.0, =13.5.0, 13.5.2...
CVE-2023-28163
When downloading files through the Save As dialog on Windows with suggested filenames containing environment variable names, Windows would have resolved those in the context of the current user. This bug only affects Firefox on Windows. Other versions of Firefox are unaffected. This vulnerabilit...
Slackware Linux 15.0 / current mozilla-firefox Multiple Vulnerabilities (SSA:2023-101-01)
The version of mozilla-firefox installed on the remote host is prior to 102.10.0esr / 112.0. It is, therefore, affected by multiple vulnerabilities as referenced in the SSA:2023-101-01 advisory. - Unexpected data returned from the Safe Browsing API could have led to memory corruption and a...
Mozilla Thunderbird < 102.9
The version of Thunderbird installed on the remote macOS or Mac OS X host is prior to 102.9. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2023-11 advisory. - Mozilla developers Timothy Nikkel, Andrew McCreight, and the Mozilla Fuzzing Team reported memory safety...
Mozilla Firefox ESR < 102.9
The version of Firefox ESR installed on the remote Windows host is prior to 102.9. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2023-10 advisory. - Mozilla developers Timothy Nikkel, Andrew McCreight, and the Mozilla Fuzzing Team reported memory safety bugs...
Security Vulnerabilities fixed in Firefox 111 — Mozilla
The fullscreen notification could have been hidden on Firefox for Android by using download popups, resulting in potential user confusion or spoofing attacks. This bug only affects Firefox for Android. Other operating systems are unaffected. By displaying a prompt with a long description, the...
php: standard insecure cookie could be treated as a '__Host-' or '__Secure-' cookie by PHP applications
A vulnerability was found in PHP due to the way PHP handles HTTP variable names. It interferes with HTTP variable names that clash with ones that have a specific semantic meaning. This vulnerability allows network and same-site attackers to set a standard insecure cookie in the victim's browser,...
Improper Input Validation
Affected versions of this package are vulnerable to Improper Input Validation due to improper handling of unspecified characters in variable names. An attacker can exploit this vulnerability to manipulate or contaminate HTTP parameters by sending crafted requests with malicious variable...
Caucho Quercus, as distributed in Resin, does not properly handle unspecified characters in the names of variables
Caucho Quercus, as distributed in Resin before 4.0.29, does not properly handle unspecified characters in the names of variables, which has unknown impact and remote attack vectors, related to an "HTTP Parameter Contamination" issue...
GHSA-P332-FW36-4HQX Caucho Quercus, as distributed in Resin, does not properly handle unspecified characters in the names of variables
Caucho Quercus, as distributed in Resin before 4.0.29, does not properly handle unspecified characters in the names of variables, which has unknown impact and remote attack vectors, related to an "HTTP Parameter Contamination" issue...