
9470 matches found

Ubuntu
added 2025/11/24 2:53 p.m., 5 views

USN-7886-1: Python vulnerabilities

It was discovered that Python inefficiently handled expanding system environment variables. An attacker could possibly use this issue to cause Python to consume excessive resources, leading to a denial of service. (CVE-2025-6075) Caleb Brown discovered that Python incorrectly handled the ZIP64 End ...

CVSS 5.5 | AI score 6.8 | EPSS 0.00125
Exploits: 0
GithubExploit
added 2025/11/24 1:17 p.m., 134 views

Exploit for PHP External Variable Modification in Juniper Junos

CVE-2023-36845 Ju...

CVSS 9.8 | AI score 7.1 | EPSS 0.94355
Exploits: 25
Github Security Blog
added 2025/11/20 3:30 p.m., 6 views

phppgadmin contains an incorrect access control vulnerability

phpPgAdmin 7.13.0 and earlier contains an incorrect access control vulnerability in sql.php at lines 68-76. The application allows unauthorized manipulation of session variables by accepting user-controlled parameters 'subject', 'server', 'database', 'queryid' without proper validation or access...

CVSS 6.1 | AI score 7.1 | EPSS 0.00011
Exploits: 0 | References: 4 | Affected Software: 1
NVD
added 2025/11/20 3:17 p.m., 3 views

CVE-2025-13434

A weakness has been identified in jameschz Hush Framework 2.0. The impacted element is an unknown function of the file Hush\hush-lib\hush\Util.php of the component HTTP Host Header Handler. This manipulation of the argument $SERVER'HOST' causes improper neutralization of http headers for scriptin...

CVSS 7.5 | EPSS 0.0013
Exploits: 1 | References: 4
CVE
added 2025/11/19 6:52 p.m., 10 views

CVE-2025-65100

Isar (integration system for automated root filesystem generation) has a vulnerability in versions 0.11-rc1 and 0.11 where defining ISAR_APT_SNAPSHOT_DATE alone fails to set the correct timestamp for security distributions, potentially causing missed security updates. The issue has been patched i...

CVSS 6.9 | AI score 6.5 | EPSS 0.00056
Exploits: 0 | References: 3
IBM Security Bulletins
added 2025/11/18 5:11 p.m., 20 views

Security Bulletin: Logback-Core ≤1.5.18 Conditional Config Processing Flaw Enables ACE via Malicious Config or Env Variable

Summary: ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before...

CVSS 5.9 | AI score 7.8 | EPSS 0.00062
Exploits: 0 | Affected Software: 1
NVD
added 2025/11/18 4:15 p.m., 2 views

CVE-2025-63604

A code injection vulnerability exists in baryhuang/mcp-server-aws-resources-python 0.1.0 that allows remote code execution through insufficient input validation in the executequery method. The vulnerability stems from the exposure of dangerous Python built-in functions import, getattr, hasattr in...

CVSS 6.5 | EPSS 0.00107
Exploits: 1 | References: 1
Snyk
added 2025/11/13 8:43 p.m., 1 views

Cross-site Scripting (XSS)

Overview: org.webjars.npm:vega-expression is a WebJar for vega-expression. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the toString function in environments where the VEGADEBUG global variable is present. An attacker can execute arbitrary JavaScript code by...

CVSS 8.1 | AI score 5.5 | EPSS 0.00034
Exploits: 0 | References: 2
Debian CVE
added 2025/11/13 7:54 p.m., 4 views

CVE-2025-59840

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 6.2.0, applications meeting 2 conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used. They...

CVSS 8.1 | AI score 5.9 | EPSS 0.00034
Exploits: 0
EUVD
added 2025/11/12 4:29 a.m., 1 views

EUVD-2025-113765

Malicious code in exec-jabbah-dotenv-parse-variables-neptune npm...

AI score 6.6
Exploits: 0
EUVD
added 2025/11/12 4:29 a.m., 1 views

EUVD-2025-114392

Malicious code in dotenv-parse-variables-despina-helios-venus npm...

AI score 6.6
Exploits: 0
Tenable Nessus
added 2025/11/12 12:0 a.m., 2 views

EulerOS 2.0 SP12 : libssh (EulerOS-SA-2025-2332)

According to the versions of the libssh package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : A flaw was found in libssh versions built with OpenSSL versions older than 3.0, specifically in the sshkdf function responsible for key derivation...

CVSS 8.8 | AI score 6.4 | EPSS 0.00246
Exploits: 0 | References: 5
Tenable Nessus
added 2025/11/12 12:0 a.m., 3 views

EulerOS 2.0 SP10 : libssh (EulerOS-SA-2025-2420)

According to the versions of the libssh package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : There's a vulnerability in the libssh package where when a libssh consumer passes in an unexpectedly large input buffer to sshgetfingerprinthash...

CVSS 8.8 | AI score 6.4 | EPSS 0.00246
Exploits: 0 | References: 5
EUVD
added 2025/11/11 8:46 p.m., 1 views

EUVD-2025-101054

Malicious code in variablehamsterz3n npm...

AI score 6.6
Exploits: 0
RedHat Linux
added 2025/11/11 9:13 a.m., 1 views

kernel: tracing/histograms: Fix memory leak problem

In the Linux kernel, the following vulnerability has been resolved: tracing/histograms: Fix memory leak problem This reverts commit 46bbe5c671e06f070428b9be142cc4ee5cedebac. As commit 46bbe5c671e0 "tracing: fix double free" said, the "double free" problem reported by clang static analyzer is: In...

CVSS 5.5 | AI score 6.9 | EPSS 0.00008
Exploits: 0 | References: 5
OSSF Malicious Packages
added 2025/11/11 7:44 a.m., 3 views

Malicious code in variable_elk-notthedevs (npm)

Source: amazon-inspector 0f698ee5c5cc56eddedc13a95d5a90bd8cdfe1812ca0c4d8bd0da7d3413c632f This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.9
Exploits: 0
EUVD
added 2025/11/11 7:44 a.m., 3 views

EUVD-2025-75297

Malicious code in variablemeerkat-appteadev npm...

AI score 6.6
Exploits: 0
EUVD
added 2025/11/11 7:31 a.m., 2 views

EUVD-2025-77990

Malicious code in variablellamaz3n npm...

AI score 6.6
Exploits: 0
OSSF Malicious Packages
added 2025/11/11 7:26 a.m., 2 views

Malicious code in variable_harrier_0xrequest (npm)

Source: amazon-inspector 41c37f01830d5a5fb385de9393cb00a756b25c8d5af979a89e6c2ea31248b45e This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.9
Exploits: 0
EUVD
added 2025/11/11 7:26 a.m., 1 views

EUVD-2025-80142

Malicious code in variableharrier0xrequest npm...

AI score 6.6
Exploits: 0