CVE-2026-44482 soundcloud-rpc: Remote Code Execution via XSS in Track Title

soundcloud-rpc is a SoundCloud Client with Discord Rich Presence, Dark Mode, Last.fm and AdBlock support. Prior to 0.1.8, a track title containing an HTML payload executed locally in the Electron app. This means attacker-controlled SoundCloud track metadata can lead to local command execution on...

CVE-2026-44482

soundcloud-rpc is a SoundCloud Client with Discord Rich Presence, Dark Mode, Last.fm and AdBlock support. Prior to 0.1.8, a track title containing an HTML payload executed locally in the Electron app. This means attacker-controlled SoundCloud track metadata can lead to local command execution on...

CVE-2026-44482

CVE-2026-44482 affects the SoundCloud Client app (soundcloud-rpc) built on Electron. Before 0.1.8, a track title could contain an HTML payload that, via the preload API window.soundcloudAPI.sendTrackUpdate and IPC to the Electron main process, is rendered as raw HTML in privileged views with Node...

CVE-2026-41206

PySpector is a static analysis security testing SAST Framework engineered for modern Python development workflows. The plugin security validator in PySpector uses AST-based static analysis to prevent dangerous code from being loaded as plugins. Prior to version 0.1.8, the blocklist implemented in...

CVE-2026-41206

Summary: CVE-2026-41206 affects PySpector, a Python SAST framework. The vulnerability lies in the plugin security validator’s static analysis in the function/class handling plugin loading via PluginSecurity.validate_plugin_code. Before version 0.1.8, the blocklist is incomplete and can be bypasse...

CVE-2026-41206

PySpector is a static analysis security testing SAST Framework engineered for modern Python development workflows. The plugin security validator in PySpector uses AST-based static analysis to prevent dangerous code from being loaded as plugins. Prior to version 0.1.8, the blocklist implemented in...

CVE-2026-41206 PySpector has a Plugin Code Execution Bypass via Incomplete Static Analysis in PluginSecurity.validate_plugin_code

PySpector is a static analysis security testing SAST Framework engineered for modern Python development workflows. The plugin security validator in PySpector uses AST-based static analysis to prevent dangerous code from being loaded as plugins. Prior to version 0.1.8, the blocklist implemented in...

EUVD-2026-25160

PySpector is a static analysis security testing SAST Framework engineered for modern Python development workflows. The plugin security validator in PySpector uses AST-based static analysis to prevent dangerous code from being loaded as plugins. Prior to version 0.1.8, the blocklist implemented in...

PT-2026-34599

PySpector is a static analysis security testing SAST Framework engineered for modern Python development workflows. The plugin security validator in PySpector uses AST-based static analysis to prevent dangerous code from being loaded as plugins. Prior to version 0.1.8, the blocklist implemented in...

CVE-2026-40576

excel-mcp-server is a Model Context Protocol server for Excel file manipulation. A path traversal vulnerability exists in excel-mcp-server versions up to and including 0.1.7. When running in SSE or Streamable-HTTP transport mode the documented way to use this server remotely, an unauthenticated...

CVE-2026-5559

A vulnerability has been found in AntaresMugisho PyBlade 0.1.8-alpha/0.1.9-alpha. The affected element is the function issafeast of the file sandbox.py of the component AST Validation. Such manipulation leads to improper neutralization of special elements used in a template engine. The attack may...

PyBlade 安全漏洞

PyBlade is a lightweight and efficient Python template engine developed by Antares’ individual developers, supporting component-based development. Versions 0.1.8-alpha and 0.1.9-alpha of PyBlade contain security vulnerabilities, which stem from the improper handling of special elements within the...

Incomplete List of Disallowed Inputs

Overview fickling is an A static analyzer and interpreter for Python pickle data Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the islikelysafe, checksafety, --check-safety, alwayschecksafety and checksafety interfaces. An attacker can execute arbitra...

Incomplete List of Disallowed Inputs

Overview fickling is an A static analyzer and interpreter for Python pickle data Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the checksafety function. An attacker can trigger outbound TCP connections during deserialization by crafting malicious pick...

WordPress plugin SpotBot 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security...

Malicious code in hub-blockly (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware a569a2ddf66ac93b021560bb8b3ef62f8c0a81db49d53de3ce5e1648b68de76f Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Yii2 FileAPI Widget vulnerable to Cross-site Scripting

A vulnerability was found in vova07 Yii2 FileAPI Widget up to 0.1.8. It has been declared as problematic. Affected by this vulnerability is the function run of the file actions/UploadAction.php. The manipulation of the argument file leads to cross site scripting. The attack can be launched...

CVE-2017-20158 vova07 Yii2 FileAPI Widget UploadAction.php run cross site scripting

UNSUPPORTED WHEN ASSIGNED A vulnerability was found in vova07 Yii2 FileAPI Widget up to 0.1.8. It has been declared as problematic. Affected by this vulnerability is the function run of the file actions/UploadAction.php. The manipulation of the argument file leads to cross site scripting. The...

yii2 跨站脚本漏洞

Yii is a component-based, high-performance PHP framework for developing large-scale Web applications developed by the YII team. A cross-site scripting vulnerability exists in version 0.1.8 and earlier versions of yii2, which stems from incorrect manipulation of the parameter file resulting in...

PYSEC-2022-42993

GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to v0.1.8 are vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package. Extracting files using shutil.unpackarchive from a potentially malicious tarball without validating that the destinati...