500 matches found
CVE-2026-8428
Concrete CMS 9.5.0 and below emits a CSRF token in the localavailableupdate.php view $token-output'doupdate' but the corresponding doupdate method in concrete/controllers/singlepage/dashboard/system/update/update.php never calls $this-token-validate'doupdate'. The form is rendered as a POST form,...
CVE-2026-46740
Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed metric injections. The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. Version 0.06 changes the module from being a stats...
CVE-2026-23558
The adjustments made for XSA-379 as well as those subsequently becoming XSA-387 still left a race window, when a HVM or PVH guest does a grant table version change from v2 to v1 in parallel with mapping the status pages via XENMEMaddtophysmap. Some of the status pages may then be freed while...
CVE-2026-23558
The adjustments made for XSA-379 as well as those subsequently becoming XSA-387 still left a race window, when a HVM or PVH guest does a grant table version change from v2 to v1 in parallel with mapping the status pages via XENMEMaddtophysmap. Some of the status pages may then be freed while...
CVE-2026-23558
The adjustments made for XSA-379 as well as those subsequently becoming XSA-387 still left a race window, when a HVM or PVH guest does a grant table version change from v2 to v1 in parallel with mapping the status pages via XENMEMaddtophysmap. Some of the status pages may then be freed while...
CVE-2026-23558 grant table v2 race in status page mapping
The adjustments made for XSA-379 as well as those subsequently becoming XSA-387 still left a race window, when a HVM or PVH guest does a grant table version change from v2 to v1 in parallel with mapping the status pages via XENMEMaddtophysmap. Some of the status pages may then be freed while...
CVE-2026-23558
CVE-2026-23558 describes a grant table v2 race in status page mapping for the Xen hypervisor. In XSA-379/387 scenarios, when a HVM/PVH guest changes grant table version from v2 to v1 while XENMEM_add_to_physmap maps status pages, some status pages may be freed even as their mappings are still ins...
CVE-2026-23558 grant table v2 race in status page mapping
The adjustments made for XSA-379 as well as those subsequently becoming XSA-387 still left a race window, when a HVM or PVH guest does a grant table version change from v2 to v1 in parallel with mapping the status pages via XENMEMaddtophysmap. Some of the status pages may then be freed while...
CVE-2026-22816
Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered one of these...
Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2026-003401)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-003401 advisory. Race condition in net/packet/afpacket.c in the Linux kernel through 4.8.12 allows local users to gain privileges or cause a denial of service use-after-free by...
MAL-2025-188136 Malicious code in mui-auth-betelgeuse-xo (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e0b2fd7a8c638947ae3bfc4c81fb4a2b89e7cee50538831189f80aab8974dcde This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-187168 Malicious code in geomorphology-cressida-sync-atlas (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 11711063a044e5d7e1bc0cfa7de9648f003912b46d0a0be5861aae49d90d7d8f This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-185710 Malicious code in awk-validate-function-refactor-delta (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ee9043f2d48fc419e060a2a442bb300237e77f77df1e7f96ec15cfcf8266628d This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in html-webpack-plugin-zenobia-nebula-antares (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bda7c207337434698205e1a554e373872174bfe0253efa98b12e47eb140c345e This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in spectroscopy-webdriver-manager-await-bootstrap (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bd63e8f2ff15aafdf183c39b1a3af9623710f2abe9e62e6cf0138f4389f6a0ec This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in chakra-ui-fornax-umbriel-wezen (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3365ea447d8e6476fd1db57f2e6c33bf854a5c9ab298ad0d5aaecd0e6f783ed2 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in mini-css-extract-plugin-nova-titan-duplex (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0ea7a868756de9bcc6a3ace304f91da8cc120146b8b0589d6581391a679daf16 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in eridanus-antimatter-figures-dotenv-safe (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bc9f078e333a05d5703ffb66d84694f1b93317ddb74c0ff6cd1be5c855ec5899 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in passport-semantic-ui-miranda-dotenv-safe (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0a277e6b110c6a4ddfff8bbead45f6d4b7425d4afb2864b265afba03f6b45bfc This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-189353 Malicious code in sass-loader-cluster-link-jekyll (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 457c2e864673b1e699b6d103dedadc301fb27dd6c6ceb5e99f0f2acfef90a5e3 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...