1763 matches found
CVE-2026-49402 Deno: Command Injection via spawnSync & spawn on Windows
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.10, Deno's node:childprocess implementation provided an escapeShellArg helper used when callers passed shell: true to spawn / spawnSync / exec and friends. On Windows, the helper failed to quote arguments that contained cmd.e...
CVE-2026-54286
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on Windows hosts, an encoded backslash %5C in the request path decodes to , which the Windows path resolver treats as a separator. serve-static then resolves a single URL segment such as...
CVE-2026-53571
Vite is a frontend tooling framework for JavaScript. Prior to 8.0.16, 7.3.5, and 6.4.3, the contents of files that are specified by server.fs.deny can be returned to the browser on Windows. Vite’s dev server denies direct access to sensitive files through server.fs.deny, including entries such as...
Malicious code in routecraft (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a0c4f17a9e94ab9fdbab7325f597551a6c0ba5b9e210cb0b7e28d3b86b4766d0 [email protected] ships verbatim Express.js source lib/routecraft.js, lib/application.js, lib/request.js, lib/response.js, lib/utils.js, lib/view.js —...
MAL-2026-6229 Malicious code in routecraft (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a0c4f17a9e94ab9fdbab7325f597551a6c0ba5b9e210cb0b7e28d3b86b4766d0 [email protected] ships verbatim Express.js source lib/routecraft.js, lib/application.js, lib/request.js, lib/response.js, lib/utils.js, lib/view.js —...
EUVD-2025-210212
Netskope was notified about a potential gap in its Netskope Client for Windows systems where a malicious insider with administrative privileges can potentially tamper with the customer IOCTL by sending crafted IOCTL requests to the driver. A successful exploit can result in the bypassing of all...
CVE-2026-48818 Starlette: SSRF and NTLM credential theft via UNC paths in StaticFiles on Windows
Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and earlier, StaticFiles on Windows is vulnerable to SSRF. An UNC path such as \attacker.com\share can cause os.path.realpath to initiate an outbound SMB connection before the path is rejected, exposing the service account’s...
CVE-2026-12466
Summary (CVE-2026-12466) : A heap buffer overflow in WebRTC within Google Chrome on Windows before version 149.0.7827.155 allows remote code execution via a crafted HTML page. Multiple connected sources corroborate the Windows/WebRTC/chrome vector and fixed version, signaling a high-severity Chro...
CVE-2026-12466
Heap buffer overflow in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. Chromium security severity: High...
CVE-2026-12449
Use after free in Chromoting in Google Chrome on Windows prior to 149.0.7827.155 allowed a local attacker to perform OS-level privilege escalation via a malicious file. Chromium security severity: High...
CVE-2026-12444
Out of bounds read in Chromoting in Google Chrome on Windows prior to 149.0.7827.155 allowed a local attacker to obtain potentially sensitive information from process memory via a malicious file. Chromium security severity: High...
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Overview yt-dlp is an A youtube-dl fork with additional features and patches Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component 'Injection' via insufficient sanitization of input passed to the aria2c external...
Mozilla Thunderbird < 152.0
The version of Thunderbird installed on the remote Windows host is prior to 152.0. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2026-60 advisory. - Use-after-free in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152 and Thunderbird 152...
Directory Traversal
Overview vite-plus is a The Unified Toolchain for the Web Affected versions of this package are vulnerable to Directory Traversal due to improper checks for file system paths on Windows platforms in isFileLoadingAllowed function. An attacker can obtain sensitive file contents by bypassing path...
CVE-2025-14098 Avira antivirus engine heap buffer OOB write when scanning a malformed MS-DOS executable file
Heap buffer out-of-bounds write vulnerability due to integer overflow in Avira Antivirus engine when scanning a malformed MS-DOS executable file may allow Local Execution of Code or Denial-of-Service of the antivirus engine process. This issue affects Avira Antivirus on Windows, macOS, and Linux...
CVE-2025-7010 Avast antivirus stack overflow when scanning a malformed PDF file
Stack overflow vulnerability due to uncontrolled recursion in Avast Antivirus when scanning a malformed PDF file may allow Denial-of-Service of the antivirus process. This issue affects Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, an...
EUVD-2026-36349
Use after free in Video in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. Chromium security severity: High...
PT-2026-49014
Name of the Vulnerable Software and Affected Versions Avast Antivirus versions prior to VPS 25021310 AVG Antivirus versions prior to VPS 25021310 Norton Antivirus versions prior to VPS 25021310 Avast One versions prior to VPS 25021310 Avast Business Antivirus versions prior to VPS 25021310...
PT-2026-49010
Name of the Vulnerable Software and Affected Versions Avast Antivirus versions prior to VPS 25040308 AVG Antivirus versions prior to VPS 25040308 Norton Antivirus versions prior to VPS 25040308 Avast One versions prior to VPS 25040308 Avast Business Antivirus versions prior to VPS 25040308...
CVE-2026-12031
Google Chrome on Windows before 149.0.7827.115 is affected by CVE-2026-12031 due to an inappropriate implementation in Views that can allow a remote attacker, who has compromised the renderer process, to potentially escape the sandbox via a crafted HTML page. The issue is rated High (CVSS 3.1: AV...