2202233 matches found
IServ Schoolserver User Enumeration
IServ Schoolserver suffers from a user enumeration vulnerability. The vendor does not feel this is an issue...
CVE-2026-42936
The installer of HYPER SBI 2 insecurely loads Dynamic Link Libraries. If there is a crafted DLL at the same directory when invoking the affected installer, arbitrary code may be executed with the privilege of the user invoking the installer...
CVE-2026-12512
The Quotes llama WordPress plugin before 3.1.6 does not properly sanitize and escape a user-supplied parameter before using it in a SQL query, allowing unauthenticated attackers to perform UNION-based SQL injection and read arbitrary data from the database, including password hashes...
CVE-2026-12512 Quotes Llama < 3.1.6 - Unauthenticated SQL Injection via sc Parameter
The Quotes llama WordPress plugin before 3.1.6 does not properly sanitize and escape a user-supplied parameter before using it in a SQL query, allowing unauthenticated attackers to perform UNION-based SQL injection and read arbitrary data from the database, including password hashes...
CVE-2026-12512
The Quotes llama WordPress plugin before 3.1.6 does not properly sanitize and escape a user-supplied parameter before using it in a SQL query, allowing unauthenticated attackers to perform UNION-based SQL injection and read arbitrary data from the database, including password hashes...
Two SonicWall SMA 1000 Zero-Days Exploited, One Could Enable Admin Commands
SonicWall has warned of active exploitation of two zero-day vulnerabilities impacting Secure Mobile Access SMA 1000 series appliances, one of which could be exploited to achieve arbitrary command execution. The vulnerabilities are listed below - CVE-2026-15409 CVSS score: 10.0 - A Server-side...
CVE-2026-42936
The installer of HYPER SBI 2 insecurely loads Dynamic Link Libraries. If there is a crafted DLL at the same directory when invoking the affected installer, arbitrary code may be executed with the privilege of the user invoking the installer...
CVE-2026-42936
The installer of HYPER SBI 2 insecurely loads Dynamic Link Libraries. If there is a crafted DLL at the same directory when invoking the affected installer, arbitrary code may be executed with the privilege of the user invoking the installer...
CVE-2026-42936
The CVE-2026-42936 entry concerns the HYPER SBI 2 installer, which insecurely loads Dynamic Link Libraries. A local attacker can place a crafted DLL in the installer’s directory, enabling arbitrary code execution with the invoking user’s privileges during installation. The documented impact is hi...
Exploit for CVE-2025-60357
CVE-2025-60357- NoSQLMongoDB Injection Vulnerab...
Malicious code in monogrok (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3369fb16804682addfec56904223d0255c2a0ca6d35481e744221e8252f2000d Package publishes as a generic 'M!T' library with an unrelated Apache-license README, but the tarball contains an offensive spam / phishing /...
Malicious code in core-dotenv (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector aad83962ee4db02c1bf43558ed5fe6bf79f66754b070415223d29643a8ff754e core-dotenv presents itself as a dotenv/env-var wrapper. On calling the package's config or get, which lazily invokes config, a worker plugin.worker....
Malicious code in estore-client (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6f5f2a664c7576b3cbf04696ddff717d8b3e9b835693035fa56a23035edef411 package.json declares a preinstall lifecycle script that runs wget against https://webhook.site/d32804ac-1bbb-4100-ab60-95231dd3251c/, sending the...
Malicious code in data-proxy-for-test (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2cb07f37b05b892d9785cc03fba0754ea4af3a50fab0ca6bb345ecac52b939a2 Package distributes as data-proxy-for-test while copying the identity author Sergey Parfenyuk, homepage/source pointing at...
Malicious code in ethereum-input-decorder (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 94137fcf0aee7d8edb4e15a8bc9be4455fbdf79cb5bf99987b79f0393fdff62c The package name typosquats the legitimate 'ethereum-input-decoder'. Its top-level init.py unconditionally invokes a payload routine on import: it...
Malicious code in polygon-toolkit-validator (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f56f0404b5e3f35ed475dae417f9351d4d149e163598eb72380fb6c025099e12 The package presents itself as a web3/polygon validator but its exported API silently relays caller-supplied data and generated cryptographic materia...
Malicious code in @leviosa86com/leviosa86-test (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 96264a8719e17bd8ec21d47213fe31dec87445e01ff312a1e46af5819e028979 Package @leviosa86com/[email protected] ships src/poc/index.js which shells out via childprocess.exec to collect host identifiers hostname, pwd,...
Malicious code in leviosa86-test (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 46b0bed6337ffe527af2615fed8ae1ecbb449f6a6cb00afa6381f7811ec88956 [email protected] ships src/poc/index.js which uses childprocess.exec to run a shell pipeline that collects host reconnaissance data hostname,...
Malicious code in ai-pro-sdk (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b035f137addcf0118c3d042ece322d0fdde054e4ed283317d3b2adb309e38689 [email protected] is advertised as a Vercel AI SDK provider for Claude via the Claude Agent SDK, but the published tarball ships no code: package.json...
CVE-2026-8919
Permissive Cross-domain Security Policy with Untrusted Domains in ASUS GameSDK allows a remote user to obtain a local user’s NTLM hash by convincing the user to visit a crafted web page that sends a request containing a UNC path to the application’s local service endpoint. This can result in...