•about 6 hours ago•CVE-2026-55699
6.5CVE-2026-55699: Arbitrary Directory Deletion via Path Traversal in pnpm globalBinDir Resolver
CVE-2026-55699 (also identified as GHSA-4gxm-v5v7-fqc4) is a critical path traversal and arbitrary directory deletion vulnerability in the pnpm package manager. The issue exists because the manifest validation process fails to prevent relative path segments within the package 'bin' keys. When a malicious package containing structured path traversal markers is globally installed and later manipulated, pnpm resolves the target paths through path.join() and passes the resolved paths to a recursive deletion function, resulting in arbitrary directory removal.
5 views•6 min read
•about 10 hours ago•CVE-2026-55700
7.1CVE-2026-55700: Path Traversal and Arbitrary File Write in pnpm stage download
A path traversal vulnerability in pnpm stage download allows malicious registries or compromised package manifests to overwrite arbitrary files on the victim's filesystem via unvalidated package name and version fields.
8 views•4 min read
•about 12 hours ago•GHSA-WW5P-J6CJ-6MQQ
5.5GHSA-WW5P-J6CJ-6MQQ: Credential Exposure in Nezha Dashboard DDNS and Notification APIs
GHSA-WW5P-J6CJ-6MQQ is a technical credential exposure vulnerability in Nezha Dashboard prior to version 2.2.5. The vulnerability allows authenticated administrative users or actors possessing scoped read-only Personal Access Tokens (PATs) to exfiltrate plaintext third-party API credentials, secret keys, and webhook authorization headers due to a lack of data redaction during API object serialization.
6 views•7 min read
•about 12 hours ago•GHSA-FR4H-3CPH-29XV
7.1GHSA-FR4H-3CPH-29XV: Path Traversal and Directory Hijacking in pnpm and pacquet Dependency Resolution
GHSA-FR4H-3CPH-29XV is a high-severity path traversal vulnerability in pnpm and its Rust-based port pacquet. The flaw manifests when using the hoisted node-linker configuration, allowing an attacker to manipulate the lockfile to resolve relative traversal sequences or target reserved subdirectories, leading to arbitrary file write or execution hijacking.
6 views•8 min read
•about 15 hours ago•GHSA-72R4-9C5J-MJ57
7.1GHSA-72R4-9C5J-MJ57: Arbitrary File Deletion via Path Traversal in pnpm patch-remove
A path traversal vulnerability in the pnpm package manager's 'patch-remove' command allows an attacker to delete arbitrary files outside the patches directory. By manipulating configuration files like package.json, an attacker can specify a traversal path that the application deletes recursively without validating the path's containment.
6 views•5 min read
•about 16 hours ago•GHSA-QRV3-253H-G69C
8.3GHSA-QRV3-253H-G69C: Path Traversal and Arbitrary Symlink Creation via configDependencies in pnpm
A high-severity path traversal vulnerability exists in the pnpm package manager. By crafting a malicious lockfile (pnpm-lock.yaml) with path traversal characters in the configDependencies block, an attacker can create arbitrary directories and symlinks outside the project's node_modules/.pnpm-config directory. This exploitation happens automatically during pnpm installation, even when executing with scripts disabled via the --ignore-scripts flag.
6 views•7 min read
•about 17 hours ago•CVE-2026-49340
8.1CVE-2026-49340: Arbitrary File Write via Path Traversal in Gonic Subsonic Playlist Handler
An arbitrary file write vulnerability exists in Gonic, a music streaming server implementing the Subsonic API. Due to an unreachable guard clause combined with missing path containment validation in the playlist storage engine, authenticated users can write playlist contents to arbitrary filesystem paths with overly permissive directory permissions.
8 views•7 min read
•about 19 hours ago•GHSA-985R-Q3QP-299H
8.8GHSA-985R-Q3QP-299H: Incomplete Fix in phpMyFAQ Admin API Enables Privilege Escalation and Account Takeover
An incomplete mitigation of a predecessor vulnerability (GHSA-xvp4-phqj-cjr3 / CVE-2026-35671) in phpMyFAQ leaves sister administrative API endpoints vulnerable to Insecure Direct Object Reference (IDOR). Specifically, the `editUser` and `updateUserRights` endpoints lack object-level access controls, permitting authenticated low-privilege administrators to escalate their privileges or hijack SuperAdmin accounts.
11 views•6 min read
•about 21 hours ago•CVE-2026-48788
8.2CVE-2026-48788: Cross-Site Scripting and Content-Type Spoofing in Remark42 Image Proxy
A critical-severity Cross-Site Scripting (XSS) and Content-Type spoofing vulnerability in Remark42 (versions 1.6.0 through 1.15.0) allows remote attackers to execute arbitrary client-side script code via a crafted image proxy request.
7 views•6 min read
•1 day ago•CVE-2026-53462
5.9CVE-2026-53462: Heap Use-After-Free Vulnerability in ImageMagick Vector Drawing Subsystem
CVE-2026-53462 is a heap Use-After-Free (UAF) vulnerability in ImageMagick's vector drawing subsystem, specifically within the coordinate allocation mechanism in CheckPrimitiveExtent. By parsing a crafted vector image (such as SVG or MVG) with extremely complex primitives, an attacker can trigger a memory reallocation failure. If the application fails to handle this allocation failure cleanly, it leaves a dangling pointer that can subsequently be accessed or freed again, causing memory corruption or an application crash.
8 views•7 min read
•1 day ago•CVE-2026-39832
9.1CVE-2026-39832: Silent Drop of Destination Constraints in golang.org/x/crypto SSH Agent Client
A critical security flaw was identified in the Go package golang.org/x/crypto/ssh/agent. The vulnerability arises during the serialization of key constraints when adding SSH identities to a remote agent or an in-memory keyring. Specifically, custom constraint extensions, such as destination restrictions like restrict-destination-v00@openssh.com, were silently omitted from serialization in client requests. This omission allowed keys to be loaded into the remote agent with zero destination-based restrictions, enabling unauthorized users with access to the agent socket on intermediate hosts to authenticate to any downstream host without policy enforcement. The issue was resolved in version v0.52.0 of the golang.org/x/crypto library.
11 views•7 min read
•1 day ago•CVE-2026-46597
7.5CVE-2026-46597: Remote Denial of Service in golang.org/x/crypto/ssh via AES-GCM Padding Integer Overflow
A high-severity Denial of Service (DoS) vulnerability (CVE-2026-46597 / GO-2026-5013) exists in the golang.org/x/crypto/ssh module before version v0.52.0. The flaw stems from an incorrect operator order during a type conversion of the GCM packet padding size, allowing a remote, unauthenticated attacker to trigger an out-of-bounds slice runtime panic and crash the Go process.
8 views•7 min read