Skip to main content

CWE-353

Missing Support for Integrity Check

29 CVEs Avg CVSS 6.9 MITRE
1
CRITICAL
12
HIGH
16
MEDIUM
0
LOW
3
POC
0
KEV

Monthly

CVE-2026-48995 npm MEDIUM POC PATCH GHSA This Month

Missing integrity verification in pnpm's GitHub codeload dependency resolution (versions prior to 10.33.4 and 11.0.7) enables a compromised or man-in-the-middle `codeload.github.com` server to deliver arbitrary malicious tarballs that pnpm installs without hash validation. Any developer project that sources dependencies from GitHub via pnpm is exposed when running `pnpm install` on affected versions, with potential for arbitrary code execution during the install lifecycle. No public exploit code exists and there is no CISA KEV listing, but the theoretical impact includes full developer workstation compromise and downstream supply chain contamination.

Information Disclosure Pnpm
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-7574 HIGH This Week

Persistent local code execution affects Anthropic Claude Desktop Cowork on macOS (v1.1348.0 through v1.2278.0) because the Cowork VM bootstrap validates only the presence of rootfs.img and a version marker string without verifying image content integrity at time-of-use. A local attacker with unprivileged code execution as the victim user can swap or modify the root filesystem image so subsequent Cowork VM boots trust the tampered image, yielding persistent arbitrary code execution inside the VM and access to host-mounted directories. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

RCE Apple Claude Desktop Cowork
NVD
CVSS 3.1
8.7
EPSS
0.1%
CVE-2026-42428 npm HIGH PATCH This Week

OpenClaw versions before 2026.4.8 fail to enforce integrity verification on downloaded plugin archives. Attackers can install malicious or tampered plugin packages without detection, compromising the local assistant environment.

Information Disclosure Openclaw
NVD GitHub VulDB
CVSS 4.0
7.5
EPSS
0.0%
CVE-2026-33261 MEDIUM PATCH This Month

PowerDNS Recursor versions 5.2.x, 5.3.x, and 5.4.0 are vulnerable to denial of service when processing a zone transition from NSEC to NSEC3 DNSSEC record types, causing internal inconsistency and resolver unavailability. The vulnerability requires network access but elevated attack complexity, affecting recursive DNS resolvers in production environments. Vendor patches are available for all affected branches.

Denial Of Service Suse
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-3856 MEDIUM PATCH This Month

CVE-2026-3856 is a security vulnerability (CVSS 5.3) that allows an attacker. Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Microsoft IBM Information Disclosure Db2 Recovery Expert Windows
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-10010 MEDIUM This Month

Cryptopro Secure Disk contains a vulnerability that allows attackers to execute arbitrary code in the context of the root user and enables an attacker t (CVSS 6.8).

Linux RCE Cryptopro Secure Disk Windows Linux Kernel
NVD VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2025-15364 HIGH This Week

Download Manager (WordPress plugin) versions up to 3.3.40. contains a security vulnerability (CVSS 7.3).

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-21437 MEDIUM PATCH This Month

Eopkg package manager versions before 4.4.0 fail to track files included in malicious packages, allowing undetected file installation when users install from compromised sources. An attacker can distribute packages containing hidden files that evade detection by package management tools like lseopkg. Users installing exclusively from official Solus repositories are unaffected.

Python Eopkg
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2024-46917 HIGH POC This Week

Diebold Nixdorf Vynamic Security Suite through 4.3.0 SR01 does not validate file attributes or the contents of /root during integrity validation. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

RCE Microsoft Vynamic Security Suite Windows
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-48500 HIGH This Month

A missing file integrity check vulnerability exists on MacOS F5 VPN browser client installer that may allow a local, authenticated attacker with access to the local file system to replace it with a. Rated high severity (CVSS 7.0), this vulnerability is low attack complexity. No vendor patch available.

Apple Information Disclosure Big Ip Access Policy Manager Big Ip Access Policy Manager Client macOS
NVD
CVSS 4.0
7.0
EPSS
0.0%
EPSS 0% CVSS 4.8
MEDIUM POC PATCH This Month

Missing integrity verification in pnpm's GitHub codeload dependency resolution (versions prior to 10.33.4 and 11.0.7) enables a compromised or man-in-the-middle `codeload.github.com` server to deliver arbitrary malicious tarballs that pnpm installs without hash validation. Any developer project that sources dependencies from GitHub via pnpm is exposed when running `pnpm install` on affected versions, with potential for arbitrary code execution during the install lifecycle. No public exploit code exists and there is no CISA KEV listing, but the theoretical impact includes full developer workstation compromise and downstream supply chain contamination.

Information Disclosure Pnpm
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Persistent local code execution affects Anthropic Claude Desktop Cowork on macOS (v1.1348.0 through v1.2278.0) because the Cowork VM bootstrap validates only the presence of rootfs.img and a version marker string without verifying image content integrity at time-of-use. A local attacker with unprivileged code execution as the victim user can swap or modify the root filesystem image so subsequent Cowork VM boots trust the tampered image, yielding persistent arbitrary code execution inside the VM and access to host-mounted directories. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

RCE Apple Claude Desktop Cowork
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

OpenClaw versions before 2026.4.8 fail to enforce integrity verification on downloaded plugin archives. Attackers can install malicious or tampered plugin packages without detection, compromising the local assistant environment.

Information Disclosure Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

PowerDNS Recursor versions 5.2.x, 5.3.x, and 5.4.0 are vulnerable to denial of service when processing a zone transition from NSEC to NSEC3 DNSSEC record types, causing internal inconsistency and resolver unavailability. The vulnerability requires network access but elevated attack complexity, affecting recursive DNS resolvers in production environments. Vendor patches are available for all affected branches.

Denial Of Service Suse
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

CVE-2026-3856 is a security vulnerability (CVSS 5.3) that allows an attacker. Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Microsoft IBM Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 6.8
MEDIUM This Month

Cryptopro Secure Disk contains a vulnerability that allows attackers to execute arbitrary code in the context of the root user and enables an attacker t (CVSS 6.8).

Linux RCE Cryptopro Secure Disk +2
NVD VulDB
EPSS 0% CVSS 7.3
HIGH This Week

Download Manager (WordPress plugin) versions up to 3.3.40. contains a security vulnerability (CVSS 7.3).

WordPress Privilege Escalation PHP
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Eopkg package manager versions before 4.4.0 fail to track files included in malicious packages, allowing undetected file installation when users install from compromised sources. An attacker can distribute packages containing hidden files that evade detection by package management tools like lseopkg. Users installing exclusively from official Solus repositories are unaffected.

Python Eopkg
NVD GitHub
EPSS 0% CVSS 8.1
HIGH POC This Week

Diebold Nixdorf Vynamic Security Suite through 4.3.0 SR01 does not validate file attributes or the contents of /root during integrity validation. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

RCE Microsoft Vynamic Security Suite +1
NVD GitHub
EPSS 0% CVSS 7.0
HIGH This Month

A missing file integrity check vulnerability exists on MacOS F5 VPN browser client installer that may allow a local, authenticated attacker with access to the local file system to replace it with a. Rated high severity (CVSS 7.0), this vulnerability is low attack complexity. No vendor patch available.

Apple Information Disclosure Big Ip Access Policy Manager +2
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy