CVE-2026-50545

Fission (Kubernetes-native serverless) prior to version 1.24.0 allowed Environment.spec.runtime.podSpec and spec.builder.podSpec passthrough without validation, and MergePodSpec could propagate dangerous fields into generated pods. This CVE—CVE-2026-50545—describes a PodSpec injection with potent...

CVE-2026-50545 Fission Environment CRD PodSpec Injection Leading to Node Escape and Cluster Takeover

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, the Environment.spec.runtime.podSpec / spec.builder.podSpec passthrough lacked validation, and MergePodSpec propagated dangerous...

ROOT-APP-NPM-CVE-2026-27980 CVE-2026-27980 in @rootio/next - Patched by Root

Root has patched CVE-2026-27980 in the @rootio/next package for Root:npm. Multiple fixed versions available...

ROOT-APP-NPM-CVE-2026-44573 CVE-2026-44573 in @rootio/next - Patched by Root

Root has patched CVE-2026-44573 in the @rootio/next package for Root:npm. Multiple fixed versions available...

Malicious code in crypto-promise-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 00594a3ae015e55e13c94c904866eae7b86a39b904b2d79469c4b59508c3918f Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-5507 Malicious code in crypto-promise-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 00594a3ae015e55e13c94c904866eae7b86a39b904b2d79469c4b59508c3918f Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in anaylze-json (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 7a24ff6c7af790535067ae83e9bba9a3b741da26221ac8738911ed6a8fc0aa24 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

CVE-2026-48860 Distribution-over-TLS LAN allowlist silently bypassed due to sockname/peername confusion in inet_tls_dist

Reliance on IP Address for Authentication vulnerability in Erlang/OTP ssl inettlsdist module allows unauthenticated bypass of the distribution-over-TLS LAN allowlist. The inettlsdist:checkip/1 function, which enforces a LAN allowlist for Erlang distribution over TLS, calls inet:sockname/1 instead...

Malicious code in nw-demo-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware f0c784f9f2bc00678e2648cce9c110ad5084c595b42f80e086bc8dbfbe034359 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

CVE-2025-71330

image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted ICNS image buffer. Attackers can craft an ICNS buffer containing valid magic bytes and a zero-valued entry length field to...

MAL-2026-5504 Malicious code in @easytipsportal/pos-adapters (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 2b3beea7d832b4efd2ebc9c3a8eb2ffe1507564985414f7cf399abbd8fc55bc6 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in argoncrypt (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 94563f3221aa73ae8a4de5195a6f6a3e8cef16eb4c1f03bc8d1adc9ce9b72679 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in npmjs_web3-common (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 2b691e4c1a13cf8174fdf8653d757594f18057650310bc89e376caa806602d3b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-5509 Malicious code in npmjs_truffle-helper (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 25fbc74fbe261cc7bba8c1f9005f7b7573aff1240a5ac8bbf831a3ce8a7c23e1 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in solc-abi (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware a5ecbb6619ae13314417faab35b315155c9a55f98dfdb707fe44edfe1f7e7356 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in solc-compiler (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 6db07dc6d910303b81dcfab09279484fcfa83409addff755a29d58b1d0dff495 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

EUVD-2025-210106

image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted image buffer with a zero-valued size field in a recognized box-type. Attackers can trigger an infinite loop in the JXL or...

CVE-2025-71329 image-size 2.0.2 Denial of Service via Infinite Loop in JXL/HEIF Parser

image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted image buffer with a zero-valued size field in a recognized box-type. Attackers can trigger an infinite loop in the JXL or...

CVE-2025-71330 image-size 2.0.2 Denial of Service via Malformed ICNS Image Parsing

image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted ICNS image buffer. Attackers can craft an ICNS buffer containing valid magic bytes and a zero-valued entry length field to...

Malicious code in graphbase-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware bcdb883b3cbdcf4216f99f55d52d1b93db24271ddcf4a1e232f444a75709f76a Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...