128 matches found
@squawk/mcp (=0.4.1) potentially affected by unknown CVE via @squawk/notams (=0.2.3)
@squawk/notams NPM version =0.2.3 is affected by a known vulnerability. The following packages have a transitive dependency on @squawk/notams and may be impacted: - @squawk/mcp =0.4.1 Source cves: unknown CVE Source advisory: OSV:MAL-2026-3451...
@squawk/mcp (>=0.2.0 <=0.9.0) potentially affected by unknown CVE via @squawk/icao-registry (>=0.2.3 <=0.5.1)
@squawk/icao-registry NPM version =0.2.3, =0.2.0, =0.9.0 Source cves: unknown CVE Source advisory: SNYK:JS-SQUAWKICAOREGISTRY-16640891...
CVE-2026-31830
sigstore-ruby is a pure Ruby implementation of the sigstore verify command from the sigstore/cosign project. Prior to 0.2.3, Sigstore::Verifier#verify does not propagate the VerificationFailure returned by verify_intoto when the artifact digest does not match the digest in the in-toto attestation...
yggdrasil-worker-package-manager security update
0.2.3-4 - Bump release for rebuild...
Unchecked Return Value
Overview Affected versions of this package are vulnerable to Unchecked Return Value due to improper handling of the return value from the verify_intoto function. An attacker can cause the verification process to incorrectly indicate success for DSSE bundles with mismatched in-toto subject digests ...
CVE-2026-31830 sigstore-ruby verifier returns success for DSSE bundles with mismatched in-toto subject digest
sigstore-ruby is a pure Ruby implementation of the sigstore verify command from the sigstore/cosign project. Prior to 0.2.3, Sigstore::Verifier#verify does not propagate the VerificationFailure returned by verify_intoto when the artifact digest does not match the digest in the in-toto attestation...
Sigstore security vulnerability
Sigstore is an open-source software signature verification library developed by sigstore. Versions of Sigstore prior to 0.2.3 contained security vulnerabilities. These vulnerabilities stemmed from the improper propagation of failure messages during the verification process, which could lead to...
PT-2026-24484
Name of the Vulnerable Software and Affected Versions: sigstore-ruby versions prior to 0.2.3. Description: The software does not correctly handle verification failures when the artifact digest does not match the digest in the in-toto attestation subject. Specifically, the Sigstore::Verifier#verify...
GHSA-V2XR-WVRV-P969 RAGAS has an Arbitrary File Read vulnerability
An Arbitrary File Read vulnerability exists in the ImageTextPromptValue class in Exploding Gradients RAGAS v0.2.3 to v0.2.14. The vulnerability stems from improper validation and sanitization of URLs supplied in the retrieved_contexts parameter when handling multimodal inputs...
CVE-2025-45691
An Arbitrary File Read vulnerability exists in the ImageTextPromptValue class in Exploding Gradients RAGAS v0.2.3 to v0.2.14. The vulnerability stems from improper validation and sanitization of URLs supplied in the retrieved_contexts parameter when handling multimodal inputs...
CVE-2021-31651
Cross Site Scripting (XSS) vulnerability in neofarg-cms 0.2.3 allows a remote attacker to run arbitrary code via the copyright field in copyright settings...
CVE-2023-25452
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Michael Pretty (prettyboymp) CMS Press plugin = 0.2.3 versions...
EUVD-2007-5120
Malware in sbrugna...
EUVD-2019-0115
Malware in sbrugna...
EUVD-2019-7079
Malware in sbrugna...
EUVD-2023-49920
Malicious code in bioql PyPI...
cc.ddrpa.dorian.polystash:polystash-spring-boot-starter (=1.0.0), cc.ddrpa.dorian:forvariz-spring-boot-starter (>=1.0.0 <=1.1.0) +976 more potentially affected by CVE-2025-59952 via io.minio:minio (>=0.2.3 <=8.5.9)
io.minio:minio MAVEN version =0.2.3, =1.0.0, =1.0, =1.0.1, =1.3.1, =1.0.1, =1.3.0.RELEASE, =1.0.0, =1.0.0, =1.0.0, =0.2.2, =11.0.1-RELEASE, =12.0.1-RELEASE and more Source cves: CVE-2025-59952 Source advisory: OSV:GHSA-H7RH-XFPJ-HPCM...
CVE-2025-59141 [email protected] contains malware after npm account takeover
simple-swizzle swizzles function arguments. On 8 September 2025, the npm publishing account for simple-swizzle was taken over after a phishing attack. Version 0.2.3 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect...
simple-swizzle security vulnerability
simple-swizzle is a codebase by Josh Junon Personal Developer. A security vulnerability exists in version 0.2.3 of simple-swizzle that stems from a phishing attack resulting in account takeover and implanted malware that may redirect cryptocurrency transactions...