Malicious Package

Overview validate-api-key is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Malicious code in validate-api-key (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 73c2249a9b57bfab0277840b52fc1774c096dd7c3022b9bd0d0ae5cfeda0b14c The package validate-api-key was found to contain malicious code. Source: ghsa-malware db221657101473a5da0e59194e2ba30d99b576faae8b3e7ff21c5d68b83ff1...

MAL-2026-3828 Malicious code in validate-api-key (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 73c2249a9b57bfab0277840b52fc1774c096dd7c3022b9bd0d0ae5cfeda0b14c The package validate-api-key was found to contain malicious code. Source: ghsa-malware db221657101473a5da0e59194e2ba30d99b576faae8b3e7ff21c5d68b83ff1...

EUVD-2026-30760

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13, 11.4.x = 11.4.3 Fail to enforce slash command trigger-word uniqueness during command updates which allows an authenticated team member with Manage Own Slash Commands permission to hijack and impersonate existing system or custom slash...

CVE-2026-6341

Mattermost Plugins versions =11.5 11.1.5 10.13.11 11.3.4.0 fail to have API-level checks on which groups the user can create issues or attach comments to which allows a user that is member of multiple groups to create issues to a locked group via direct API requests. Mattermost Advisory ID:...

CVE-2026-2325

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13, 11.4.x = 11.4.3 fail to limit the size of the request body on the start meeting API endpoint, which allows an authenticated attacker to cause resource exhaustion or denial of service via a crafted oversized HTTP POST request to...

CVE-2026-4286 Playbooks Plugin fails to validate team transfers, allowing unauthorized removal of member access via playbook update

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to check if teamid was being changed when updating playbooks, allowing users with only Manage Playbook Configurations permission to change a playbook's team, bypassing manage members restriction via PUT api. Mattermost Advisory ID:...

CVE-2026-4286 Playbooks Plugin fails to validate team transfers, allowing unauthorized removal of member access via playbook update

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to check if teamid was being changed when updating playbooks, allowing users with only Manage Playbook Configurations permission to change a playbook's team, bypassing manage members restriction via PUT api. Mattermost Advisory ID:...

Security update for zypper-docker

This update for zypper-docker fixes the following issues CVE-2026-2808: github.com/hashicorp/consul: unvalidated user-supplied file paths can lead to arbitrary file reads through the Vault Kubernetes authentication provider bsc1259563. CVE-2026-33186: google.golang.org/grpc: authorization bypass...

CVE-2026-6341

Mattermost advisories describe a vulnerability in Mattermost Plugins affecting versions

CVE-2026-6341

Mattermost Plugins versions =11.5 11.1.5 10.13.11 11.3.4.0 fail to have API-level checks on which groups the user can create issues or attach comments to which allows a user that is member of multiple groups to create issues to a locked group via direct API requests. Mattermost Advisory ID:...

CVE-2026-6341 Incomplete group locking implementation

Mattermost Plugins versions =11.5 11.1.5 10.13.11 11.3.4.0 fail to have API-level checks on which groups the user can create issues or attach comments to which allows a user that is member of multiple groups to create issues to a locked group via direct API requests. Mattermost Advisory ID:...

CVE-2026-6341 Incomplete group locking implementation

Mattermost Plugins versions =11.5 11.1.5 10.13.11 11.3.4.0 fail to have API-level checks on which groups the user can create issues or attach comments to which allows a user that is member of multiple groups to create issues to a locked group via direct API requests. Mattermost Advisory ID:...

CVE-2026-2325 Improper Input Validation in MS Teams Meetings API Handler

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13, 11.4.x = 11.4.3 fail to limit the size of the request body on the start meeting API endpoint, which allows an authenticated attacker to cause resource exhaustion or denial of service via a crafted oversized HTTP POST request to...

CVE-2026-2325 Improper Input Validation in MS Teams Meetings API Handler

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13, 11.4.x = 11.4.3 fail to limit the size of the request body on the start meeting API endpoint, which allows an authenticated attacker to cause resource exhaustion or denial of service via a crafted oversized HTTP POST request to...

CVE-2026-2325

CVE-2026-2325 affects Mattermost versions 11.5.x up to 11.5.1, 10.11.x up to 10.11.13, and 11.4.x up to 11.4.3. The issue is an improper input validation where the start meeting API endpoint (/api/v1/meetings) does not limit the request body size, enabling an authenticated attacker to cause resou...

BIT-GITLAB-2026-1322 Business Logic Errors in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.0 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with a readapi scoped OAuth application to create issues and add comments to issues in private projects due t...

BIT-POSTGRESQL-2026-6479 PostgreSQL SSL/GSS init causes denial of service, via uncontrolled recursion

Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AFUNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled, an attacker can do the same via access to a PostgreSQL TCP socket. Versions before PostgreSQL 18....

EUVD-2026-30730

A vulnerability has been found in Tencent WeKnora up to 0.3.6. Affected by this issue is the function getKnowledgeBaseForInitialization of the file internal/handler/initialization.go of the component Config API Endpoint. The manipulation of the argument kbId leads to authorization bypass. It is...

CVE-2026-8786

Technical details beyond the summary are not publicly available in the provided documents. No confirmed affected products, versions, or remediation are disclosed here. Monitor for updates for additional specifics and fixes.