Malicious code in chai-as-repaired (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 949b90bd3c157955d029f9ea08bc32aea893e452c4ded78df98b80c1b831be76 Package name 'chai-as-repaired' is a 1-edit typosquat of the popular 'chai-as-promised' chai plugin 1M weekly downloads. The published code is...

USN-8279-2: Linux kernel (GCP) vulnerabilities

It was discovered that the Linux kernel algifaead module did not properly handle in-place cryptographic operations. This flaw is known as Copy Fail. A local attacker could use this to escalate privileges, or possibly escape a container. CVE-2026-31431 Several security issues were discovered in th...

USN-8279-2 linux-gcp-5.15 vulnerabilities

It was discovered that the Linux kernel algifaead module did not properly handle in-place cryptographic operations. This flaw is known as Copy Fail. A local attacker could use this to escalate privileges, or possibly escape a container. CVE-2026-31431 Several security issues were discovered in th...

CVE-2026-4843

The GSheet For Woo Importer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the processajaxrestoreaction function in all versions up to, and including, 2.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and...

CVE-2026-46680 vulnerabilities

Vulnerabilities for packages: helm-push, helm-operator, docker-cli-buildx, kots, skaffold, eksctl, spegel, dagger, opa-envoy, envoy-gateway, newrelic-infrastructure-agent, headlamp, cluster-api-helm-controller, kubescape, k8sgpt, grype, kargo, containerd, syft, opa, helm-mapkubeapis, k3s,...

GHSA-FQW6-GF59-QR4W vulnerabilities

Vulnerabilities for packages: helm-push, helm-operator, docker-cli-buildx, kots, skaffold, eksctl, spegel, dagger, opa-envoy, envoy-gateway, newrelic-infrastructure-agent, headlamp, cluster-api-helm-controller, kubescape, k8sgpt, grype, kargo, containerd, syft, opa, helm-mapkubeapis, k3s,...

EUVD-2026-31491

The MLX inference backend in Docker Model Runner on macOS uses the MLX-LM library, which unconditionally imports and executes arbitrary Python files from model directories via the modelfile configuration field in config.json. When a model's config.json specifies a modelfile pointing to a Python...

USN-8280-2: Linux kernel (Azure)vulnerabilities

It was discovered that the Linux kernel algifaead module did not properly handle in-place cryptographic operations. This flaw is known as Copy Fail. A local attacker could use this to escalate privileges, or possibly escape a container. CVE-2026-31431 Several security issues were discovered in th...

EUVD-2026-31493

The vllm-metal inference backend in Docker Model Runner on macOS unconditionally sets trustremotecode=True when loading model tokenizers, and runs without sandboxing. This causes transformers.AutoTokenizer.frompretrained to import and execute arbitrary Python files included in any model pulled fr...

CVE-2026-46680 vulnerabilities

Vulnerabilities for packages: google-osconfig-agent, trivy-fips, helm-operator, docker-cli-buildx, eksctl, chaos-mesh, kubescape, docker-cli-buildx-fips, packer, wolfictl, cluster-api-helm-controller-fips, osv-scanner, consul-k8s, amazon-ecs-agent-fips, datadog-agent, steampipe, envoy-gateway-fip...

CVE-2026-40172

authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, the PATCH /api/v3/core/users/pk/ API allows a caller with changeuser on a target user to assign arbitrary groups through UserSerializer, including groups with issuperuser=True, without...

Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Strapi

CVE-2026-27886 Vulnerability Assessment Tool Safely detect wh...

CVE-2026-40172 authentik: Privilege Escalation via User PATCH: Superuser Group Assignment Bypasses enable_group_superuser

authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, the PATCH /api/v3/core/users/pk/ API allows a caller with changeuser on a target user to assign arbitrary groups through UserSerializer, including groups with issuperuser=True, without...

CVE-2026-40166

authentik contains an elevation of privilege in its OAuth2 access_tokens API (GET /api/v3/oauth2/access_tokens/) where authenticated non-admin users with at least one OAuth2 access token can retrieve the client_secret of confidential providers they previously authenticated against. This exposed i...

CVE-2026-5171

Improper access control in the entry activity log feature in Devolutions Server allows an authenticated user with access to an entry but without the required permission to retrieve that entry's activity logs via a crafted API request. This issue affects : Devolutions Server 2026.1.6.0 through...

CVE-2026-5171

Improper access control in the entry activity log feature in Devolutions Server allows an authenticated user with access to an entry but without the required permission to retrieve that entry's activity logs via a crafted API request. This issue affects : Devolutions Server 2026.1.6.0 through...

CVE-2026-8477

CVE-2026-8477 describes an issue in Devolutions Server where the sealed-entry workflow for entry sensitive-data retrieval can be bypassed: an authenticated user with access to a sealed entry could fetch its sensitive data without triggering the unseal audit via a crafted API request. Affected ver...

CVE-2026-8477

Improper enforcement of the sealed-entry workflow in the entry sensitive-data retrieval feature in Devolutions Server allows an authenticated user with access to a sealed entry to retrieve its sensitive data without triggering the unseal audit notification via a crafted API request. This issue...

CVE-2026-9246

Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault read access to retrieve the documentation and attachments of sealed entries via a crafted API request. This issue affects : Devolutions Server 2026.1.6.0 throug...

CVE-2026-9224

CVE-2026-9224 : The issue in Devolutions Server allows an authenticated Active Directory user to modify their own profile attributes via a crafted API request due to missing authorization in the user profile update feature. Affected: Devolutions Server 2026.1.6.0–2026.1.16.0 and 2025.3.20.0 and e...