CVE-2026-42089

A flaw was found in Yeoman Environment. This vulnerability allows an attacker to install arbitrary packages and execute code during command-line interface CLI bootstrap. This occurs because the software installs missing local generator packages from caller-supplied names without user confirmation...

CVE-2026-42089 yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation

Yeoman Environment provides an API to discover, create, and run generators, and to configure where and how a generator is resolved. Versions 2.9.0 through 6.0.0 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass...

CVE-2026-42089

The CVE concerns yeoman-environment. Vulnerable versions 2.9.0 through 6.0.0 install missing local generator packages from attacker-controlled names without user confirmation, via installLocalGenerators() calling repository.install(). This can cause arbitrary package installation and code executi...

RHEL 7 : PackageKit (RHSA-2026:22146)

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2026:22146 advisory. PackageKit is a D-Bus abstraction layer that allows the session user to manage packages in a secure way using a cross-distribution, cross-architectu...

RLSA-2026:19141 Important: PackageKit security update

PackageKit is a D-Bus abstraction layer that allows the session user to manage packages in a secure way using a cross-distribution, cross-architecture API. Security Fixes: PackageKit: race condition vulnerability leads to arbitrary package installation as root CVE-2026-41651 For more details abou...

GHSA-VV9J-GJW2-J8WP yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation

Impact yeoman-environment versions = 2.9.0 and 6.0.1 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary package installation...

yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation

Impact yeoman-environment versions = 2.9.0 and 6.0.1 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary package installation...

EUVD-2026-31338

Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/install/download/. The download method in concrete/controllers/singlepage/dashboard/extend/install.php checks only the canInstallPackages permission before fetching a remote marketplace...

Security update for PackageKit (important)

openSUSE security update: security update for packagekit ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:20646-1 Rating: important References: bsc1262220 Cross-References: CVE-2026-41651 CVSS scores: CVE-2026-41651 SUSE : 8.8...

RockyLinux 8 : PackageKit (RLSA-2026:11635)

The remote RockyLinux 8 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2026:11635 advisory. PackageKit: race condition vulnerability leads to arbitrary package installation as root CVE-2026-41651 Tenable has extracted the preceding description block...

USN-8195-3 packagekit vulnerability

USN-8195-1 fixed a vulnerability in PackageKit. This update provides the corresponding fix to Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. Original advisory details: It was discovered that PackageKit incorrectly handled certain transactions. A local attacker could use this issue to...

USN-8195-2 packagekit vulnerability

USN-8195-1 fixed a vulnerability in PackageKit. This update provides the corresponding update to Ubuntu 26.04 LTS. Original advisory details: It was discovered that PackageKit incorrectly handled certain transactions. A local attacker could use this issue to install arbitrary packages as root,...

CVE-2025-69604

An issue in Shirt Pocket's SuperDuper! 3.11 and earlier allow a local attacker to modify the default task template to install an arbitrary package that can run shell scripts with root privileges and Full Disk Access, thus bypassing macOS privacy controls...

EUVD-2025-206519

An issue in Shirt Pocket's SuperDuper! 3.11 and earlier allow a local attacker to modify the default task template to install an arbitrary package that can run shell scripts with root privileges and Full Disk Access, thus bypassing macOS privacy controls...

MAL-2025-188311 Malicious code in node-config-pulsar-buffer-luna (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7e8c0022a09dadf9f316bef3237889774793b25526950d9d077e09de84fbaa55 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

EUVD-2008-3237

Malware in sbrugna...

EUVD-2017-11476

Malware in sbrugna...

EUVD-2025-14867

Malicious code in bioql PyPI...

GHSA-X698-5HJM-W2M5 pyLoad is vulnerable to attacks that bypass localhost restrictions, enabling the creation of arbitrary packages

Summary Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages. Details Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages. Thi...

CVE-2021-30070

An issue was discovered in HestiaCP before v1.3.5. Attackers are able to arbitrarily install packages due to values taken from the pgk parameter in the update request being transmitted to the operating system's package manager...