RLSA-2026:19141 Important: PackageKit security update

PackageKit is a D-Bus abstraction layer that allows the session user to manage packages in a secure way using a cross-distribution, cross-architecture API. Security Fixes: PackageKit: race condition vulnerability leads to arbitrary package installation as root CVE-2026-41651 For more details abou...

yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation

Impact yeoman-environment versions = 2.9.0 and 6.0.1 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary package installation...

GHSA-VV9J-GJW2-J8WP yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation

Impact yeoman-environment versions = 2.9.0 and 6.0.1 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary package installation...

EUVD-2026-31338

Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/install/download/. The download method in concrete/controllers/singlepage/dashboard/extend/install.php checks only the canInstallPackages permission before fetching a remote marketplace...

Security update for PackageKit (important)

openSUSE security update: security update for packagekit ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:20646-1 Rating: important References: bsc1262220 Cross-References: CVE-2026-41651 CVSS scores: CVE-2026-41651 SUSE : 8.8...

RockyLinux 8 : PackageKit (RLSA-2026:11635)

The remote RockyLinux 8 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2026:11635 advisory. PackageKit: race condition vulnerability leads to arbitrary package installation as root CVE-2026-41651 Tenable has extracted the preceding description block...

USN-8195-3 packagekit vulnerability

USN-8195-1 fixed a vulnerability in PackageKit. This update provides the corresponding fix to Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. Original advisory details: It was discovered that PackageKit incorrectly handled certain transactions. A local attacker could use this issue to...

USN-8195-2 packagekit vulnerability

USN-8195-1 fixed a vulnerability in PackageKit. This update provides the corresponding update to Ubuntu 26.04 LTS. Original advisory details: It was discovered that PackageKit incorrectly handled certain transactions. A local attacker could use this issue to install arbitrary packages as root,...

CVE-2025-69604

An issue in Shirt Pocket's SuperDuper! 3.11 and earlier allow a local attacker to modify the default task template to install an arbitrary package that can run shell scripts with root privileges and Full Disk Access, thus bypassing macOS privacy controls...

EUVD-2025-206519

An issue in Shirt Pocket's SuperDuper! 3.11 and earlier allow a local attacker to modify the default task template to install an arbitrary package that can run shell scripts with root privileges and Full Disk Access, thus bypassing macOS privacy controls...

MAL-2025-188311 Malicious code in node-config-pulsar-buffer-luna (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7e8c0022a09dadf9f316bef3237889774793b25526950d9d077e09de84fbaa55 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

EUVD-2017-11476

Malware in sbrugna...

EUVD-2008-3237

Malware in sbrugna...

EUVD-2025-14867

Malicious code in bioql PyPI...

GHSA-X698-5HJM-W2M5 pyLoad is vulnerable to attacks that bypass localhost restrictions, enabling the creation of arbitrary packages

Summary Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages. Details Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages. Thi...

CVE-2021-30070

An issue was discovered in HestiaCP before v1.3.5. Attackers are able to arbitrarily install packages due to values taken from the pgk parameter in the update request being transmitted to the operating system's package manager...

SUSE CVE-2025-3931

A flaw was found in Yggdrasil, which acts as a system broker, allowing the processes to communicate to other children's "worker" processes through the DBus component. Yggdrasil creates a DBus method to dispatch messages to workers. However, it misses authentication and authorization checks,...

CVE-2025-3931

Yggdrasil (the system daemon that uses a D-Bus message broker to route data to worker processes) has a local privilege escalation flaw (CVE‑2025‑3931) due to missing authentication/authorization when dispatching messages to workers. An attacker with local system access could leverage this unprote...

yggdrasil: Local privilege escalation in yggdrasil

A flaw was found in Yggdrasil, which acts as a system broker, allowing the processes to communicate to other children's "worker" processes through the DBus component. Yggdrasil creates a DBus method to dispatch messages to workers. However, it misses authentication and authorization checks,...

Design/Logic Flaw

An issue was discovered in HestiaCP before v1.3.5. Attackers are able to arbitrarily install packages due to values taken from the pgk parameter in the update request being transmitted to the operating system's package manager...