RHEL 9 : PackageKit (RHSA-2026:19354)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2026:19354 advisory. PackageKit is a D-Bus abstraction layer that allows the session user to manage packages in a secure way using a cross-distribution, cross-architectu...

apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible)

apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded .apk packages against the checksum recorded in the signed index. The checksum is parsed and available via ChecksumString, and the downloaded package control hash is computed, but the two values are never...

apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible)

apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded .apk packages against the checksum recorded in the signed index. The checksum is parsed and available via ChecksumString, and the downloaded package control hash is computed, but the two values are never...

USN-8195-3: PackageKit vulnerability

USN-8195-1 fixed a vulnerability in PackageKit. This update provides the corresponding fix to Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. Original advisory details: It was discovered that PackageKit incorrectly handled certain transactions. A local attacker could use this issue to...

USN-8195-1 packagekit vulnerability

It was discovered that PackageKit incorrectly handled certain transactions. A local attacker could use this issue to install arbitrary packages as root, possibly resulting in privilege escalation...

EUVD-2025-206137

Signal K Server Vulnerable to Remote Code Execution via Malicious npm Package...

CVE-2025-68619 Signal K Server Vulnerable to Remote Code Execution via Malicious npm Package

Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the appstore interface allow administrators to install npm packages through a REST API endpoint. While the endpoint validates that the package name exists in the npm registry as a known plugi...

Mautic user without privileged access to the Marketplace can install and uninstall composer packages

Summary A non privileged user can install and remove arbitrary packages via composer for a composer based installed, even if the flag in update settings for enable composer based update is unticked. Impact A low-privileged user of the platform can install malicious code to obtain higher privilege...

GHSA-3FQ7-C5M8-G86X Mautic user without privileged access to the Marketplace can install and uninstall composer packages

Summary A non privileged user can install and remove arbitrary packages via composer for a composer based installed, even if the flag in update settings for enable composer based update is unticked. Impact A low-privileged user of the platform can install malicious code to obtain higher privilege...

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass due to the improper privilege management for in the upload process. An attacker can install or remove arbitrary packages and potentially execute malicious code by leveraging insufficient access controls in the...

EUVD-2025-20395

Malicious code in bioql PyPI...

CVE-2025-7346

Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages...

pyLoad is vulnerable to attacks that bypass localhost restrictions, enabling the creation of arbitrary packages

Summary Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages. Details Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages. Thi...

Improper Preservation of Permissions

Overview pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Improper Preservation of Permissions via the host header. An attacker can gain unauthorized access and create arbitrary packages by sending crafted requests...

CVE-2025-7346

Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages...

CVE-2025-7346

Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages...

CVE-2025-7346

Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages...

CVE-2025-7346

Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages...

PT-2025-28355 · Pyload +1 · Pyload +1

Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. Description: An unauthenticated attacker can bypass the localhost restrictions imposed by the application, allowing them to create arbitrary packages. Recommendations: At the moment, there is no...

GHSA-RPG2-JVHP-H354 Yggdrasil Vulnerable to Local Privilege Escalation

A flaw was found in Yggdrasil, which acts as a system broker, allowing the processes to communicate to other children's "worker" processes through the DBus component. Yggdrasil creates a DBus method to dispatch messages to workers. However, it misses authentication and authorization checks,...