27 matches found

RustSec, added yesterday, 6 views

`pqcrypto-hqc` is unmaintained: upstream PQClean project being archived

This crate provides Rust bindings to the HQC key encapsulation mechanism via C implementations from PQClean. The PQClean project is being archived in or after July 2026 (see PQClean/PQClean604), after which no further security patches or bug fixes will be applied to the upstream implementations. As...

AI score: 5.8
Exploits: 0
RedhatCVE, added 2026/03/31 10:59 a.m., 3 views

CVE-2026-5128

A sensitive information exposure vulnerability exists in ArthurFiorette steam-trader 2.1.1. An unauthenticated attacker can send a request to the /users API endpoint to retrieve highly sensitive Steam account data, including the account username, password, identity secret, and shared secret. In...

AI score: 5.9, EPSS: 0.00144
Exploits: 0, References: 1
Vulnrichment, added 2026/03/30 9:18 a.m., 2 views

CVE-2026-5128

...

AI score: 5.8, EPSS: 0.00144
Exploits: 0
RedhatCVE, added 2026/02/10 1:23 p.m., 4 views

CVE-2026-25904

The Pydantic-AI MCP Run Python tool configures the Deno sandbox with an overly permissive configuration that allows the underlying Python code to access the localhost interface of the host to perform SSRF attacks. Note: the "mcp-run-python" project is archived and unlikely to receive a fix...

CVSS: 5.8, AI score: 5.6, EPSS: 0.00013
Exploits: 0, References: 1
NVD, added 2026/02/09 9:16 a.m., 5 views

CVE-2026-25905

The Python code being run by 'runPython' or 'runPythonAsync' is not isolated from the rest of the JS code, allowing any Python code to use the Pyodide APIs to modify the JS environment. This may result in an attacker hijacking the MCP server for malicious purposes, including MCP tool shadowing...

CVSS: 5.8, EPSS: 0.00013
Exploits: 0, References: 1
NVD, added 2026/02/09 9:16 a.m., 2 views

CVE-2026-25904

The Pydantic-AI MCP Run Python tool configures the Deno sandbox with an overly permissive configuration that allows the underlying Python code to access the localhost interface of the host to perform SSRF attacks. Note: the "mcp-run-python" project is archived and unlikely to receive a fix...

CVSS: 5.8, EPSS: 0.00013
Exploits: 0, References: 1
Cvelist, added 2026/02/09 9:01 a.m., 26 views

CVE-2026-25905 Lack of isolation in mcp-run-python leads to MCP server takeover

The Python code being run by 'runPython' or 'runPythonAsync' is not isolated from the rest of the JS code, allowing any Python code to use the Pyodide APIs to modify the JS environment. This may result in an attacker hijacking the MCP server for malicious purposes, including MCP tool shadowing...

CVSS: 5.8, EPSS: 0.00013
Exploits: 0, References: 1
CVE, added 2026/02/09 8:51 a.m., 4 views

CVE-2026-25904

The CVE-2026-25904 entry concerns the Pydantic-AI MCP Run Python tool configuring the Deno sandbox in a way that allows the underlying Python code to access the host's localhost interface, enabling SSRF. Affected component: the Deno sandbox configuration used by mcp-run-python (Pydantic-AI MCP Run Py...

CVSS: 5.8, AI score: 5.6, EPSS: 0.00013
Exploits: 0, References: 1
Positive Technologies, added 2026/02/09 12:00 a.m., 5 views

PT-2026-7089

The Pydantic-AI MCP Run Python tool configures the Deno sandbox with an overly permissive configuration that allows the underlying Python code to access the localhost interface of the host to perform SSRF attacks. Note: the "mcp-run-python" project is archived and unlikely to receive a fix...

CVSS: 5.8, AI score: 5.6, EPSS: 0.00013
Exploits: 0, References: 2
Positive Technologies, added 2026/02/09 12:00 a.m., 5 views

PT-2026-7090

Name of the Vulnerable Software and Affected Versions: MCP, affected versions not specified. Description: The Python code executed by the 'runPython' or 'runPythonAsync' functions lacks isolation from other JavaScript code. This allows Python code to utilize Pyodide APIs to alter the JavaScript...

CVSS: 5.8, AI score: 6, EPSS: 0.00013
Exploits: 0, References: 9
OSV, added 2025/12/17 6:31 p.m., 3 views

GHSA-W3J8-9P3J-3WJX Pagekit CMS has an Insecure Direct Object Reference (IDOR) in its User Role component

An Insecure Direct Object Reference (IDOR) in Pagekit CMS v1.0.18 allows attackers to escalate privileges. The project was archived as of December 1, 2023...

CVSS: 9.8, AI score: 7, EPSS: 0.00125
Exploits: 1, References: 5
EUVD, added 2025/10/03 8:07 p.m., 3 views

EUVD-2022-28531

Malicious code in bioql PyPI...

CVSS: 7.5, AI score: 7.5, EPSS: 0.00432
Exploits: 0, References: 1
EUVD, added 2025/10/03 8:07 p.m., 5 views

EUVD-2022-28530

Malicious code in bioql PyPI...

CVSS: 9.8, AI score: 9.1, EPSS: 0.00328
Exploits: 0, References: 1
Github Security Blog, added 2025/09/15 1:58 p.m., 6 views

serde_yml crate is unsound and unmaintained

Using `serde_yml::ser::Serializer.emitter` can cause a segmentation fault, which is unsound. The GitHub project for serde_yml was archived after unsoundness issues were raised. If you rely on this crate, it is highly recommended to switch to a maintained alternative. Recommended alternatives:...

AI score: 7
Exploits: 0, References: 3, Affected Software: 1
RustSec, added 2025/09/11 12:00 p.m., 5 views

serde_yml crate is unsound and unmaintained

Using `serde_yml::ser::Serializer.emitter` can cause a segmentation fault, which is unsound. The GitHub project for serde_yml was archived after unsoundness issues were raised. If you rely on this crate, it is highly recommended to switch to a maintained alternative. Recommended alternatives:...

AI score: 7
Exploits: 0
RustSec, added 2025/09/11 12:00 p.m., 7 views

`libyml::string::yaml_string_extend` is unsound and unmaintained

In version 0.0.4, `libyml::string::yaml_string_extend` was revised, resulting in undefined behaviour, which is unsound. The GitHub project for libyml was archived after unsoundness issues were raised. If you rely on this crate, it is highly recommended to switch to a maintained alternative. Recommende...

AI score: 7.1
Exploits: 0
OSV, added 2025/04/28 12:00 p.m., 6 views

RUSTSEC-2025-0025 rustc-serialize is unmaintained

rustc-serialize will no longer be maintained, as declared by the developer. By fuzzing the package, we can identify multiple vulnerabilities. The project has been archived, so issues can no longer be submitted. The developer has recommended using the serde crate instead...

AI score: 7.2
Exploits: 0, References: 3
Positive Technologies, added 2025/04/28 12:00 a.m., 3 views

PT-2025-19690 · Crates.Io · Rustc-Serialize

rustc-serialize will no longer be maintained, as declared by the developer. By fuzzing the package, we can identify multiple vulnerabilities. The project has been archived, so issues can no longer be submitted. The developer has recommended using the serde crate instead...

AI score: 7.3
Exploits: 0, References: 4
RustSec, added 2024/12/09 12:00 p.m., 3 views

gtk-layer-shell GTK3 bindings - no longer maintained

The gtk-layer-shell GTK3 bindings are no longer maintained. The maintainers have archived the repository, and added a note to the crate description and its README.md that the crates are no longer maintained. Please take a look at gtk4-layer-shell instead...

AI score: 7.1
Exploits: 0
Positive Technologies, added 2024/09/04 12:00 a.m., 5 views

PT-2024-40928 · Hwloc · Hwloc

Name of the Vulnerable Software and Affected Versions: hwloc, affected versions not specified. Description: The hwloc project has been archived by its developer and will no longer be maintained. This decision was made without any issues being reported. Recommendations: At the moment, there is no...

AI score: 6.9
Exploits: 0, References: 4