Linux Distros Unpatched Vulnerability : CVE-2025-48866
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - ModSecurity is an open source, cross-platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of servic...
Linux Distros Unpatched Vulnerability : CVE-2024-32004
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in su...
CVE-2025-55285
The CVE-2025-55285 issue affects the Backstage scaffolder-backend plugin. Before version 2.1.1, the fetch:template action could duplicate the input log path, causing some secrets passed via the {{ secrets }} bag to be written to logs instead of being redacted. Affected product: @backstage/plugin-...
Linux Distros Unpatched Vulnerability : CVE-2024-23652
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit frontend or Dockerfi...
Linux Distros Unpatched Vulnerability : CVE-2025-21641
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In the Linux kernel, the following vulnerability has been resolved: mptcp: sysctl: blackhole timeout: avoid using current-nsproxy As mentioned in the previous...
MAL-2025-8771 Malicious code in @malware-test-lopes-ekkas-felon-avoid/test-mlw3-lopes-ekkas-felon-avoid (npm)
The package @malware-test-lopes-ekkas-felon-avoid/test-mlw3-lopes-ekkas-felon-avoid was found to contain malicious code...
Malicious Package
Overview github.com/stripedconsu/linker is a malicious package. This package contains malicious code designed to provide attackers with on-demand remote access to a developer's system or CI/CD environment. The package and some other variants use typosquatting to imitate legitimate packages. Upon...
Malicious Package
Overview redux-ace is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview node-smsk is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate legitimate WhatsApp libraries, there is no connection between that organization and this package...
Malicious Package
Overview naya-clone is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate legitimate WhatsApp libraries, there is no connection between that organization and this package...
Malicious Package
Overview nouku-search is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate legitimate WhatsApp libraries, there is no connection between that organization and this package...
Malicious Package
Overview nvlore-hsc is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate legitimate WhatsApp libraries, there is no connection between that organization and this package...
Malicious Package
Overview naya-flore is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate legitimate WhatsApp libraries, there is no connection between that organization and this package...
Malicious Package
Overview @veryflore/disc is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate legitimate WhatsApp libraries, there is no connection between that organization and this...
Active Storage allowed transformation methods that were potentially unsafe
Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three methods allowing for the circumvention of the safe defaults which enables potential command injection vulnerabilities in cases where...
CVE-2025-55199 Helm Charts with Specific JSON Schema Values Can Cause Memory Exhaustion
Helm is a package manager for Charts for Kubernetes. Prior to version 3.18.5, it is possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and have an out-of-memory (OOM) termination. This issue has been resolved in Helm 3.18.5. A workaround involves...
CVE-2025-55158
A double-free vulnerability was found in Vim. This flaw allows an attacker to trick a user into processing a specially crafted file to trigger the double-free, causing the application to crash. Mitigation: Do not run untrusted Vim scripts, as it's not recommended...
CVE-2025-55157
A use-after-free vulnerability was found in Vim. This flaw allows an attacker who can trick a user into processing a specially crafted file to trigger the use-after-free, causing the application to crash. Mitigation: Do not run untrusted Vim scripts, as it's not recommended...
CVE-2025-54800 Hydra persistent XSS in build metrics
Hydra is a continuous integration service for Nix based projects. Prior to commit dea1e16, a malicious package can introduce arbitrary JavaScript code into the Hydra database that is automatically evaluated in a client's browser when anyone visits the build page. This could be done by a third-par...