756 matches found
Grok Build Uploaded Entire Git Repositories to xAI Storage, Not Just Files It Read
xAI's Grok Build coding CLI was uploading entire Git repositories, full commit history and all, to a Google Cloud Storage bucket run by xAI, not just the files a coding task needed. A researcher publishing as cereblab, testing version 0.2.93, captured one of those uploads, cloned the git bundle o...
PT-2026-57441
Name of the Vulnerable Software and Affected Versions Parse Server versions 9.0.0 through 9.10.0-alpha.1 Parse Server versions 8.x through 8.6.83 Description A stored cross-site scripting XSS issue exists when the software fails to recognize an uploaded file's extension via the mime package,...
SUSE-RU-2026:2816-1 Recommended update for python-aioresponses, python-google-api-core, python-google-api-python-client, python-google-auth, python-google-auth-httplib2, python-google-cloud-appengine-logging, python-google-cloud-artifact-registry, python-google-cloud-audit-log, python-google-cloud-build, python-google-cloud-compute, python-google-cloud-core, python-google-cloud-dns, python-google-cloud-domains, python-google-cloud-iam, python-google-cloud-kms, python-google-cloud-kms-inventory, python-google-cloud-logging, python-google-cloud-run, python-google-cloud-secret-manager, python-google-cloud-service-directory, python-google-cloud-spanner, python-google-cloud-storage, python-google-cloud-vpc-access, python-google-crc32c, python-google-resumable-media, python-googleapis-common-protos, python-grpc-google-iam-v1, python-grpc-interceptor, python-mmh3, python-mypy, python-opentelemetry-resourcedetector-gcp, python-poetry-core, python-proto-plus, python-pytest-asyncio, python-syrupy, python-typed-ast, python-uritemplate, python-dnspython, python-trio, python-websocket-client
This update for python-aioresponses, python-google-api-core, python-google-api-python-client, python-google-auth, python-google-auth-httplib2, python-google-cloud-appengine-logging, python-google-cloud-artifact-registry, python-google-cloud-audit-log, python-google-cloud-build,...
CVE-2026-55542
Snipe-IT prior to version 8.6.1 exposes a missing authorization check when retrieving S3 signature images. In S3-backed deployments, authenticated users who know a signature filename can obtain a 5-minute signed S3 URL because the S3 branch returns before the authorize() call used by the local-fi...
Malicious code in higherlogic-ocfe (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f73e9c228fc5188d602b213f2c6e7f88d6acbb4a9381667b7c33e4cb825aedf2 Package [email protected] is a dependency-confusion lure targeting the Higher Logic vendor namespace. The published index.js is an empty...
Malicious code in babel-eslint-parser-legacy (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 85a6f04cbf0697b6ae409fb9e5ad0e25812dac6a2f43bd95722f1903ee2f71f7 Package name babel-eslint-parser-legacy is a one-suffix confusion against the legitimate babel-eslint-parser. The package's own main is an empty stub...
Malicious code in ag-charts-test (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 29c50b5a47dde18daf83760926662df3b9890de074cc00938de04892ac79a4d9 [email protected] is a hollow package empty index.js, no scripts, no documented functionality whose sole effect on installers is resolving its...
Malicious code in visa-cli-tools (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a0e8f566e285de1eec2c3cae07b0faaa8828080a4e1fed7e76e1fe43dfa571ec Package presents as an internal-looking corporate tooling name 'visa-cli-tools' published at an inflated version 99.9.1 — the canonical...
CVE-2026-55418 FastGPT: S3 presign/read handlers do not bind the object key to the caller's team (cross-team file disclosure)
FastGPT is an open source AI knowledge base platform. Prior to v4.15.0-beta5, two FastGPT file handlers authorize an unrelated resource and then sign or read an S3 object using a key taken directly from the request, without checking that the key belongs to the caller's team. Because S3 object key...
CVE-2026-49297
Apache Airflow's Google provider operators GCSToSFTPOperator and GCSTimeSpanFileTransformOperator joined GCS object names returned by the bucket listing API directly to a destination filesystem path without normalisation or containment check. A user with write access to the source GCS bucket...
CVE-2026-49297
Apache Airflow's Google provider operators GCSToSFTPOperator and GCSTimeSpanFileTransformOperator joined GCS object names returned by the bucket listing API directly to a destination filesystem path without normalisation or containment check. A user with write access to the source GCS bucket...
[SECURITY] Fedora 43 Update: rclone-1.74.3-1.fc43
"rsync for cloud storage" - Google Drive, S3, Dropbox, Backblaze B2, One Driv e, Swift, Hubic, Wasabi, Google Cloud Storage, Azure Blob, Azure Files, Yandex Files...
[SECURITY] Fedora 44 Update: rclone-1.74.3-1.fc44
"rsync for cloud storage" - Google Drive, S3, Dropbox, Backblaze B2, One Driv e, Swift, Hubic, Wasabi, Google Cloud Storage, Azure Blob, Azure Files, Yandex Files...
BIT-GHOST-2026-53948 Ghost: File Upload Content-Type Spoofing
Ghost is a Node.js content management system. From 6.19.4 until 6.21.1, insufficient validation of the client-supplied Content-Type on Ghost's Admin API file upload endpoint allowed uploaded files to be served from the site with an attacker-chosen content type on S3/GCS storage backends. On...
Malicious code in ryan-pdf-js (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c3d966501b5f533318c26b54887cd29b3cd6c9495035a0f74519ba349357e3eb [email protected] is an empty stub package index.js exports whose sole purpose is to deliver an off-registry payload at install time. Its package.js...
CVE-2026-50137
Budibase is an open-source low-code platform. Prior to 3.39.0, an anonymous attacker who knows or can enumerate a workspace id app... and an S3-source datasource id ds... can call this endpoint with no auth and obtain a 15-minute pre-signed PUT URL minted on the victim's IAM identity. The endpoin...
CVE-2026-40012
The vulnerability CVE-2026-40012 affects configurations with ECS enabled, where ECS zero-scoped answers are stored in the packet cache instead of being properly restricted, potentially leaking to clients. The issue has a network-based attack surface with low confidentiality impact (CVSS v3.1: 5.3...
CVE-2026-40012 Information about ECS zero scoped answers might leak to clients that use a specific ECS
ECS zero scoped answers are stored in the packet cache while they should not. This impacts only configurations that have ECS enabled;...
CVE-2026-53948 Ghost: File Upload Content-Type Spoofing
Ghost is a Node.js content management system. From 6.19.4 until 6.21.1, insufficient validation of the client-supplied Content-Type on Ghost's Admin API file upload endpoint allowed uploaded files to be served from the site with an attacker-chosen content type on S3/GCS storage backends. On...
CVE-2026-48520 Langflow: Unauthenticated Shareable Playground arbitrary local or S3 file read
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.10.0, the "Shareable Playground" or "Public Flows" in code contains a potential arbitrary file-read vulnerability, depending on the exact flow configuration used. By making a flow public, public execution of...