EUVD-2026-36290

In Duck Site before version 1.0.1, the repository has a deploy workflow that runs after the build workflow completes. The build workflow runs on pull requests, while the deploy workflow runs with package-write permissions and deployment secrets. If an attacker can make a pull request build satisf...

PT-2026-45046

The current upstream main branch at commit 7e0206d was reviewed, and the fix-first patch set was rebased on 2026-05-18. The patches cover: validated and bound inactive-agent hour filtering; storage SQL identifier validation; metadata-backed ownership checks for raw storage SQL; blocking direct...

Malicious code in @amswf/huoke (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4ec868ff3c73d920bd9c3b66a0e725f2eaf427b83ade2ad0fae284be0386eff4 On npm install, this package's postinstall runs node bin/huoke.js install-skill, which enumerates /home/ for every system user, finds each user's...

OpenClaw `node.pair.approve` placed in `operator.write` scope instead of `operator.pairing` allows unprivileged pairing approval

Impact OpenClaw node.pair.approve placed in operator.write scope instead of operator.pairing allows unprivileged pairing approval. The pairing approval method accepted operator.write instead of the narrower pairing scope and admin requirement for exec-capable nodes. OpenClaw is a user-controlled...

CVE-2026-27943

OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including 8.0.0, the eye exam eyemag view loads data by formid or equivalent without verifying that the form belongs to the current user’s patient/encounter context. An...

CVE-2026-27943

OpenEMR (versions up to 8.0.0) contains an access control flaw in the eye_exam (eye_mag) view: data is loaded by form_id without verifying the form belongs to the current user’s patient/encounter context. An authenticated user can access or edit any patient’s eye exam by supplying a different for...

EUVD-2026-8812

OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including 8.0.0, the eye exam eyemag view loads data by formid or equivalent without verifying that the form belongs to the current user’s patient/encounter context. An...

PT-2026-22100

OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including 8.0.0, the eye exam eye mag view loads data by form id or equivalent without verifying that the form belongs to the current user’s patient/encounter context. An...

Linux Distros Unpatched Vulnerability : CVE-2023-3401

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue has been discovered in GitLab affecting all versions before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 befo...

CVE-2023-22735

Zulip is an open-source team collaboration tool. In versions of zulip prior to commit 2f6c5a8 but after commit 04cf68b users could upload files with arbitrary Content-Type which would be served from the Zulip hostname with Content-Disposition: inline and no Content-Security-Policy header, allowin...

CVE-2023-42807

Frappe LMS is an open source learning management system. In versions 1.0.0 and prior, on the People Page of LMS, there was an SQL Injection vulnerability. The issue has been fixed in the main branch. Users won't face this issue if they are using the latest main branch of the app...

CVE-2022-39270

DiscoTOC is a Discourse theme component that generates a table of contents for topics. Users that can create topics in TOC-enabled categories and have sufficient trust level - configured in component's settings are able to inject arbitrary HTML on that topic's page. The issue has been fixed on th...

Malicious code in main-branch-check (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 8be08fa3cd592a6d15f6524eac04c1935a0fa11215c4143121b34e3a0de18e15 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2025-1524 Malicious code in main-branch-check (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 8be08fa3cd592a6d15f6524eac04c1935a0fa11215c4143121b34e3a0de18e15 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

PT-2025-3194 · Zulip · Zulip Server

Name of the Vulnerable Software and Affected Versions: Zulip Server versions 7.0 through 9.3 Description: The issue concerns an information disclosure attack where an unauthenticated user can determine if an email address is in use by a user on a Zulip server hosting multiple organizations. There...

GHSA-9JMP-J63G-8X6M Withdrawn Advisory: Lunary information disclosure vulnerability

Withdrawn Advisory This advisory has been withdrawn because the lunary npm package is connected to https://github.com/lunary-ai/lunary-js, not the https://github.com/lunary-ai/lunary repo that is discussed in this advisory. The underlying vulnerability report is still valid, but it doesn't affect...

CVE-2024-6087 Improper Access Control in lunary-ai/lunary

An improper access control vulnerability exists in lunary-ai/lunary at the latest commit a761d83 on the main branch. The vulnerability allows an attacker to use the auth tokens issued by the 'invite user' functionality to obtain valid JWT tokens. These tokens can be used to compromise target user...

PT-2024-19003 · Discourse · Discourse Calendar

Name of the Vulnerable Software and Affected Versions: discourse-calendar affected versions not specified Description: The discourse-calendar plugin has a limit on region value length that is too generous, allowing a malicious actor to cause a Discourse instance to use excessive bandwidth and dis...

SUSE CVE-2023-42816

Kyverno is a policy engine designed for Kubernetes. A security vulnerability was found in Kyverno where an attacker could cause denial of service of Kyverno. The vulnerability was in Kyvernos Notary verifier. An attacker would need control over the registry from which Kyverno would fetch...

SUSE CVE-2023-42815

Kyverno is a policy engine designed for Kubernetes. A security vulnerability was found in Kyverno where an attacker could cause denial of service of Kyverno. The vulnerability was in Kyvernos Notary verifier. An attacker would need control over the registry from which Kyverno would fetch...