GHSA-RHGJ-6G2C-FRMM @hulumi/policies bypasses policy packs with a forged Pulumi-URN logical name
Affected: @hulumi/policies 1.4.0 — Fixed in: 1.4.0 — Severity: High — CWE-693 Protection Mechanism Failure. Summary: Pulumi gives every cloud resource a structured URN that includes the resource's type chain (hulumi:baseline:aws:SecureBucket$aws:s3/bucketV2:BucketV2) and the logical name the develope...
PT-2026-48479
Affected: @hulumi/baseline 1.4.0 — Fixed in: 1.4.0 — Severity: Medium — CWE-693 Protection Mechanism Failure. Summary: AccountFoundation can either create AWS detective services (GuardDuty for threat detection, Security Hub for compliance dashboards) or reuse pre-existing ones via opt-in flags. The...
MAL-2026-4763 Malicious code in pulumi-vcd (PyPI)
Source: amazon-inspector 08bbc8be2cfa9a85473b0287e3c327b16c3f9e15886869bd9e2188a323448fd9 Package pulumivcd is published with metadata mimicking an official Pulumi SDK Homepage https://www.pulumi.com, tfgen-style auto-generated bindings bu...
GHSA-Q6X5-8V7M-XCRF vulnerabilities
Vulnerabilities for packages: pulumi, renovate, kubeflow-centraldashboard, vitess...
GHSA-JVWF-75H9-CWGG vulnerabilities
Vulnerabilities for packages: pulumi, renovate, kubeflow-centraldashboard, vitess...
GHSA-75PX-5XX7-5XC7 vulnerabilities
Vulnerabilities for packages: pulumi, renovate, kubeflow-centraldashboard, vitess...
CVE-2026-44293 vulnerabilities
Vulnerabilities for packages: pulumi, renovate, kubeflow-centraldashboard, vitess...
CVE-2026-44292 vulnerabilities
Vulnerabilities for packages: pulumi, renovate, kubeflow-centraldashboard, vitess...
CVE-2026-44290 vulnerabilities
Vulnerabilities for packages: pulumi, renovate, kubeflow-centraldashboard, vitess...
GHSA-66FF-XGX4-VCHM vulnerabilities
Vulnerabilities for packages: pulumi, renovate, kubeflow-centraldashboard, vitess...
CVE-2026-44294 vulnerabilities
Vulnerabilities for packages: pulumi, renovate, kubeflow-centraldashboard, vitess...
CVE-2026-44291 vulnerabilities
Vulnerabilities for packages: pulumi, renovate, kubeflow-centraldashboard, vitess...
CVE-2026-44289 vulnerabilities
Vulnerabilities for packages: pulumi, renovate, kubeflow-centraldashboard, vitess...
GHSA-FX83-V9X8-X52W vulnerabilities
Vulnerabilities for packages: pulumi, renovate, kubeflow-centraldashboard, vitess...
GHSA-685M-2W69-288Q vulnerabilities
Vulnerabilities for packages: pulumi, renovate, kubeflow-centraldashboard, vitess...
GHSA-2PR8-PHX7-X9H3 vulnerabilities
Vulnerabilities for packages: pulumi, renovate, kubeflow-centraldashboard, vitess...
CVE-2026-44288 vulnerabilities
Vulnerabilities for packages: pulumi, renovate, kubeflow-centraldashboard, vitess...
GHSA-389R-GV7P-R3RP vulnerabilities
Vulnerabilities for packages: grafana, external-secrets-operator, bom, grype, act, gitlab-runner, flux-source-controller, rancher-fleet, kubevela, steampipe, kots, pulumi-language-yaml, xeol, wolfictl, gitaly, gptscript, k9s, witness, argo-workflows, nuclei, guac, cerbos, pulumi-language-java,...