GO-2026-4395 terraform-provider-proxmox has insecure sudo recommendation in the documentation in github.com/bpg/terraform-provider-proxmox
terraform-provider-proxmox has insecure sudo recommendation in the documentation in github.com/bpg/terraform-provider-proxmox...
PT-2026-6530
EVE's Debug Functions Unlockable Without Triggering Measured Boot in github.com/lf-edge/eve...
PT-2026-6521
OpenList has Insecure TLS Default Configuration in github.com/OpenListTeam/OpenList...
Nexus Repository Manager 3.53.0-01 File Disclosure / Traversal
A critical path traversal vulnerability exists in Sonatype Nexus Repository Manager 3 that allows unauthenticated attackers to read arbitrary files from the server filesystem through crafted URL paths. This is a proof of concept for an issue discovered in 2024...
CVE-2026-25140
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, an attacker who controls or compromises an APK repository used by apko could cause resource exhaustion on the build host. The ExpandApk function in...
CVE-2026-25121
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package e.g., via a compromised or typosquatte...
CVE-2026-25140
The CVE-2026-25140 issue affects chainguard.dev/apko: ExpandApk() expands .apk streams without decompression limits, enabling an attacker-controlled APK repository to inflate a small, highly-compressed archive into a large tar stream. This unbounded expansion can exhaust disk space and CPU on the...
Malicious Package
Overview: confluence-analytics-support is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
apko affected by potential unbounded resource consumption in expandapk.ExpandApk on attacker-controlled .apk streams
An attacker who controls or compromises an APK repository used by apko could cause resource exhaustion on the build host. The ExpandApk function in pkg/apk/expandapk/expandapk.go expands .apk streams without enforcing decompression limits, allowing a malicious repository to serve a small,...
osbuild-composer security update
149-4.0.1 - Add missing dependency over dracut-config-rescue for image-installer Orabug: 38587453 - Add OL10 support - Update repository URLs for baseos, appstream and UERK - Fix the label for UEKR repository - Simplify repository names JIRA: OLDIS-35893 - Ensure build on latest golang:...
Improper Access Control.
Weblate is vulnerable to improper access control. The vulnerability is due to insufficient validation of webhook payloads, which allows an attacker to craft malicious webhook requests and trigger unauthorized repository updates across multiple repositories...
pearweb SQL injection vulnerability
PearWeb is a PHP extension and application repository developed by PEAR. Versions of PearWeb prior to 1.33.0 contained a SQL injection vulnerability. This vulnerability occurred due to the use of the user::maintains function, which provided role filters as arrays and inserted IN clauses,...
PT-2026-6511
Fleet Windows MDM endpoint has a Cross-site Scripting vulnerability in github.com/fleetdm/fleet...
pearweb SQL injection vulnerability
PearWeb is a PHP extension and application repository developed by PEAR. Versions of PearWeb prior to 1.33.0 contained a SQL injection vulnerability. This vulnerability stemmed from the category deletion process, where an SQL injection could be exploited by attackers through the use of category I...
GO-2026-4388 Juju has broken CMR authorization in github.com/juju/juju
Juju has broken CMR authorization in github.com/juju/juju...
GO-2026-4364 Gitea does not properly validate repository ownership when linking attachments to releases in code.gitea.io/gitea
Gitea does not properly validate repository ownership when linking attachments to releases in code.gitea.io/gitea...
GO-2026-4368 Gitea improperly exposes issue titles and repository names through previously started stopwatches in code.gitea.io/gitea
Gitea improperly exposes issue titles and repository names through previously started stopwatches in code.gitea.io/gitea...
GO-2026-4363 Gitea does not properly validate repository ownership when deleting Git LFS locks in code.gitea.io/gitea
Gitea does not properly validate repository ownership when deleting Git LFS locks in code.gitea.io/gitea...
GO-2026-4377 Path traversal in TAP 4 multirepo client allows arbitrary file write via repo names in github.com/theupdateframework/go-tuf
Path traversal in TAP 4 multirepo client allows arbitrary file write via repo names in github.com/theupdateframework/go-tuf...