Malicious Package

Overview converse-rn-lib is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Malicious Package

Overview debug-glitz is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...

Oracle Linux 9 : osbuild-composer (ELSA-2026-1381)

The remote Oracle Linux 9 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2026-1381 advisory. 149-3.0.1 - Add missing dependency over dracut-config-rescue for image-installer ORABUG: 38587453 - Switch to UEKR8 repositories for OL9.6 Orabug: 37962207 - Ad...

osbuild-composer security update

149-3.0.1 - Add missing dependency over dracut-config-rescue for image-installer ORABUG: 38587453 - Switch to UEKR8 repositories for OL9.6 Orabug: 37962207 - Add support to create OpenScap images JIRA: OLDIS-35301 - Simplify repository names JIRA: OLDIS-35893 - Refactor patches to fix some naming...

GitHub: Add labels to arbitrary issues/prs & compromise github actions label checks

A vulnerability was identified that allowed a user with read access to a repository and write access to a project to modify issue and pull request metadata through the project. When adding an item to a project that already existed, column value updates were applied without verifying the actor's...

CVE-2026-24910

In Bun before 1.3.5, the default trusted dependencies list aka trust allow list can be spoofed by a non-npm package in the case of a matching name for file, link, git, or github...

CVE-2026-20800

Gitea's notification API does not re-validate repository access permissions when returning notification details. After a user's access to a private repository is revoked, they may still view issue and pull request titles through previously received notifications...

Sensitive Information Disclosure

@anthropic-ai/claude-code is vulnerable to Sensitive Information Disclosure. The vulnerability is due to improper trust validation during the project-load flow, which allows an attacker to supply a malicious repository configuration that redirects API requests to an attacker-controlled endpoint a...

Malicious Package

Overview @santandergroup-uk/edgehome-components is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization...

Malicious Package

Overview stylus.js is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the repoName parameter, when the TAP 4 map file content is externally controlled. An attacker can write files outside the intended cache base directory by supplying a crafted value containing directory traversal...

CVE-2026-24686 go-tuf Path Traversal in TAP 4 Multirepo Client Allows Arbitrary File Write via Malicious Repository Names

go-tuf is a Go implementation of The Update Framework TUF. go-tuf's TAP 4 Multirepo Client uses the map file repository name string repoName as a filesystem path component when selecting the local metadata cache directory. Starting in version 2.0.0 and prior to version 2.4.1, if an application...

EUVD-2026-4837

go-tuf is a Go implementation of The Update Framework TUF. go-tuf's TAP 4 Multirepo Client uses the map file repository name string repoName as a filesystem path component when selecting the local metadata cache directory. Starting in version 2.0.0 and prior to version 2.4.1, if an application...

CVE-2026-24686

The CVE affects go-tuf (The Update Framework for Go), specifically the TAP 4 Multirepo Client. A map-file repository name (repoName) is used as a filesystem path component when selecting the LocalMetadataDir cache. If an untrusted map file is provided, an attacker can supply a repoName containing...

CVE-2026-24480 QGIS had validated RCE and Repository Takeover via GitHub Actions

QGIS is a free, open source, cross platform geographical information system GIS The repository contains a GitHub Actions workflow called "pre-commit checks" that, before commit 76a693cd91650f9b4e83edac525e5e4f90d954e9, was vulnerable to remote code execution and repository compromise because it...

CVE-2026-24480

CVE-2026-24480 affects QGIS’ GitHub Actions workflow named “pre-commit checks.” Before commit 76a693cd91650f9b4e83edac525e5e4f90d954e9, the workflow used pull_request_target and checked out/executed untrusted PR code in a privileged context, allowing potential remote code execution and repository...

CVE-2026-24480 QGIS had validated RCE and Repository Takeover via GitHub Actions

QGIS is a free, open source, cross platform geographical information system GIS The repository contains a GitHub Actions workflow called "pre-commit checks" that, before commit 76a693cd91650f9b4e83edac525e5e4f90d954e9, was vulnerable to remote code execution and repository compromise because it...

QGIS security vulnerabilities

QGIS is an open-source geographic information system developed by QGIS. QGIS has a security vulnerability that stems from the GitHub Actions workflow using a pullrequesttarget trigger and executing untrusted pull requests in privileged environments. This can lead to remote code execution and...

Go-TUF path traversal vulnerability

go-tuf is a framework developed by The Update Framework for protecting software update systems. Versions of go-tuf prior to 2.4.1 contained a path traversal vulnerability. This vulnerability stemmed from the use of repository name strings as file system path components, allowing for path traversa...

Linux Distros Unpatched Vulnerability : CVE-2026-24686

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - go-tuf is a Go implementation of The Update Framework TUF. go-tuf's TAP 4 Multirepo Client uses the map file repository name string repoName as a filesystem pat...