CVE-2026-41888

A flaw was found in Distribution, a software toolkit used for managing container content. This vulnerability allows a remote attacker to bypass security settings designed to prevent the deletion of container tags. By sending a specific request, an attacker can remove tags from repositories even...

Malicious code in @hanssoft/baileys (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e3f83fb38a98b69c322df069a26c495101aa35682df8f83641b00e2ce40a99bd This package is a fork of the WhatsApp library Baileys whose metadata homepage, repository, author points at the upstream @whiskeysockets/baileys,...

PT-2026-42522

Open ISES Tickets before 3.44.2 embeds a hardcoded Google Maps API key in settings.inc.php that is committed to the public source repository. The key can be extracted by anyone with read access to the source and used to make Google Maps Platform requests billed against the original owner's Google...

PT-2026-42520

Open ISES Tickets before 3.44.2 contains hardcoded MySQL database connection credentials host, username, password, database name in import mdb.php. The credentials are embedded in source code committed to the public repository, allowing any reader of the source to obtain valid configuration value...

PT-2026-42521

Open ISES Tickets before 3.44.2 embeds a hardcoded WhitePages reverse-phone API key in wp1.php that is committed to the public source repository. Any actor with read access to the source tree can extract the key and use it to make third-party API calls billed to or rate-limited against the origin...

PT-2026-42523

Open ISES Tickets before 3.44.2 embeds a hardcoded Google Maps API key in tables.php that is committed to the public source repository. The key can be extracted by anyone with read access to the source and used to make Google Maps Platform requests billed against the original owner's Google Cloud...

CVE-2026-9149 Libsolv: heap buffer overflow in libsolv repo_add_solv via negative maxsize from crafted .solv file

A flaw was found in libsolv. This heap buffer overflow vulnerability occurs when a victim processes a specially crafted .solv file containing negative size values in the repoaddsolv function. This leads to an undersized memory allocation and a subsequent out-of-bounds write. An attacker could...

Malicious code in supership-scan (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0aebde5ba55a72b6d4c6917ccf22db1427d434fed04cecc22dd16844e2d39033 The package advertises itself as a local-only static analyzer README: "Runs locally. Your code never leaves the machine" and "What's never transmitte...

MAL-2026-4675 Malicious code in supership-scan (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0aebde5ba55a72b6d4c6917ccf22db1427d434fed04cecc22dd16844e2d39033 The package advertises itself as a local-only static analyzer README: "Runs locally. Your code never leaves the machine" and "What's never transmitte...

CVE-2026-31069

BillaBear all versions prior to Jan 2026 contains a SQL Injection vulnerability in the EventRepository. User-controlled input from metric filter names and aggregation properties is directly interpolated into SQL queries using sprintf without proper sanitization or identifier quoting. Although...

Malicious code in @tailwind-core/oxide-linux-x64-gnu (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a107a0746f2f5159d661e4d332eac53f871b9d22f80caf5863bdd713e252ae00 The package name '@tailwind-core/oxide-linux-x64-gnu' impersonates the legitimate Tailwind CSS v4 oxide engine package...

MAL-2026-4448 Malicious code in @tailwind-core/oxide-linux-x64-gnu (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a107a0746f2f5159d661e4d332eac53f871b9d22f80caf5863bdd713e252ae00 The package name '@tailwind-core/oxide-linux-x64-gnu' impersonates the legitimate Tailwind CSS v4 oxide engine package...

GO-2026-4953 goshs is Missing Write Protection for Parametric Data Values in github.com/patrickhener/goshs

goshs is Missing Write Protection for Parametric Data Values in github.com/patrickhener/goshs...

GHSA-PQWM-Q9PV-PH8R Setup PHP: Command Injection in Repository-Derived PHP Version Resolution

Summary A command injection vulnerability was identified in shivammathur/setup-php when the action resolves the PHP version from repository-controlled files and uses that value while generating the platform setup script. In affected versions, setup-php may read the PHP version from: - .php-versio...

Setup PHP: Command Injection in Repository-Derived PHP Version Resolution

Summary A command injection vulnerability was identified in shivammathur/setup-php when the action resolves the PHP version from repository-controlled files and uses that value while generating the platform setup script. In affected versions, setup-php may read the PHP version from: - .php-versio...

Command Injection

Overview setup-php is a Setup PHP for use with GitHub Actions Affected versions of this package are vulnerable to Command Injection via the process that resolves PHP version from repository-controlled files such as .php-version, composer.lock, or composer.json and incorporates the value into the...

Diffusers: TOCTOU Trust Remote Code Bypass

Background This vulnerability is found in the diffusers package - the transformers-equivalent library for diffusion models. It is found in the DiffusionPipeline.frompretrained flow, which is used to load a pipeline from the HuggingFace Hub. This function has a trustremotecode guard: if the...

Malicious code in @kmmao/happy-coder (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c4478b22a21a87a37250e86ef25639330f79b779e5793f642eaf7ddaafd975d4 This package is a near-verbatim fork of the upstream happy-coder/happy-cli references to slopus/happy-cli and happy.engineering are retained througho...

CVE-2026-44933

PluginScript attempts to chroot the plugin to the repoManagerRoot, this root is frequently / the system root in standard configurations or when using --root. If the chroot target is /, it is a no-op, allowing the traversed path to execute host binaries like /bin/bash with root privileges...

Malicious code in svharness (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3aef9a7535c16df930fdb10e5b60773f5ba2e0a8cd102d53a4cc3da122cfd473 When the documented svharness build --baseline or svharness wizard command is run, the tool's default 'tasks' wiki mode scans and bundles the caller'...