CVE-2026-44971

CVE-2026-44971 affects GuardDog (CLI tool to identify malicious PyPI packages). From version 1.0.0 through 2.9.0, GuardDog’s remote project scanning path rewrites attacker-controlled repository URLs via a blind string replacement and then sends the caller’s GitHub credentials with the resulting r...

EUVD-2026-32535

GuardDog is a CLI tool to identify malicious PyPI packages. From 1.0.0 to 2.9.0, the programmatic remote project scanning path rewrites attacker-controlled repository URLs using a blind string replacement and then sends the caller's GitHub credentials with the resulting request. This allows an...

CVE-2026-44971

GuardDog is a CLI tool to identify malicious PyPI packages. From 1.0.0 to 2.9.0, the programmatic remote project scanning path rewrites attacker-controlled repository URLs using a blind string replacement and then sends the caller's GitHub credentials with the resulting request. This allows an...

CVE-2026-8042 Github Shortcode <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Github Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'repo' shortcode attribute in the 'github' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

free5GC 代码问题漏洞

free5GC is an open-source project for the 5th generation 5G mobile core network. Versions of free5GC prior to 4.2.2 contained code vulnerabilities. These vulnerabilities stemmed from the NEF patch handler’s inability to handle UDR calls properly, leading to null pointer dereferencing and...

free5GC 安全漏洞

free5GC is an open-source project for the 5th generation 5G mobile core network. Versions of free5GC prior to 4.2.2 contained security vulnerabilities. These vulnerabilities stemmed from the PCF’s HandleCreateSmPolicyRequest handler, which encountered a null pointer dereferencing when UDR returne...

go-git 路径遍历漏洞

go-git is an open-source, highly scalable Git implementation written entirely in Go. Versions of go-git prior to 5.19.1 and 6.0.0-alpha.4 contained a path traversal vulnerability. This vulnerability stemmed from path validation issues, which could allow malicious data from a specially crafted...

go-git 安全漏洞

go-git is an open-source, highly scalable Git implementation written entirely in Go. Versions of go-git prior to 5.19.1 and 6.0.0-alpha.4 contained security vulnerabilities. These vulnerabilities stemmed from the use of SSH for transmitting commands remotely; the repository path was enclosed in...

GHSA-VGWR-23FQ-PR7G XWiki Platform vulnerable to potential arbitrary file writing using path traversal from (subwiki) admin

Impact A potential path traversal vulnerability allow an attacker who manages to get a malicious WebJar extension installed on the wiki to write arbitrary files. While the consequences could be severe like overriding configuration files and setting the superadmin password, the attack first requir...

EUVD-2025-203462

Weblate has a Server-Side Request Forgery issue...

GHSA-HFPV-MC5V-P9MM Weblate has a Server-Side Request Forgery issue

Impact The Create Component functionality in Weblate allows authorized users to add new translation components by specifying both a version control system and a source code repository URL to pull from. However, the repository URL field is not validated or sanitized, allowing an attacker to supply...

SUSE-SU-2026:21851-1 Security update for docker-stable

This update for docker-stable fixes the following issues - CVE-2026-33747: github.com/moby/buildkit: malicious frontends can craft API messages that cause files to be written outside of the BuildKit state directory bsc1260967. - CVE-2026-33748: github.com/moby/buildkit: insufficient validation of...

MAL-2026-4803 Malicious code in @fhkry/baileys (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 75b00f1cbf8b88a31654d13fe812fd9201f0b0c92f9ddad31fea59376752a636 This package is a Baileys WhatsApp Web library fork that, on every WebSocket connection, silently performs WhatsApp newsletter actions on the...

Anonymous YARA Rules Are Not Anonymous

YARA rules are widely shared across threat intelligence communities to enable collective defence against malware. This practice implicitly assumes that removing metadata e.g., author fields sufficiently protects the identity of contributing organisations. To assess the validity of this assumption...

Batch Me If You Can: Coverage-Guided RPKI Fuzzing at Scale

The Resource Public Key Infrastructure RPKI has become essential to secure inter-domain routing. Despite its critical role, RPKI software remains largely untested beyond shallow parsing. Existing fuzzers, like AFL++ or libFuzzer, do not work well for RPKI as they assume a single, self-contained...

MAL-2026-4670 Malicious code in skills-detector (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 844190b21455d308d6e2b5305ebe92634d80b55817290a84644a1048df0e54b3 On npm install, postinstall.js executes whoami and id via childprocess.execSync, collects os.hostname, os.platform, current working directory, and th...

Malicious code in gehneb (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 02811600aba146f33bc2f2a8eeee83d8539bf60398695af9f89b80541bbff971 package.json declares "consolefy": "git+https://github.com/ccndjdjdnnddnd-jpg/sbdrsfhbrfh.git" instead of resolving the legitimate consolefy package...

MAL-2026-4523 Malicious code in claude-channel-imessage (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9751c370c062cb40bccb874f46679ad3ca8ba9d3b49d0d8ba1f924d9582e53a3 On npm install, postinstall.js executes whoami and id, reads os.hostname, os.platform, process.cwd, and the CI, GITHUBREPOSITORY, and NODEENV...

MAL-2026-4631 Malicious code in opentiny-react (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 70307cffed06951bdb7b961e7846e3b3e0ba660b75ddca0b4fa11366ab94dc6d The package opentiny-react reproduces the source, README, and CHANGELOG of the legitimate @tinymce/tinymce-react integration verbatim under a...

Malicious Package

Overview chai-as-redeploy is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...