MAL-2026-5525 Malicious code in @solana-labs/web3.js (npm)
Source: amazon-inspector 91b0523027116b3981b0f1dfe925f01d8956eb19817aae6ea7d0022d5357fba4 Package @solana-labs/web3.js impersonates the legitimate @solana/web3.js and re-exports it as cover while running a malicious postinstall node...
BIT-ARGO-CD-2026-42880 ArgoCD ServerSideDiff is vulnerable to Kubernetes Secret Extraction
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext...
CVE-2026-42880 ArgoCD ServerSideDiff is vulnerable to Kubernetes Secret Extraction
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext...
CVE-2026-42880
CVE-2026-42880 (Argo CD) : A missing authorization/data-masking gap in Argo CD’s ServerSideDiff endpoint allows an attacker with read-only access to extract plaintext Secret data from etcd via the Kubernetes API server’s Server-Side Apply dry-run. Affected versions are 3.2.0–3.2.10 and 3.3.0–3.3....
EUVD-2026-28469
ArgoCD ServerSideDiff is vulnerable to Kubernetes Secret Extraction...
Important: Red Hat Bug Fix Advisory: Red Hat OpenShift GitOps v1.20.3 bug fix and enhancement update
Red Hat OpenShift GitOps v1.20.3 bug fix and enhancement update An update is now available for Red Hat OpenShift GitOps. Bug Fixes and Enhancements: GITOPS-9699 CVE-2026-42880 Kubernetes Secret Extraction via ArgoCD ServerSideDiff gitops-1.20...
Exploit for Missing Encryption of Sensitive Data in Nginxui Nginx_Ui
CVE-2026-27944 POC: Nginx UI Unauthenticated Backup Download +...
GHSA-JG2J-2W24-54CG Kimai has an Authenticated Server-Side Template Injection (SSTI)
Kimai 2.45.0 - Authenticated Server-Side Template Injection (SSTI) Vulnerability Summary | Field | Value | |-------|-------| | Title | Authenticated SSTI via Permissive Export Template Sandbox | | Attack Vector | Network | | Attack Complexity | Low | | Privileges Required | High (Admin with export...
CVE-2024-41121
Woodpecker is a simple yet powerful CI/CD engine with great extensibility. The server allows any user who can trigger a pipeline to run malicious workflows: 1. Those workflows can either lead to a takeover of the host that runs the agent executing the workflow. 2. Or allow extraction of the secrets w...
CVE-2022-27201
Jenkins Semantic Versioning Plugin 1.13 and earlier does not restrict execution of a controller/agent message to agents, and implements no limitations on the file path that can be parsed, allowing attackers able to control agent processes to have Jenkins parse a crafted file that uses externa...
CVE-2025-68665 LangChain serialization injection vulnerability enables secret extraction
LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and prior to langchain versions 0.3.37 and 1.2.3, a serialization injection vulnerability exists in LangChain JS's toJSON method and subsequently when string-ifying objects using...
CVE-2025-68665
CVE-2025-68665 (LangChain JS) has a serialization-injection vulnerability in LangChain JS toJSON() and JSON.stringify() paths that fails to escape objects with the internal 'lc' key, causing user-controlled data to be mistaken for LangChain objects during deserialization. Affected: LangChain JS b...
CVE-2025-68664 LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs
LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps and dumpd functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries...
CVE-2025-68664
CVE-2025-68664 (LangGrinch) is a serialization-injection vulnerability in the LangChain Core Python package. Affected versions prior to 0.3.81 and 1.2.5 fail to escape dictionaries containing the internal lc marker during dumps/dumpd, causing user-controlled data to be treated as legitimate LangC...
GHSA-R399-636X-V7F6 LangChain serialization injection vulnerability enables secret extraction
Context A serialization injection vulnerability exists in LangChain JS's toJSON method and subsequently when string-ifying objects using JSON.stringify. The method did not escape objects with 'lc' keys when serializing free-form data in kwargs. The 'lc' key is used internally by LangChain to mark...
EUVD-2025-204846
LangChain serialization injection vulnerability enables secret extraction...
GHSA-C67J-W6G6-Q2CM LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs
Summary A serialization injection vulnerability exists in LangChain's dumps and dumpd functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data...