SUSE SLES15 Security Update : python (SUSE-SU-2026:2387-1)

The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2387-1 advisory. This update for python fixes the following issues - CVE-2026-1703: files may be extracted outside the installation directory when installing an...

Fedora 44 : composer (2026-9b34a78e81)

The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-9b34a78e81 advisory. Version 2.10.1 - 2026-06-04 Security: Fixed shell escaping when opening an editor 12903 Security: Verify backup phar signature before restoring it when using...

Security update for python

This update for python fixes the following issues CVE-2026-1703: files may be extracted outside the installation directory when installing and extracting maliciously crafted wheel archives bsc1257599. CVE-2026-3219: pip doesn't reject concatenated ZIP bsc1262429. CVE-2026-4786: Incomplete...

SUSE-SU-2026:2387-1 Security update for python

This update for python fixes the following issues - CVE-2026-1703: files may be extracted outside the installation directory when installing and extracting maliciously crafted wheel archives bsc1257599. - CVE-2026-3219: pip doesn't reject concatenated ZIP bsc1262429. - CVE-2026-4786: Incomplete...

CVE-2026-30269

Improper access control in Doorman v0.1.0 and v1.0.2 allows any authenticated user to update their own account role to a non-admin privileged role via /platform/user/username. The role field is accepted by the update model without a manageusers permission check for self-updates, enabling privileg...

CVE-2026-31014

Dovestones Softwares AD Self Update 4.0.0.5 is vulnerable to Cross Site Request Forgery CSRF. The affected endpoint processes state-changing requests without requiring a CSRF token or equivalent protection. The endpoint accepts application/x-www-form-urlencoded requests, and an originally...

CVE-2026-9089

The ConnectWise Automate™ Agent does not fully verify the authenticity of components obtained during plugin loading and self-update operations. This issue is addressed in Automate 2026.5...

Fedora 43 : pie (2026-b2fe14ec86)

The remote Fedora 43 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-b2fe14ec86 advisory. Version 1.4.5 This release contains vulnerability fixes for the following security advisories: - GHSA-h842-vjwg-pxxx - Sudo-elevated arbitrary file deletion...

Fedora 44 : pie (2026-e5d5fc359d)

The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-e5d5fc359d advisory. Version 1.4.5 This release contains vulnerability fixes for the following security advisories: - GHSA-h842-vjwg-pxxx - Sudo-elevated arbitrary file deletion...

OPENSUSE-SU-2026:20880-1 Security update for python-pip

This update for python-pip fixes the following issues: - CVE-2026-3219: concatenated tar and ZIP files are handled as ZIP files, resulting in possibly obfuscated malicious code bsc1262429. - CVE-2026-6357: pip self-update functionality can import newly installed modules after wheel installation,...

SUSE-SU-2026:22018-1 Security update for python-pip

This update for python-pip fixes the following issues: - CVE-2026-3219: concatenated tar and ZIP files are handled as ZIP files, resulting in possibly obfuscated malicious code bsc1262429. - CVE-2026-6357: pip self-update functionality can import newly installed modules after wheel installation,...

Amazon Linux 2 : python-pip, --advisory ALAS2-2026-3317 (ALAS-2026-3317)

It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3317 advisory. pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred ...

Important: python-pip

Issue Overview: pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update...

MAL-2026-4597 Malicious code in kurumi-fca (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f90450e6ca1502bf6287d945c37c4c64f59e624a4269ab8e07600a9db5e755d0 kurumi-fca is a Facebook Chat API library whose advertised purpose is to listen to Messenger events for the caller. Two undisclosed behaviors make it...

CVE-2026-9089

The ConnectWise Automate™ Agent does not fully verify the authenticity of components obtained during plugin loading and self-update operations. This issue is addressed in Automate 2026.5...

Malicious code in utils-mf (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6d338ea2a5c454a5a0352e6fb29bd940027bc4b8c349649f6356c4fc4f396272 Package metadata advertises 'utility mf' with main 'index.js', but the shipped main is a 15.7MB obfuscator.io-style blob preceded by 8MB of...

MAL-2026-4699 Malicious code in utils-mf (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6d338ea2a5c454a5a0352e6fb29bd940027bc4b8c349649f6356c4fc4f396272 Package metadata advertises 'utility mf' with main 'index.js', but the shipped main is a 15.7MB obfuscator.io-style blob preceded by 8MB of...

CVE-2026-9089

The CVE-2026-9089 issue affects the ConnectWise Automate Agent. According to connected sources, the agent does not fully verify the authenticity of components during plugin loading and self-update operations. The underlying impact is risk of tampered or unverified components being loaded during e...

CVE-2026-9089

The ConnectWise Automate™ Agent does not fully verify the authenticity of components obtained during plugin loading and self-update operations. This issue is addressed in Automate 2026.5...

EUVD-2026-31290

The ConnectWise Automate™ Agent does not fully verify the authenticity of components obtained during plugin loading and self-update operations. This issue is addressed in Automate 2026.5...