MAL-2026-5804 Malicious code in flow-lending-sdk (npm)

Continuation of the flow/surf-lending DeFi cred-exfil campaign c1655. Sentinel-9.9.9 depconf squat; preinstall node index.js || true exfils env secrets mnemonic/private-key/blockfrost to raw C2 2.25.140.71:8443/surflending/npm-confusion same C2. Companions bodega-sdk/flowdefi verified identical...

Linux kernel 安全漏洞

The Linux kernel is the kernel used by the Linux operating system developed by the Linux Foundation in the United States. There is a security vulnerability in the Linux kernel, which stems from the tpmdevrelease function not properly releasing the authentication session using kfreesensitive,...

PYSEC-0000-CVE-2026-42360

A bug in Apache Airflow's rendered-template field handling caused nested sensitive-key masking e.g. nested password / token / secret / apikey keys inside a JSON template structure to be bypassed when the rendered field exceeded core maxtemplatedfieldlength: Airflow stringified the structure befor...

PYSEC-2026-172

A bug in Apache Airflow's rendered-template field handling caused nested sensitive-key masking e.g. nested password / token / secret / apikey keys inside a JSON template structure to be bypassed when the rendered field exceeded core maxtemplatedfieldlength: Airflow stringified the structure befor...

Cleartext Storage of Sensitive Information

Overview sagemaker is an Open source library for training and deploying models on Amazon SageMaker. Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information in the ModelBuilder/Serve component. An attacker can extract sensitive HMAC signing keys by accessing...

CVE-2025-62619

Missing authentication in the KVM key download endpoint could allow an unauthenticated attacker with knowledge of the exposed URL to retrieve sensitive keys, potentially leading to loss of confidentiality...

CVE-2025-62625

Improper privilege management in the KVM key download component could allow an attacker to swap tokens and download sensitive keys, potentially resulting in unauthorized access to privileged resources and loss of confidentiality...

CVE-2025-62619

Missing authentication in the KVM key download endpoint could allow an unauthenticated attacker with knowledge of the exposed URL to retrieve sensitive keys, potentially leading to loss of confidentiality...

CVE-2025-62619

Missing authentication in the KVM key download endpoint could allow an unauthenticated attacker with knowledge of the exposed URL to retrieve sensitive keys, potentially leading to loss of confidentiality...

CVE-2025-62619

Missing authentication in the KVM key download endpoint could allow an unauthenticated attacker with knowledge of the exposed URL to retrieve sensitive keys, potentially leading to loss of confidentiality...

CVE-2025-62625

CVE-2025-62625 concerns improper privilege management in the KVM key download component, enabling token swapping to obtain sensitive keys and potentially access privileged resources. The NVD/CVE records describe impact to confidentiality with CVSS v4.0 base metrics: Attack Vector NETWORK, Attack ...

CVE-2025-62625

Improper privilege management in the KVM key download component could allow an attacker to swap tokens and download sensitive keys, potentially resulting in unauthorized access to privileged resources and loss of confidentiality...

CVE-2025-62625

Improper privilege management in the KVM key download component could allow an attacker to swap tokens and download sensitive keys, potentially resulting in unauthorized access to privileged resources and loss of confidentiality...

CVE-2025-62625

Improper privilege management in the KVM key download component could allow an attacker to swap tokens and download sensitive keys, potentially resulting in unauthorized access to privileged resources and loss of confidentiality...

AMD Processors 访问控制错误漏洞

AMD Processors are a series of processors developed by American semiconductor company AMD. AMD Processors have a vulnerability related to access control, which stems from the lack of authentication at the key download endpoint. This allows unauthorized attackers to retrieve sensitive keys using a...

PT-2026-40939

Improper privilege management in the KVM key download component could allow an attacker to swap tokens and download sensitive keys, potentially resulting in unauthorized access to privileged resources and loss of confidentiality...

AMD Device Management Portal Key Download

CVE Details Refer to Glossary for explanation of terms CVE| CVE Description| CVSS Score ---|---|--- CVE-2025-62619| Missing authentication in the KVM key download endpoint could allow an unauthenticated attacker with knowledge of the exposed URL to retrieve sensitive keys, potentially leading to...

CVE-2026-43377

A flaw was found in ksmbd in the Linux kernel. When KSMBDDEBUGAUTH logging is enabled, sensitive session, signing, encryption, and decryption key bytes are logged. This can lead to information disclosure, potentially exposing user credentials...

CVE-2026-6830 Nesquena Hermes WebUI Environment Variable Credential Leakage via Profile Switch

nesquena hermes-webui contains an environment variable leakage vulnerability where profile switching does not clear environment variables from the previously active profile before loading the next profile. Attackers or users can exploit additive dotenv reload behavior to access provider API keys...

Malicious code in @than-xs/libsignal-node (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c613873d188e4ec1b5e30520478eb5e162c8f2b10cad3dd50e0973d9ca925034 The package @than-xs/libsignal-node was found to contain malicious code. Source: ghsa-malware...