157530 matches found

OSSF Malicious Packages
added 2026/06/11 1:12 p.m., 6 views

Malicious code in optional-cpu-features (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4dbbb7dd9c604ef3e5782d477d4db7c04c50f7906b19af03e63a540e0a44166e On npm install, both the install and postinstall lifecycle scripts run node install.js, which requires lib/sync.js. That file hardcodes BASE =...

AI score 5.7
Exploits: 0, References: 2

RedHat Linux
added 2026/06/11 1:9 p.m., 3 views

openssl: OpenSSL: Heap buffer over-read in ASN.1 decoding can lead to denial of service or information disclosure.

A flaw was found in OpenSSL. An integer truncation vulnerability in the ASN.1 decoder can occur when processing a crafted DER-encoded ASN.1 structure with a primitive element exceeding 2 gigabytes. A remote attacker could exploit this to cause a heap buffer over-read. This may lead to an...

CVSS 7.5, AI score 5.6, EPSS 0.00513
Exploits: 0, References: 4

RedHat Linux
added 2026/06/11 1:9 p.m., 4 views

openssl: OpenSSL: Heap buffer overflow due to signed integer overflow in Unicode output sizing

A flaw was found in OpenSSL. A signed integer overflow vulnerability exists when sizing the destination buffer for Unicode output. This can lead to a heap buffer overflow, which may result in a crash or potentially allow an attacker to execute arbitrary code. Exploitation requires an application ...

CVSS 8.1, AI score 6.1, EPSS 0.00358
Exploits: 0, References: 4

Debian CVE
added 2026/06/11 12:38 p.m., 7 views

CVE-2026-49214

guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Versions prior to 2.10.2 did not reject ASCII control characters, whitespace, or DEL in first-party URI host components. A vulnerable flow is: First, an application accepts a user-controlled URL. Second, the URL is used to...

CVSS 5.3, AI score 5.5, EPSS 0.0031
Exploits: 0

Debian CVE
added 2026/06/11 12:34 p.m., 5 views

CVE-2026-48998

guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Versions prior to 2.10.2 contain improper Host header validation when parsing raw HTTP request messages and when deriving a server request URI from server variables. An attacker can provide a malformed Host header containing U...

CVSS 5.3, AI score 5.4, EPSS 0.00313
Exploits: 0

RedHat Linux
added 2026/06/11 11:53 a.m., 4 views

dotnet: .NET: Local file tampering via link following vulnerability

A flaw was found in .NET. This vulnerability, related to improper link resolution before file access, also known as 'link following', allows an unauthorized local attacker to perform unauthorized tampering. This could lead to integrity compromise of local files...

CVSS 6.2, AI score 5.4, EPSS 0.00272
Exploits: 0, References: 5

RedHat Linux
added 2026/06/11 11:52 a.m., 5 views

dotnet: ASP.NET Core: Denial of Service via uncontrolled resource consumption

A flaw was found in ASP.NET Core. This vulnerability allows an unauthorized attacker to exploit uncontrolled resource consumption, leading to a Denial of Service (DoS) over a network. This means that an attacker can make the affected system unavailable to legitimate users by consuming its resources...

CVSS 7.5, AI score 5.4, EPSS 0.0075
Exploits: 0, References: 5

SUSE CVE
added 2026/06/11 11:14 a.m., 5 views

SUSE CVE-2026-48733

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-49 and 7.1.2-24, an infinite loop in the subimage-search operation can happen when using a crafted image. This issue has been patched in versions 6.9.13-49 and 7.1.2-24...

CVSS 4.7, AI score 5.2, EPSS 0.00092
Exploits: 0, References: 3

SUSE CVE
added 2026/06/11 11:14 a.m., 4 views

SUSE CVE-2026-49218

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-24, a missing check in the DCM decoder could result in an image with invalid dimensions, which could cause crashes in other operations. This issue has been patched...

CVSS 7.5, AI score 5.2, EPSS 0.00263
Exploits: 0, References: 3

SUSE CVE
added 2026/06/11 11:13 a.m., 7 views

SUSE CVE-2026-53464

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-25, when providing invalid options to the wand option parser, a small memory leak will occur. This issue has been patched in version 7.1.2-25...

CVSS 4, AI score 5.2, EPSS 0.0011
Exploits: 0, References: 3

RedHat Linux
added 2026/06/11 10:32 a.m., 4 views

libsndfile: integer overflow in ima_reader_init()

A flaw was found in the libsndfile library. An integer overflow in the IMA ADPCM codec can occur when a specially crafted WAV audio file is processed, specifically with malicious samplesperblock and blocks values. This can lead to a heap-based buffer overflow, causing a crash to the application...

CVSS 7.5, AI score 5.6, EPSS 0.00405
Exploits: 1, References: 6

RedHat Linux
added 2026/06/11 8:51 a.m., 4 views

bind: BIND: Denial of Service via maliciously crafted DNSSEC-validated zone

A flaw was found in BIND. A remote attacker could exploit this vulnerability by sending a maliciously crafted DNSSEC-validated zone to a BIND resolver. This could cause the resolver to consume excessive CPU resources, leading to a denial of service (DoS) for legitimate users...

CVSS 7.5, AI score 7.9, EPSS 0.00824
Exploits: 0, References: 8

Wolfi
added 2026/06/11 1:48 a.m., 8 views

CVE-2026-46705 vulnerabilities

Vulnerabilities for packages: yazi...

CVSS 5.3, AI score 5.4, EPSS 0.00362
Exploits: 0

Wolfi
added 2026/06/11 1:48 a.m., 6 views

CVE-2026-44893 vulnerabilities

Vulnerabilities for packages: celeborn, thingsboard, management-api-for-apache-cassandra-5.0, trino, neo4j, apicurio-registry, keycloak, zipkin, apache-activemq-artemis...

CVSS 7.5, AI score 5.8, EPSS 0.00609
Exploits: 0

Wolfi
added 2026/06/11 1:48 a.m., 7 views

CVE-2026-44894 vulnerabilities

Vulnerabilities for packages: opensearch, trino, spark, apache-nifi...

CVSS 7.5, AI score 5.8, EPSS 0.00232
Exploits: 0

Wolfi
added 2026/06/11 1:48 a.m., 7 views

GHSA-CMM3-54F8-PX4J vulnerabilities

Vulnerabilities for packages: opensearch, trino, spark, apache-nifi...

AI score 5.8
Exploits: 0

Wolfi
added 2026/06/11 1:48 a.m., 10 views

CVE-2026-46702 vulnerabilities

Vulnerabilities for packages: yazi...

CVSS 7.5, AI score 5.4, EPSS 0.0046
Exploits: 0

Wolfi
added 2026/06/11 1:48 a.m., 9 views

GHSA-WWX6-X28X-8259 vulnerabilities

Vulnerabilities for packages: yazi...

AI score 5.4
Exploits: 0

Wolfi
added 2026/06/11 1:48 a.m., 8 views

CVE-2026-44892 vulnerabilities

Vulnerabilities for packages: opensearch, trino, spark...

CVSS 7.5, AI score 5.8, EPSS 0.00488
Exploits: 0

Wolfi
added 2026/06/11 1:48 a.m., 6 views

GHSA-C2RX-5R8W-8XR2 vulnerabilities

Vulnerabilities for packages: opensearch, trino, spark...

AI score 5.8
Exploits: 0