CVE-2026-39823 vulnerabilities
Vulnerabilities for packages: kubevela, tempo, terraform-provider-acme, cloud-provider-azure, flux, flyte, secrets-store-csi-driver, redpanda, aws-flb-kinesis, splunk-otel-collector, aactl, libnvidia-container, keda, secrets-store-csi-driver-provider-azure, terraform-provider-tls, gitaly, sops, k...
GHSA-QF3Q-3H68-MMH2 vulnerabilities
Vulnerabilities for packages: kubevela, tempo, minify, kubeflow, cloud-provider-azure, flux, flyte, controller-gen, terraform-provider-acme, victoriametrics, secrets-store-csi-driver, redpanda, influx, act, container-object-storage-interface, aws-flb-kinesis, gosu, splunk-otel-collector, aactl,...
MAL-2026-248 Malicious code in dify-api (PyPI)
Source: kam193 (a40038bb1837e98127f2e267d1932d1eeb641c93e855c50af9aa25002e28c76b). Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. Category: PROBABLYPENTES...
Malicious Package
Overview starling-api is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
MAL-2025-191126 Malicious code in luno-api (npm)
Source: amazon-inspector (b2620f6e7e546cf45578383002edf88f0d14cfff7c3b3fbdadff49d591e9a67d). The package luno-api was found to contain malicious code. Source: ghsa-malware (b14565c7974772eb7c5d608e000f39017115adb0304131b6d1b03f7402fa9d1f). Any...
Improper Certificate Validation
Overview Affected versions of this package are vulnerable to Improper Certificate Validation due to insufficient peer verification logic in the verifyPeerCert function. An attacker can impersonate privileged API components and execute unauthorized operations by compromising a single instance and...
CVE-2025-59037
CVE-2025-59037 covers DuckDB npm packages where four Node.js packages were briefly compromised with malware: @duckdb/[email protected], @duckdb/[email protected], [email protected], and @duckdb/[email protected]. The malicious versions attempted to interfere with cryptocurrency transactions. DuckDB de...
MAL-2025-47125 Malicious code in ome-api (npm)
The package communicates with a domain associated with malicious activity. Source: ghsa-malware (813109d74c2326a2f6ec2d8189b807fcde2654e778172aef8555defeb27fc4a8). Any computer that has this package installed or running should be considered...
Malicious code in mall-api (npm)
The package mall-api was found to contain malicious code...
Malicious code in cm-api (npm)
The package cm-api was found to contain malicious code...
MAL-2025-25810 Malicious code in mall-api (npm)
The package mall-api was found to contain malicious code...
Malicious code in meta_api (npm)
The package meta_api was found to contain malicious code...
MAL-2025-6125 Malicious code in slf4j-api (npm)
The package communicates with a domain associated with malicious activity. Source: ghsa-malware (f7ccd4cc3b9a566cde097a25dda1efca4dc2bc70d632e77b01f3e21128e03356). Any computer that has this package installed or running should be considered...
MAL-2025-4835 Malicious code in iceberg-api (npm)
Source: ghsa-malware (80881b9c9051ea4744eeccd8038c44bb7bf6fd18b1535d8319cdf556cca76282). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2025-4581 Malicious code in syf-api (npm)
The package communicates with a domain associated with malicious activity. Source: ghsa-malware (a36b5dfd63736b61215e259a345ecf4691a6553267af52ff5485d1e5a8889c81). Any computer that has this package installed or running should be considered...
CVE-2025-4759
Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation, which can be bypassed by extending the package name, allowing an attacker to install npm packages other than the intended one...
CVE-2025-4759
CVE-2025-4759 affects the lockfile-lint-api package. The root cause is an incorrect behavior order in URL validation (the resolved attribute) that can be bypassed by extending the package name, allowing installation of npm packages other than the intended one. Reported impact includes potential...
PT-2025-21607 · Npm · Lockfile-Lint-Api
Name of the Vulnerable Software and Affected Versions: lockfile-lint-api versions prior to 5.9.2. Description: The issue concerns incorrect behavior order, specifically early validation, via the resolved attribute of the package URL validation. This can be bypassed by extending the package name,...
Insufficient Session Expiration
Overview Affected versions of this package are vulnerable to Insufficient Session Expiration through the Session API. An attacker can authenticate on behalf of the user by repeatedly using idp intents to retrieve the id and token from the application's URI. Remediation Upgrade...