932 matches found
EUVD-2026-30423
Amazon SageMaker Python SDK is missing integrity verification in its Triton inference handler...
Improper Validation of Integrity Check Value
Overview sagemaker-serve is a SageMaker Serve package for model serving and deployment Affected versions of this package are vulnerable to Improper Validation of Integrity Check Value in the Triton inference handler. An attacker can execute arbitrary code with the SageMaker execution role's IAM...
GHSA-RQ6V-X3J8-7QGF Amazon SageMaker Python SDK is missing integrity verification in its Triton inference handler
Summary Amazon SageMaker Python SDK is an open-source library for training and deploying machine learning models on Amazon SageMaker. An issue exists where, under certain circumstances, the Triton inference handler deserializes model artifacts without performing integrity verification, allowing...
Amazon SageMaker Python SDK is missing integrity verification in its Triton inference handler
Summary Amazon SageMaker Python SDK is an open-source library for training and deploying machine learning models on Amazon SageMaker. An issue exists where, under certain circumstances, the Triton inference handler deserializes model artifacts without performing integrity verification, allowing...
Cleartext Storage of Sensitive Information
Overview sagemaker-serve is a SageMaker Serve package for model serving and deployment Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information in the ModelBuilder/Serve component. An attacker can extract sensitive HMAC signing keys by accessing the SageMaker...
RLSA-2025:9844 Moderate: osbuild-composer security update
A service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Besides building images for local usage, it can also upload images directly to cloud. It is compatible with composer-cli and cockpit-composer clients. Security Fixes: net/http:...
Malicious code in @beproduct/nestjs-auth (0.1.2 through 0.1.19) — Mini Shai-Hulud worm
Summary Between 2026-05-11 20:19 UTC and 22:56 UTC, an attacker used a compromised npm publish token to publish 18 malicious versions of @beproduct/nestjs-auth 0.1.2 through 0.1.19. The packages contained payloads from the Mini Shai-Hulud npm supply-chain worm campaign described by Aikido Securit...
GHSA-6XWP-CP5H-Q856 Malicious code in @beproduct/nestjs-auth (0.1.2 through 0.1.19) — Mini Shai-Hulud worm
Summary Between 2026-05-11 20:19 UTC and 22:56 UTC, an attacker used a compromised npm publish token to publish 18 malicious versions of @beproduct/nestjs-auth 0.1.2 through 0.1.19. The packages contained payloads from the Mini Shai-Hulud npm supply-chain worm campaign described by Aikido Securit...
CVE-2026-45243
Summarize prior to 0.15.1 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows malicious pages to perform unauthorized operations on automation artifacts. Attackers can simulate runtime messages with spoofed sender identifiers to list, read,...
Inside SHADOW-WATER-063’s Banana RAT: From Build Server to Banking Fraud
In this blog entry, researchers from the TrendAI™ MDR team discuss how they mapped the full end-to-end operation of SHADOW-WATER-063’s Banana RAT banking malware by analyzing server-side artifacts and victim-side data...
PT-2026-42047
Name of the Vulnerable Software and Affected Versions @beproduct/nestjs-auth versions 0.1.2 through 0.1.19 Description An attacker used a compromised npm publish token to distribute malicious versions of the package containing payloads from the Mini Shai-Hulud npm supply-chain worm campaign. The...
Creation of Temporary File With Insecure Permissions
Overview Affected versions of this package are vulnerable to Creation of Temporary File With Insecure Permissions via the getorcreatenfstmpdir and createmodeldownloadingtmpdir functions. An attacker can modify model artifacts by exploiting these permissions, potentially leading to arbitrary code...
GHSA-F2M9-WCF4-CWWX MLFlow Creates a Temporary File With Insecure Permissions
In mlflow/mlflow versions prior to 3.11.0, the getorcreatenfstmpdir function in mlflow/utils/fileutils.py creates temporary directories with world-writable permissions 0o777, and the createmodeldownloadingtmpdir function in mlflow/pyfunc/init.py creates directories with group-writable permissions...
GHSA-5624-2PMV-JX46 Summarize contains a missing authorization vulnerability
Summarize prior to 0.15.0 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows malicious pages to perform unauthorized operations on automation artifacts. Attackers can simulate runtime messages with spoofed sender identifiers to list, read,...
Summarize contains a missing authorization vulnerability
Summarize prior to 0.15.0 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows malicious pages to perform unauthorized operations on automation artifacts. Attackers can simulate runtime messages with spoofed sender identifiers to list, read,...
CVE-2026-4137
In mlflow/mlflow versions prior to 3.11.0, the getorcreatenfstmpdir function in mlflow/utils/fileutils.py creates temporary directories with world-writable permissions 0o777, and the createmodeldownloadingtmpdir function in mlflow/pyfunc/init.py creates directories with group-writable permissions...
CVE-2026-45243
Summarize prior to 0.15.1 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows malicious pages to perform unauthorized operations on automation artifacts. Attackers can simulate runtime messages with spoofed sender identifiers to list, read,...
CVE-2026-45243
CVE-2026-45243 affects the Summarize browser extension prior to v0.15.1. The root cause is a missing authorization in the content script bridge (window.postMessage), allowing malicious pages to perform unauthorized operations on automation artifacts within the affected tab by spoofing sender iden...
CVE-2026-45243 Summarize < 0.15.1 Browser Extension Missing Authorization via Content Script
Summarize prior to 0.15.1 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows malicious pages to perform unauthorized operations on automation artifacts. Attackers can simulate runtime messages with spoofed sender identifiers to list, read,...
EUVD-2026-30794
Summarize prior to 0.15.1 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows malicious pages to perform unauthorized operations on automation artifacts. Attackers can simulate runtime messages with spoofed sender identifiers to list, read,...