3743 matches found

CVE
added 2025/08/15 5:10 p.m., 32 views

CVE-2025-55285

The CVE-2025-55285 issue affects the Backstage scaffolder-backend plugin. Before version 2.1.1, the fetch:template action could duplicate the input log path, causing some secrets passed via the {{ secrets }} bag to be written to logs instead of being redacted. Affected product: @backstage/plugin-...

CVSS 2.6, AI score 6.5, EPSS 0.00053
Exploits: 0, References: 2

Tenable Nessus
added 2025/08/15 12:0 a.m., 4 views

Linux Distros Unpatched Vulnerability : CVE-2025-21641

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In the Linux kernel, the following vulnerability has been resolved: mptcp: sysctl: blackhole timeout: avoid using current-nsproxy As mentioned in the previous...

CVSS 5.5, AI score 5.6, EPSS 0.00033
Exploits: 0, References: 3

Tenable Nessus
added 2025/08/15 12:0 a.m., 5 views

Linux Distros Unpatched Vulnerability : CVE-2024-23652

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit frontend or Dockerfi...

CVSS 10, AI score 6.8, EPSS 0.05701
Exploits: 0, References: 2

OSV
added 2025/08/14 6:52 p.m., 1 view

MAL-2025-8771 Malicious code in @malware-test-lopes-ekkas-felon-avoid/test-mlw3-lopes-ekkas-felon-avoid (npm)

The package @malware-test-lopes-ekkas-felon-avoid/test-mlw3-lopes-ekkas-felon-avoid was found to contain malicious code...

AI score 7.2
Exploits: 0

Snyk
added 2025/08/14 3:40 p.m., 1 view

Malicious Package

Overview: github.com/stripedconsu/linker is a malicious package. This package contains malicious code designed to provide attackers with on-demand remote access to a developer's system or CI/CD environment. The package and some other variants use typosquatting to imitate legitimate packages. Upon...

CVSS 9.8, AI score 7.4
Exploits: 0, References: 3

Snyk
added 2025/08/14 12:20 p.m., 1 view

Malicious Package

Overview: redux-ace is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

CVSS 9.8, AI score 6.8
Exploits: 0, References: 2

Snyk
added 2025/08/14 12:5 p.m., 1 view

Malicious Package

Overview: @veryflore/disc is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate legitimate WhatsApp libraries, there is no connection between that organization and this...

CVSS 9.8, AI score 6.8
Exploits: 0, References: 2

Snyk
added 2025/08/14 12:5 p.m., 1 view

Malicious Package

Overview: naya-flore is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate legitimate WhatsApp libraries, there is no connection between that organization and this package...

CVSS 9.8, AI score 6.8
Exploits: 0, References: 2

Snyk
added 2025/08/14 12:5 p.m., 1 view

Malicious Package

Overview: naya-clone is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate legitimate WhatsApp libraries, there is no connection between that organization and this package...

CVSS 9.8, AI score 6.8
Exploits: 0, References: 2

Snyk
added 2025/08/14 12:5 p.m., 2 views

Malicious Package

Overview: node-smsk is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate legitimate WhatsApp libraries, there is no connection between that organization and this package...

CVSS 9.8, AI score 6.8
Exploits: 0, References: 2

Snyk
added 2025/08/14 12:5 p.m., 2 views

Malicious Package

Overview: nvlore-hsc is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate legitimate WhatsApp libraries, there is no connection between that organization and this package...

CVSS 9.8, AI score 6.8
Exploits: 0, References: 2

Snyk
added 2025/08/14 12:5 p.m., 1 view

Malicious Package

Overview: nouku-search is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate legitimate WhatsApp libraries, there is no connection between that organization and this package...

CVSS 9.8, AI score 6.8
Exploits: 0, References: 2

RubySec
added 2025/08/14 12:0 a.m., 6 views

Active Storage allowed transformation methods that were potentially unsafe

Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three methods allowing for the circumvention of the safe defaults which enables potential command injection vulnerabilities in cases where...

CVSS 9.2, AI score 7.6, EPSS 0.00178
Exploits: 0, References: 1, Affected Software: 1

Vulnrichment
added 2025/08/13 11:23 p.m., 2 views

CVE-2025-55199 Helm Charts with Specific JSON Schema Values Can Cause Memory Exhaustion

Helm is a package manager for Charts for Kubernetes. Prior to version 3.18.5, it is possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and have an out of memory OOM termination. This issue has been resolved in Helm 3.18.5. A workaround involves...

CVSS 6.5, AI score 7.1, EPSS 0.0002
Exploits: 0, References: 2

RedhatCVE
added 2025/08/13 7:2 p.m., 4 views

CVE-2025-55158

A double-free vulnerability was found in Vim. This flaw allows an attacker to trick a user into processing a specially crafted file to trigger the double-free, causing the application to crash. Mitigation: Do not run untrusted vim scripts as it's not recommended...

CVSS 8.8, AI score 6.9, EPSS 0.00293
Exploits: 0, References: 6

RedhatCVE
added 2025/08/13 6:52 p.m., 3 views

CVE-2025-55157

A use-after-free vulnerability was found in Vim. This flaw allows an attacker who can trick a user into processing a specially crafted file to trigger the use-after-free, causing the application to crash. Mitigation: Do not run untrusted Vim scripts as it's not recommended...

CVSS 8.8, AI score 7, EPSS 0.00293
Exploits: 0, References: 6

AlpineLinux
added 2025/08/12 3:47 p.m., 3 views

CVE-2025-54800

Hydra is a continuous integration service for Nix based projects. Prior to commit dea1e16, a malicious package can introduce arbitrary JavaScript code into the Hydra database that is automatically evaluated in a client's browser when anyone visits the build page. This could be done by a third-par...

CVSS 7.1, AI score 7, EPSS 0.00182
Exploits: 0, References: 2

OSV
added 2025/08/12 3:47 p.m., 3 views

CVE-2025-54800 Hydra persistent XSS in build metrics

Hydra is a continuous integration service for Nix based projects. Prior to commit dea1e16, a malicious package can introduce arbitrary JavaScript code into the Hydra database that is automatically evaluated in a client's browser when anyone visits the build page. This could be done by a third-par...

CVSS 7.1, AI score 6.9, EPSS 0.00182
Exploits: 0, References: 4

NVD
added 2025/08/11 11:15 p.m., 1 view

CVE-2025-55159

slab is a pre-allocated storage for a uniform data type. In version 0.4.10, the get_disjoint_mut method incorrectly checked if indices were within the slab's capacity instead of its length, allowing access to uninitialized memory. This could lead to undefined behavior or potential crashes. This has...

CVSS 5.1, EPSS 0.00115
Exploits: 0, References: 3

CVE
added 2025/08/11 11:0 p.m., 66 views

CVE-2025-55159

CVE-2025-55159 concerns the slab crate (Rust) where in version 0.4.10 get_disjoint_mut incorrectly validated indices against the slab length instead of capacity, enabling access to uninitialized memory. This could cause undefined behavior or crashes. The issue has been fixed in slab 0.4.11. A pra...

CVSS 5.1, AI score 7.1, EPSS 0.00115
Exploits: 0, References: 3