67 matches found
sbom-risk-analyzer
SBOM-Risk-Analyzer Exploitability-weighted vulnerability pri...
S3C2 Summit 2025-07: Government Secure Supply Chain Summit
Software supply chains, while providing immense economic and software development value, are only as strong as their weakest link. Over the past several years, there has been an exponential increase in cyberattacks specifically targeting vulnerable links in critical software supply chains. The...
GHSA-389R-GV7P-R3RP vulnerabilities
Vulnerabilities for packages: kots, apko, bom, cerbos, kyverno, nfpm, nuclei, argocd-image-updater, terragrunt, pulumi-language-yaml, dagger, melange, flux-image-automation-controller, skaffold, external-secrets-operator, argo-workflows, trivy, witness, xeol, tfsec, osv-scanner, argo-events,...
GHSA-PMWQ-PJRM-6P5R vulnerabilities
Vulnerabilities for packages: rekor, bom, vexctl, kyverno, spire-server, dagger, skaffold, aactl, trivy, docker, kyverno-notation-aws, docker-compose, tflint, gitsign, falcoctl, goreleaser, slsa-verifier, neuvector-sigstore-interface, kubescape, tkn, zarf, ko, teleport, policy-controller, zot,...
[SECURITY] Fedora 43 Update: trivy-0.69.3-1.fc43
Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more...
Towards Predicting Multi-Vulnerability Attack Chains in Software Supply Chains from Software Bill of Materials Graphs
Software supply chain security compromises often stem from cascaded interactions of vulnerabilities, for example, between multiple vulnerable components. Yet, Software Bill of Materials SBOM-based pipelines for security analysis typically treat scanner findings as independent per-CVE Common...
GHSA-GM2X-2G9H-CCM8 vulnerabilities
Vulnerabilities for packages: kots, apko, bom, cerbos, kyverno, nfpm, nuclei, argocd-image-updater, pulumi-language-yaml, dagger, melange, flux-image-automation-controller, skaffold, external-secrets-operator, argo-workflows, trivy, witness, xeol, tfsec, osv-scanner, argo-events, gomplate, kaniko...
spdx-sboms
No d...
sboms
No d...
CVE-2026-33481
A flaw was found in Syft, a tool for generating Software Bill of Materials SBOM. When Syft scans large or highly compressed archives, it unpacks them into temporary storage. If this process exhausts the temporary storage, Syft fails to properly clean up these files. This can lead to the temporary...
Exploit for Uncontrolled Resource Consumption in Siemens 6Bk1602-0Aa12-0Tp0_Firmware
SBOM CVE Scanner - Enhanced Edition A comprehensive Python to...
CVE-2026-25145 melange has a path traversal in license-path which allows reading files outside workspace
melange allows users to build apk packages using declarative pipelines. From version 0.14.0 to before 0.40.3, an attacker who can influence a melange configuration file e.g., through pull request-driven CI or build-as-a-service scenarios could read arbitrary files from the host system. The...
CVE-2026-25145 melange has a path traversal in license-path which allows reading files outside workspace
melange allows users to build apk packages using declarative pipelines. From version 0.14.0 to before 0.40.3, an attacker who can influence a melange configuration file e.g., through pull request-driven CI or build-as-a-service scenarios could read arbitrary files from the host system. The...
Uncovering Hidden Inclusions of Vulnerable Dependencies in Real-World Java Projects
Open-source software OSS dependencies are a dominant component of modern software code bases. Using proven and well-tested OSS components lets developers reduce development time and cost while improving quality. However, heavy reliance on open-source software also introduces significant security...
Altium Enterprise Server security vulnerabilities
Altium Enterprise Server is a localization data management server developed by Altium Corporation in the United States. Version 7.0.3 of Altium Enterprise Server contains a security vulnerability. This vulnerability stems from a stored-xss attack in the Description field of the BOM Viewer, which...
CVE-2024-39909
KubeClarity is a tool for detection and management of Software Bill Of Materials SBOM and vulnerabilities of container images and filesystems. A time/boolean SQL Injection is present in the following resource /api/applicationResources via the following parameter packageID. As it can be seen in...
cyclonedx-core-java: CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection
An XML External Entity XXE injection vulnerability was found in the CycloneDX Java core library’s XML validation step where the XML Validator was not configured securely. When a specially crafted CycloneDX BOM XML is validated, external XML entities can be processed XXE, allowing an attacker to...
A Reality Check on SBOM-Based Vulnerability Management: An Empirical Study and a Path Forward
The Software Bill of Materials SBOM is a critical tool for securing the software supply chain SSC, but its practical utility is undermined by inaccuracies in both its generation and its application in vulnerability scanning. This paper presents a large-scale empirical study on 2,414 open-source...
EUVD-2025-50813
The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Starting in version 2.1.0 and prior to version 11.0.1, the XML Validator used by cyclonedx-core-java was not configured securely, making the library...
CVE-2025-61723 vulnerabilities
Vulnerabilities for packages: secrets-store-csi-driver-provider-aws, kubernetes-event-exporter, sigstore-scaffolding, prometheus-alertmanager, regclient, jitsucom-bulker, aws-s3-controller, scorecard, rekor, vault-k8s, bom, php-fpmexporter, http-echo, kube-rbac-proxy, mage, velero-plugin-for-csi,...