CVE-2026-12003 CPython >3.11 Insecure Input Validation resulting in privilege escalation

To allow builds of Python to be run from an in-tree layout rather than an installed file layout, the VPATH variable is defined at build time and used to locate certain landmarks - specifically, Modules/setup.local. When this landmark is found relative to VPATH relative to the executable, Python...

CVE-2026-42575

apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded .apk packages against the checksum recorded in the signed index. The checksum is parsed and...

RHCOS 4 : OpenShift Container Platform 4.1.41 (RHSA-2020:1449)

The remote Red Hat Enterprise Linux CoreOS 4 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:1449 advisory. - buildah: Crafted input tar file may lead to local file overwrite during image build process CVE-2020-10696 Note that Nessus has not tested...

Linux kernel 安全漏洞

The Linux kernel is the core of the open-source operating system Linux, developed by the Linux Foundation in the United States. There is a security vulnerability in the Linux kernel, which stems from incomplete DACL validation in the functions buildsecdesc and idmodetocifsacl. This vulnerability...

CVE-2026-29050

melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, an attacker who can influence a melange configuration file — for example through pull-request-driven CI or build-as-a-service scenarios — could set pipeline.uses to a...

Vaadin Flow and the axios npm supply-chain compromise

On March 31, 2026, compromised versions of the popular axios HTTP client library 1.14.1 and 0.30.4 were published to NPM via a hijacked maintainer account. The malicious versions injected [email protected], a cross-platform RAT dropper that connected to a command-and-control server. The...

EUVD-2017-6293

Malware in sbrugna...

EUVD-2022-6489

Malicious code in bioql PyPI...

EUVD-2025-18458

Malicious code in bioql PyPI...

CVE-2025-32800

The Conda-build contains commands and tools to build Conda packages. Prior to version 25.3.0, the pyproject.toml lists conda-index as a Python dependency. This package is not published in PyPI. This flaw allows an attacker to claim this namespace, upload arbitrary malicious code to the package, a...

CVE-2025-32800

Conda-build contains commands and tools to build conda packages. Prior to version 25.3.0, the pyproject.toml lists conda-index as a Python dependency. This package is not published in PyPI. An attacker could claim this namespace and upload arbitrary malicious code to the package, and then exploit...

CVE-2025-32797 Conda-build Insecure Build Script Permissions Enabling Arbitrary Code Execution

Conda-build contains commands and tools to build conda packages. Prior to version 25.3.1, the writebuildscripts function in conda-build creates the temporary build script condabuild.sh with overly permissive file permissions 0o766, allowing write access to all users. Attackers with filesystem...

RHEL 8 : Red Hat Product OCP Tools 4.12 Openshift Jenkins (RHSA-2025:2223)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2025:2223 advisory. Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cro...

PT-2024-1534 · Oracle · Jd Edwards Enterpriseone Tools

Name of the Vulnerable Software and Affected Versions: JD Edwards EnterpriseOne Tools versions prior to 9.2.8.1 Description: The issue is related to insufficient input validation in the Package Build SEC component. It allows a high-privileged attacker with network access via JDENET to compromise ...

CVE-2021-41034

The build of some language stacks of Eclipse Che version 6 includes pulling some binaries from an unsecured HTTP endpoint. As a consequence the builds of such stacks are vulnerable to MITM attacks that allow the replacement of the original binaries with arbitrary ones. The stacks involved are Jav...

Design/Logic Flaw

The build of some language stacks of Eclipse Che version 6 includes pulling some binaries from an unsecured HTTP endpoint. As a consequence the builds of such stacks are vulnerable to MITM attacks that allow the replacement of the original binaries with arbitrary ones. The stacks involved are Jav...

CVE-2021-41034

The build of some language stacks of Eclipse Che version 6 includes pulling some binaries from an unsecured HTTP endpoint. As a consequence the builds of such stacks are vulnerable to MITM attacks that allow the replacement of the original binaries with arbitrary ones. The stacks involved are Jav...

DEBIAN-CVE-2021-26291

Apache Maven will follow repositories that are defined in a dependency’s Project Object Model pom which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository...

ant: insecure temporary file vulnerability

Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build...

GHSA-GVXV-5FP2-358Q Incorrect Resource Transfer Between Spheres in eclipse-wtp

In all versions prior to version 3.9.6 for eclipse-wtp, all versions prior to version 9.4.4 for eclipse-cdt, and all versions prior to version 3.0.1 for eclipse-groovy, Spotless was resolving dependencies over an insecure channel http. If the build occurred over an insecure connection, a maliciou...