CVE-2026-56311 Capgo - Unauthenticated Cross-Tenant Disclosure via get_current_plan_max_org RPC

Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.getcurrentplanmaxorg RPC function that allows unauthenticated attackers to retrieve arbitrary organization plan limits. Attackers can call the RPC endpoint with any organization UUID using only the public Supabase...

CVE-2026-56082 Supabase - Unauthenticated Cross-Tenant Billing Log Tampering via public.record_build_time RPC

Capgo Cap-go/capgo before 12.128.2 contains an improper access control vulnerability in the SECURITY DEFINER PostgREST RPC function public.recordbuildtime, which is granted to the anon role and callable with only the public Supabase publishable sbpublishable anon key. An unauthenticated attacker...

CVE-2026-56082 Capgo - Unauthenticated Cross-Tenant Billing Log Tampering via public.record_build_time RPC

Capgo Cap-go/capgo before 12.128.2 contains an improper access control vulnerability in the SECURITY DEFINER PostgREST RPC function public.recordbuildtime, which is granted to the anon role and callable with only the public Supabase publishable sbpublishable anon key. An unauthenticated attacker...

Cross-site Scripting (XSS)

Overview astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the addAttribute function, which interpolates unescaped object keys as HTML attribute names when spreadi...

Malicious code in vite-plugin-logo (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b107e832dfd60ded8637d9a6db69c980eae13bde79da4cd01d69c5a1110aca2b On require, index.js walks up to 5 parent directories searching for public/assets/logo.png, scans the file bytes for the marker VITEASSETCACHEv1,...

Malicious code in vite-plugin-compress-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ba5cca8be2f19842c304f355a2219256b3af26e9df385ec314ea6899621110aa On module load, the package's initPlugin function performs an HTTP GET to https://www.jsonkeeper.com/b/OTOAQ an anonymous public JSON-paste host and...

MAL-2026-5713 Malicious code in vite-plugin-compress-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ba5cca8be2f19842c304f355a2219256b3af26e9df385ec314ea6899621110aa On module load, the package's initPlugin function performs an HTTP GET to https://www.jsonkeeper.com/b/OTOAQ an anonymous public JSON-paste host and...

CVE-2026-49821 Fission: Cross-namespace Environment reference in Package allows build-time command execution and SA token exfiltration

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's buildermgr controller processed Package CRDs without verifying that Package.spec.environment.namespace matched...

CVE-2026-49821

Fission (Kubernetes-native serverless framework) prior to v1.24.0 is affected where the buildermgr controller processed Package CRDs without validating that Package.spec.environment.namespace equals Package.metadata.namespace. This cross-namespace environment reference could enable build-time com...

MAL-2026-4794 Malicious code in indextts-cli (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fc206ef48bfccaec8e81aac2b666e2d54a4a027e8432cc1d08d3823cf333caca setup.py executes git clone --depth 1 --branch dev-3.12 https://github.com/gabry-lab/index-tts during the buildpy / egginfo / sdist / bdistwheel...

MAL-2026-4223 Malicious code in tensor-compute (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9a3d1b50077a6311a43061891fa560d2c180fbdbd12ab4965e0d265910e6ef68 [email protected] presents itself as a Rust-backed tensor library but is a dropper. setup.py registers a custom buildext command src/buildext.py...

Malicious code in @tailwind-core/postcss (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1dab944715339b0fabcf954a92fd33faacbb4d878368c36ea5a7d26d72fe2e56 Package name @tailwind-core/postcss is a one-character-class edit of the official @tailwindcss/postcss Tailwind CSS v4 PostCSS plugin, published unde...

Fedora 44 : python-jupytext (2026-301cbbe347)

The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-301cbbe347 advisory. This update contains upgrades to various npm packages used during the build to address CVEs, namely: - CVE-2025-69873 ajv - CVE-2026-0540 DOMPurify ...

Fedora 42 : python-jupytext (2026-793b55138d)

The remote Fedora 42 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-793b55138d advisory. This update contains upgrades to various npm packages used during the build to address CVEs, namely: - CVE-2025-69873 ajv - CVE-2026-0540 DOMPurify ...

Fedora 43 : python-jupytext (2026-85b819b928)

The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-85b819b928 advisory. This update contains upgrades to various npm packages used during the build to address CVEs, namely: - CVE-2025-69873 ajv - CVE-2026-0540 DOMPurify ...

TencentOS Server 4: golang (TSSA-2026:0278)

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2026:0278 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:...

Unity Linux 20.1070e Security Update: golang (UTSA-2026-017807)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017807 advisory. SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass. Tenable...

OESA-2026-2251 golang security update

. Security Fixes: SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.CVE-2026-27140 tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing...

Astra Linux – Vulnerability in Golang-1.19

The go command may execute arbitrary code during compilation when using cgo. This can occur when running “go get” on a malicious module, or when running any other command that compiles unauthorized code. This issue can be triggered by linker flags, specified via the cgo LDFLAGS directive. The...

Astra Linux - Vulnerability in Golang-1.19

The go command may execute arbitrary code during compilation when using cgo. This can occur when running “go get” on a malicious module, or when running any other command that compiles unauthorized code. This issue can be triggered by linker flags, specified via the cgo LDFLAGS directive. Flags...