ArgoCD Project API Token Repository Credentials Exposure

Argo CD API tokens with project-level permissions are able to retrieve sensitive repository credentials usernames, passwords through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets. This vulnerability...

CVE-2018-25383 Free MP3 CD Ripper 2.8 Buffer Overflow SEH DEP Bypass

Free MP3 CD Ripper 2.8 contains a stack-based buffer overflow vulnerability in WMA file processing that allows local attackers to bypass DEP protection via structured exception handling manipulation. Attackers can craft a malicious WMA file that triggers the overflow when loaded through the Conve...

CVE-2018-25383

CVE-2018-25383 affects Free MP3 CD Ripper 2.8. The vulnerability is a stack-based buffer overflow in WMA file processing within the Convert function, allowing a local attacker to bypass DEP via SEH manipulation and execute arbitrary code (via a ROP chain and shellcode injection). The impact is lo...

Typosquatted npm packages used to steal cloud and CI/CD secrets

In this article 1. Attack chain overview 1. The lure: typosquats and spoofed metadata 2. Execution: npm lifecycle hook abuse 3. Gen-1 stager: HTTP C2 beacon and payload drop 4. Gen-2 stager: abusing the legitimate Bun runtime as a loader 5. Credential theft 6. Impact and blast radius 2. Mitigatio...

Supply Chain Compromises Impact Nx Console and GitHub Repositories

CISA is prioritizing the response to multiple emerging software supply chain intrusion campaigns targeting developer ecosystems Continuous Integration/Continuous Development CI/CD pipelines. These recent incidents, including the GitHub compromise via a malicious Nx Console Visual Studio Code VS...

PT-2026-44730

Relevant Products/Components: trestle/core/commands/author/jinja.py trestle author jinja --- Detailed Description: The -o/--output argument in trestle author jinja allows writing files outside the intended workspace. The application does not properly validate: ../ .. absolute paths This allows...

Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Argoproj Argo_Cd

CVE-2026-42880 — ArgoCD Secret Exposure via ServerSideDiff A...

GHSA-H98R-WV3H-FR38 vulnerabilities

Vulnerabilities for packages: argo-cd, argocd-image-updater...

CVE-2026-45738 vulnerabilities

Vulnerabilities for packages: argo-cd, argocd-image-updater...

GHSA-M7CR-M3PV-HGRP vulnerabilities

Vulnerabilities for packages: nfpm, crossplane, src-fingerprint, snyk-cli, kaniko, melange, grype, grafana-alloy, gitsign, dagger, steampipe, external-secrets-operator, kargo, scorecard, argo-cd, flux-image-automation-controller, syft, act, tfsec, argocd-image-updater, xeol, kots, k9s,...

GHSA-CRHJ-59GH-8X96 vulnerabilities

Vulnerabilities for packages: nfpm, crossplane, src-fingerprint, snyk-cli, kaniko, melange, grype, grafana-alloy, gitsign, dagger, steampipe, external-secrets-operator, kargo, scorecard, argo-cd, flux-image-automation-controller, syft, act, tfsec, argocd-image-updater, xeol, kots, k9s,...

CVE-2026-45571 vulnerabilities

Vulnerabilities for packages: nfpm, crossplane, src-fingerprint, snyk-cli, kaniko, melange, grype, grafana-alloy, gitsign, dagger, steampipe, external-secrets-operator, kargo, scorecard, argo-cd, flux-image-automation-controller, syft, act, tfsec, argocd-image-updater, xeol, kots, k9s,...

CVE-2026-45570 vulnerabilities

Vulnerabilities for packages: nfpm, crossplane, src-fingerprint, snyk-cli, kaniko, melange, grype, grafana-alloy, gitsign, dagger, steampipe, external-secrets-operator, kargo, scorecard, argo-cd, flux-image-automation-controller, syft, act, tfsec, argocd-image-updater, xeol, kots, k9s,...

CVE-2026-45738 vulnerabilities

Vulnerabilities for packages: argocd-image-updater, argocd-image-updater-fips, argo-cd...

GHSA-H98R-WV3H-FR38 vulnerabilities

Vulnerabilities for packages: argocd-image-updater, argocd-image-updater-fips, argo-cd...

GHSA-CRHJ-59GH-8X96 vulnerabilities

Vulnerabilities for packages: grafana-alloy, zarf, chainloop-cli-fips, amazon-ssm-agent, cloudbeat-fips, kots, flux-image-automation-controller, kubescape-server, gitlab-rails-ce, grype-db, skaffold, gitlab-rails-ce-fips, kubevela, gitlab-runner, external-secrets-operator, gomplate,...

CVE-2026-45571 vulnerabilities

Vulnerabilities for packages: grafana-alloy, zarf, chainloop-cli-fips, amazon-ssm-agent, cloudbeat-fips, kots, flux-image-automation-controller, kubescape-server, gitlab-rails-ce, grype-db, skaffold, gitlab-rails-ce-fips, kubevela, gitlab-runner, external-secrets-operator, gomplate,...

CVE-2026-45570 vulnerabilities

Vulnerabilities for packages: grafana-alloy, zarf, chainloop-cli-fips, amazon-ssm-agent, cloudbeat-fips, kots, flux-image-automation-controller, kubescape-server, gitlab-rails-ce, grype-db, skaffold, gitlab-rails-ce-fips, kubevela, gitlab-runner, external-secrets-operator, gomplate,...

Mini Shai Hulud: Compromised @antv npm packages enable CI/CD credential theft

In this article 1. Attack chain overview 1. Technical analysis 2. How GitHub took action to prevent further harm 2. Mitigation and protection guidance 1. Microsoft Defender XDR Detections 2. Microsoft Defender XDR Threat analytics 3. Advanced hunting 4. Indicators of Compromise IOC 3. References ...

Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation

Summary A user with application write access developer role can set link.argocd.argoproj.io/ annotations on any ArgoCD Application. These annotation values are rendered in the Summary tab's URLs section as elements without URL validation. Using the pipe-separator trick Display Text |...