7887 matches found
@senoldogann/code-companion (>=0.1.38 <=0.1.56), @treeseed/agent (=0.8.5) +5 more potentially affected by CVE-2026-45033 via @github/copilot (>=1.0.27 <=1.0.40)
@github/copilot NPM version =1.0.27, =0.1.38, =0.6.0, =0.6.1, =0.6.8, =1.0.0, =2.0.0 - @vibe-forge/client =1.0.0 Source cves: CVE-2026-45033 Source advisory: SNYK:JS-GITHUBCOPILOT-16642141...
MAL-2026-3424 Malicious code in dlocal-cli (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 9cfdf8d83ac7dc528caac3292d1b02ba162629b349789149fbbfcb7094f778b0 Generic campaign for all likely research / pentests, where the amount or art of collected data raises questions about the privacy, security and ethical side. -...
PT-2026-39901
Name of the Vulnerable Software and Affected Versions GitHub Copilot CLI versions prior to 1.0.43 Description An issue exists where a malicious bare git repository nested inside a project directory can lead to arbitrary code execution when the agent performs git operations. By exploiting git's...
N4V3R41N-Suite
N4V3R41N: The Ultimate Unified iOS Exploit & Bypass Suite !V...
GHSA-PMWQ-PJRM-6P5R vulnerabilities
Vulnerabilities for packages: chainctl-fips, kubescape, tflint, kyverno-notation-aws, tkn, zot, cosign-fips, chainloop-control-plane-fips, cosign, ko-fips, cloudbeat, zarf-fips, rekor-fips, gitlab-runner, image-factory-fips, cloudbeat-fips, chainloop-cli-fips, docker-fips, gitsign,...
GHSA-5M4P-2GJX-P2G8 vulnerabilities
Vulnerabilities for packages: sops, cluster-autoscaler, cloud-provider-aws, kube-arangodb, opencost, otel-cli, octo-sts, vault-benchmark, cert-exporter, tkn, mods, secrets-store-csi-driver-provider-azure, nuclei, zot, runc, spark-operator, redpanda, act, conjur-cli, sftpgo-plugin-pubsub, tw,...
CVE-2026-40973 vulnerabilities
Vulnerabilities for packages: keycloak-config-cli, zipkin, thingsboard, apache-nifi-registry...
GHSA-WWPQ-F5C3-7HVX vulnerabilities
Vulnerabilities for packages: keycloak-config-cli, zipkin, thingsboard, apache-nifi-registry...
CVE-2026-40973 vulnerabilities
Vulnerabilities for packages: kafbat-ui, kafbat-ui-fips, apache-nifi-registry, nacos-docker, keycloak-config-cli, nacos, thingsboard, camunda-zeebe, zipkin...
GHSA-WWPQ-F5C3-7HVX vulnerabilities
Vulnerabilities for packages: kafbat-ui, kafbat-ui-fips, apache-nifi-registry, nacos-docker, keycloak-config-cli, nacos, thingsboard, camunda-zeebe, zipkin...
com.github.cafaudit:caf-audit-binding-elasticsearch (>=5.0.3-1321 <=5.0.4-1329), com.github.cafaudit:caf-audit-monkey-container (>=5.0.3-1321 <=5.0.4-1329) +80 more potentially affected by CVE-2026-8149 via org.bouncycastle:bc-fips (>=2.1.0 <=2.1.1)
org.bouncycastle:bc-fips MAVEN version =2.1.0, =5.0.3-1321, =5.0.3-1321, =5.0.3-1321, =5.0.3-1321, =3.1.2-822, =3.1.2-822, =3.1.2-822, =3.1.2-822, =4.10.0, =4.10.0, =4.10.0, =4.10.0, =4.10.0, =4.10.2 and more Source cves: CVE-2026-8149 Source advisory:...
CVE-2026-42150 wlc: print_html outputs API data without HTML escaping, enabling stored XSS
wlc is a Weblate command-line client using Weblate's REST API. Prior to version 2.0.0, the HTML output format in wlc embeds API response data into HTML without escaping, allowing cross-site scripting when the output is rendered in a browser. This issue has been patched in version 2.0.0...
GHSA-XHRW-5QXX-JPWR Microsoft APM CLI's plugin.json component paths escape plugin root and copy arbitrary host files during install
Summary Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.json into .apm/. The manifest fields agents, skills, commands, and hooks are attacker-controlled, but the implementation does not enforce that those paths remain inside the plugin directory. A...
Wordfence Intelligence Weekly WordPress Vulnerability Report (April 27, 2026 to May 3, 2026)
Last week, there were 87 vulnerabilities disclosed in 198 WordPress Plugins and 5 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 61 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities ...
@kyoji2/intercom-cli (>=0.1.0 <=0.1.6), @types/intercom-client (=3.0.0) +2 more potentially affected by unknown CVE via intercom-client (>=7.0.1 <=7.0.3)
intercom-client NPM version =7.0.1, =0.1.0, =3.0.14, =3.0.31 Source cves: unknown CVE Source advisory: OSV:GHSA-54PG-9963-V8VG...
CVE-2026-42338 vulnerabilities
Vulnerabilities for packages: kibana, lerna, wazuh-dashboard-fips, saf, wazuh-dashboard, npm, kubeflow-pipelines, tileserver-gl-fips, actions-runner, gemini-cli, opensearch-dashboards, tileserver-gl, prism, pulumi, librechat, sqlpad, opensearch-dashboards-fips, code-server, langfuse-fips, renovat...
GHSA-PGF8-2HGJ-GRQG Vercel: Non-interactive mode includes CLI arguments in suggested command output
Summary When the Vercel CLI runs in non-interactive mode --non-interactive or auto-detected AI agent, commands that cannot complete autonomously emit JSON payloads with suggested follow-up commands. If the user authenticated via --token or -t on the command line, the token value is included...
NPM: Vercel: Non-interactive mode includes CLI arguments in suggested command output
NPM: Vercel: Non-interactive mode includes CLI arguments in suggested command output vulnerability discovered by ? in WordPress Npm vercel versions = 50.16.0, = 52.0.0...
PT-2026-38545
A vulnerability has been found in router-for-me CLIProxyAPI 6.9.29. Affected by this issue is some unknown functionality of the file internal/api/handlers/management/api tools.go of the component API Interface. The manipulation of the argument url leads to server-side request forgery. Remote...