MAL-2026-3457 Malicious code in @supersurkhet/cli (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3219a7aa4b5f19cda44ae4217d0cf1d596988bd05ea1645b489ec579c50bcf17 The package @supersurkhet/cli was found to contain malicious code. Source: ghsa-malware...

MAL-2026-3472 Malicious code in @tanstack/router-cli (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 3a4625c6f00a64d5f9c4d9fe41182c90a5d06c2a6cf72046d9a1e76d65295444 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

@antidrawapp/runtime (>=0.1.0 <=0.1.1), @ardeora/start-devtools (>=1.0.0 <=1.0.1) +99 more potentially affected by CVE-2026-45321 via @tanstack/history (>=1.0.0 <=1.15.13)

@tanstack/history NPM version =1.0.0, =0.1.0, =1.0.0, =0.6.2, =0.6.2, =0.1.1, =0.1.1, =0.6.2, =0.2.2, =0.3.0, =0.6.0, =0.2.2, =1.0.0, =1.0.9, =1.1.0, =1.1.2, =1.6.2 and more Source cves: CVE-2026-45321 Source advisory: SNYK:JS-TANSTACKHISTORY-16640204...

@tanstack/react-router-ssr-query (>=1.121.0-alpha.28 <=1.166.12), @tanstack/solid-router-ssr-query (>=1.133.19 <=2.0.0-beta.20) +3 more potentially affected by CVE-2026-45321 via @tanstack/router-ssr-query-core (>=1.121.0-alpha.28 <=1.168.0)

@tanstack/router-ssr-query-core NPM version =1.121.0-alpha.28, =1.121.0-alpha.28, =1.133.19, =1.140.0, =0.1.0, =0.0.0-dev, =0.23.0 Source cves: CVE-2026-45321 Source advisory: SNYK:JS-TANSTACKROUTERSSRQUERYCORE-16640223...

@senoldogann/code-companion (>=0.1.38 <=0.1.56), @treeseed/agent (>=0.8.5 <=0.10.0) +6 more potentially affected by CVE-2026-45033 via @github/copilot (>=1.0.27 <=1.0.40)

@github/copilot NPM version =1.0.27, =0.1.38, =0.8.5, =0.6.0, =0.6.1, =0.6.8, =1.0.0, =2.0.0 - @vibe-forge/client =1.0.0 - bitbucket-copilot-pr-review =0.5.1 Source cves: CVE-2026-45033 Source advisory: SNYK:JS-GITHUBCOPILOT-16642141...

GitHub Copilot CLI: Nested Bare Repository Can Execute Arbitrary Commands via core.fsmonitor

Summary A security vulnerability has been identified in GitHub Copilot CLI where a malicious bare git repository nested inside a project directory can achieve arbitrary code execution when the agent performs git operations. By exploiting git's automatic bare repository discovery during directory...

Malicious code in dlocal-cli (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 9cfdf8d83ac7dc528caac3292d1b02ba162629b349789149fbbfcb7094f778b0 Generic campaign for all likely research / pentests, where the amount or art of collected data raises questions about the privacy, security and ethical side. -...

MAL-2026-3424 Malicious code in dlocal-cli (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 9cfdf8d83ac7dc528caac3292d1b02ba162629b349789149fbbfcb7094f778b0 Generic campaign for all likely research / pentests, where the amount or art of collected data raises questions about the privacy, security and ethical side. -...

PT-2026-39901

Name of the Vulnerable Software and Affected Versions GitHub Copilot CLI versions prior to 1.0.43 Description An issue exists where a malicious bare git repository nested inside a project directory can lead to arbitrary code execution when the agent performs git operations. By exploiting git's...

N4V3R41N-Suite

N4V3R41N: The Ultimate Unified iOS Exploit & Bypass Suite !V...

GHSA-PMWQ-PJRM-6P5R vulnerabilities

Vulnerabilities for packages: jfrog-cli, image-factory-fips, docker-compose-fips, guac, kyverno-policy-reporter-plugins-kyverno-fips, docker-compose, neuvector-sigstore-interface, kubescape, buildkitd-fips, rekor, tflint-fips, cloudbeat-fips, cg, gitlab-runner-fips, zot, gitsign, trivy-fips,...

GHSA-5M4P-2GJX-P2G8 vulnerabilities

Vulnerabilities for packages: runc, sops, grafana-mimir, ratify, tw, grafana-pyroscope, vault-secrets-webhook, lvm-driver, dask-gateway, ko, local-static-provisioner, temporal-server, govulncheck, addon-resizer, metrics-server, http-echo, apache-exporter, k8sgpt, zot, hivemind, juicefs, kpt,...

accessiqlue (=2025.12.21154255), agent-builder (>=0.0.2 <=0.1.7) +345 more potentially affected by CVE-2026-44843 via langchain-core (>=1.0.0a8 <=1.3.2)

langchain-core PYPI version =1.0.0a8, =0.0.2, =0.1.0, =0.1.0, =0.1.0, =0.1.1 - ai-benchmark-analyzer =2025.12.21193050 - ai-claim-essence =2025.12.20202921 - ai-design-insights =2025.12.21145447 - ai-mysql-translator =2025.12.21101721 - ai-reliability-analyzer =2025.12.21171415 - ai-risk-extracto...

GHSA-WWPQ-F5C3-7HVX vulnerabilities

Vulnerabilities for packages: keycloak-config-cli, zipkin, apache-nifi-registry, thingsboard...

CVE-2026-40973 vulnerabilities

Vulnerabilities for packages: keycloak-config-cli, zipkin, apache-nifi-registry, thingsboard...

GHSA-WWPQ-F5C3-7HVX vulnerabilities

Vulnerabilities for packages: nacos, zipkin, nacos-docker, thingsboard, kafbat-ui-fips, camunda-zeebe, apache-nifi-registry, kafbat-ui, keycloak-config-cli...

CVE-2026-40973 vulnerabilities

Vulnerabilities for packages: nacos, zipkin, nacos-docker, thingsboard, kafbat-ui-fips, camunda-zeebe, apache-nifi-registry, kafbat-ui, keycloak-config-cli...

com.github.cafaudit:caf-audit-binding-elasticsearch (>=5.0.3-1321 <=5.0.4-1329), com.github.cafaudit:caf-audit-monkey-container (>=5.0.3-1321 <=5.0.4-1329) +80 more potentially affected by CVE-2026-8149 via org.bouncycastle:bc-fips (>=2.1.0 <=2.1.1)

org.bouncycastle:bc-fips MAVEN version =2.1.0, =5.0.3-1321, =5.0.3-1321, =5.0.3-1321, =5.0.3-1321, =3.1.2-822, =3.1.2-822, =3.1.2-822, =3.1.2-822, =4.10.0, =4.10.0, =4.10.0, =4.10.0, =4.10.0, =4.10.2 and more Source cves: CVE-2026-8149 Source advisory:...

CVE-2026-42150 wlc: print_html outputs API data without HTML escaping, enabling stored XSS

wlc is a Weblate command-line client using Weblate's REST API. Prior to version 2.0.0, the HTML output format in wlc embeds API response data into HTML without escaping, allowing cross-site scripting when the output is rendered in a browser. This issue has been patched in version 2.0.0...

GHSA-XHRW-5QXX-JPWR Microsoft APM CLI's plugin.json component paths escape plugin root and copy arbitrary host files during install

Summary Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.json into .apm/. The manifest fields agents, skills, commands, and hooks are attacker-controlled, but the implementation does not enforce that those paths remain inside the plugin directory. A...