Lucene search

7991 matches found

vulnersOsv
added 2026/03/02 9:40 p.m., 5 views

@oneuptime/cli (>=10.0.10 <=10.0.11) potentially affected by CVE-2026-28787 via @oneuptime/common (>=10.0.10 <=10.0.11)

@oneuptime/common NPM version =10.0.10, =10.0.10, =10.0.11 Source cves: CVE-2026-28787 Source advisory: OSV:GHSA-GJJC-PCWP-C74M...

CVSS 9, AI score 5.8, EPSS 0.00276
Exploits: 1
Chainguard
added 2026/02/28 7:17 p.m., 5 views

GHSA-9H8M-3FM2-QJRQ vulnerabilities

Vulnerabilities for packages: trivy, knative-net-istio-fips, datadog-agent, restic-fips, fulcio, elastic-agent, google-osconfig-agent, kapp-controller-fips, k8sgateway, envoy-gateway-fips, flux-kustomize-controller-fips, gatekeeper-fips, apm-server-fips, containerd, gitaly, juicefs,...

AI score 5.8
Exploits: 0
vulnersOsv
added 2026/02/28 12:15 a.m., 2 views

indexdoc-converter (>=0.2.4 <=0.2.7), pdd-cli (>=0.0.70 <=0.0.250) +1 more potentially affected by CVE-2026-28231 via pillow-heif (>=1.1.1 <=1.2.0)

pillow-heif PYPI version =1.1.1, =0.2.4, =0.0.70, =0.4.0, =0.13.1 Source cves: CVE-2026-28231 Source advisory: SNYK:PYTHON-PILLOWHEIF-15426536...

CVSS 9.1, AI score 5.4, EPSS 0.00632
Exploits: 1
Snyk
added 2026/02/27 3:50 p.m., 5 views

Incorrect Default Permissions

Overview: Affected versions of this package are vulnerable to Incorrect Default Permissions in the clihistory feature. An attacker can access sensitive command history and API request/response data by reading the history database file if it is created with default permissions on a multi-user Unix...

CVSS 4.9, AI score 6
Exploits: 0, References: 2
OSV
added 2026/02/27 2:17 a.m., 4 views

GO-2026-4556 Vikunja has Path Traversal in CLI Restore in code.vikunja.io/api

Vikunja has Path Traversal in CLI Restore in code.vikunja.io/api...

CVSS 7.2, AI score 5.8, EPSS 0.00739
Exploits: 1, References: 4
OPENSUSE Linux
added 2026/02/27 12:0 a.m., 3 views

digger-cli-0.6.143-1.1 on GA media (moderate)

digger-cli-0.6.143-1.1 on GA media Announcement ID: openSUSE-SU-2026:10260-1 Rating: moderate Cross-References: CVE-2025-61729 CVSS scores: CVE-2025-61729 SUSE : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-61729 SUSE : 8.7...

CVSS 8.7, AI score 6, EPSS 0.00451
Exploits: 2
RedhatCVE
added 2026/02/26 10:35 p.m., 4 views

CVE-2026-20037

A vulnerability in the NX-OS CLI privilege levels of Cisco UCS Manager Software could allow an authenticated, local attacker with read-only privileges to modify files and perform unauthorized actions on an affected system. This vulnerability exists because unnecessary privileges are given to the...

CVSS 4.4, AI score 5.5, EPSS 0.00095
Exploits: 0, References: 1
RedhatCVE
added 2026/02/26 10:35 p.m., 5 views

CVE-2026-20107

A vulnerability in the Object Model CLI component of Cisco Application Policy Infrastructure Controller (APIC) could allow an authenticated, local attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. To exploit this vulnerability, the attacker...

CVSS 5.5, AI score 5.8, EPSS 0.00087
Exploits: 0, References: 1
vulnersOsv
added 2026/02/26 10:7 p.m., 4 views

@graphql-mesh/plugin-rate-limit (>=0.2.23 <=1.0.0-alpha-20230524103718-9e72bdbec), @graphql-mesh/plugin-snapshot (>=0.1.24 <=1.0.0-alpha-20230524103718-9e72bdbec) +13 more potentially affected by CVE-2026-27904 via minimatch (>=8.0.2 <=8.0.4)

minimatch NPM version =8.0.2, =0.2.23, =0.1.24, =0.15.24, =2.0.0-beta.0, =0.42.1, =0.42.1, =0.42.1, =0.42.1, =0.42.1, =0.42.1, =0.42.1, =0.42.1, =1.6.0, =1.4.1, =1.4.4 Source cves: CVE-2026-27904 Source advisory: OSV:GHSA-23C5-XMQV-RM74...

CVSS 7.5, AI score 7, EPSS 0.00455
Exploits: 1
vulnersOsv
added 2026/02/26 10:7 p.m., 5 views

@adobe-apimesh/mesh-builder (=1.4.0-beta.5), @akylas/nativescript-cli (>=8.7.2 <=8.8.2) +317 more potentially affected by CVE-2026-27904 via minimatch (>=7.0.0 <=7.4.6)

minimatch NPM version =7.0.0, =8.7.2, =5.5.0-682, =0.0.6, =3.6.0, =2.6.0, =2.5.0, =3.6.0, =4.6.0, =1.11.0, =4.0.0, =2.0.7, =2.0.4, =1.2.1, =1.3.1 - @digit-ui/digit-ui-module-common =1.3.0 and more Source cves: CVE-2026-27904 Source advisory: OSV:GHSA-23C5-XMQV-RM74...

CVSS 7.5, AI score 7.2, EPSS 0.00455
Exploits: 1
Wolfi
added 2026/02/26 7:48 p.m., 7 views

CVE-2026-1229 vulnerabilities

Vulnerabilities for packages: xeol, crossplane-provider-family-azure, pulumi-language-yaml, crossplane-provider-aws-eks, crossplane-provider-aws-elasticache, ksops, rancher-fleet, docker-cli-buildx, apko, flux, crossplane-provider-aws-s3, terraform-provider-pagerduty, kyverno,...

CVSS 9.8, AI score 7.3, EPSS 0.00397
Exploits: 0
Wolfi
added 2026/02/26 7:48 p.m., 9 views

GHSA-Q9HV-HPM4-HJ6X vulnerabilities

Vulnerabilities for packages: xeol, crossplane-provider-family-azure, pulumi-language-yaml, crossplane-provider-aws-eks, crossplane-provider-aws-elasticache, ksops, rancher-fleet, docker-cli-buildx, apko, flux, crossplane-provider-aws-s3, terraform-provider-pagerduty, kyverno,...

AI score 5.8
Exploits: 0
Chainguard
added 2026/02/26 7:17 p.m., 7 views

CVE-2026-1229 vulnerabilities

Vulnerabilities for packages: trivy, reports-server, datadog-agent, nuclei, cert-manager-cmctl, crossplane-provider-azure-managedidentity, terragrunt, livekit-cli, atlantis, gitlab-runner, crossplane-provider-aws-cloudwatchlogs-fips, scorecard, crossplane-provider-aws-route53-fips,...

CVSS 9.8, AI score 7.3, EPSS 0.00397
Exploits: 0
OSV
added 2026/02/26 3:23 p.m., 6 views

GHSA-42WG-38GX-85RH Vikunja has Path Traversal in CLI Restore

Summary: Path Traversal (Zip Slip) and Denial of Service (DoS) vulnerability discovered in the Vikunja CLI's restore functionality. Details: The restoreConfig function in vikunja/pkg/modules/dump/restore.go of the https://github.com/go-vikunja/vikunja/tree/main repository fails to sanitize file paths...

CVSS 7.2, AI score 5.8, EPSS 0.00739
Exploits: 1, References: 5
Github Security Blog
added 2026/02/26 3:23 p.m., 7 views

Vikunja has Path Traversal in CLI Restore

Summary: Path Traversal (Zip Slip) and Denial of Service (DoS) vulnerability discovered in the Vikunja CLI's restore functionality. Details: The restoreConfig function in vikunja/pkg/modules/dump/restore.go of the https://github.com/go-vikunja/vikunja/tree/main repository fails to sanitize file paths...

CVSS 7.2, AI score 5.8, EPSS 0.00739
Exploits: 1, References: 5, Affected Software: 1
OSV
added 2026/02/26 3:16 p.m., 7 views

GHSA-VJQX-CFC4-9H6V mcp-server-git : Path traversal in git_add allows staging files outside repository boundaries

In mcp-server-git versions prior to 2026.1.14, the git_add tool did not validate that file paths provided in the files argument were within the repository boundaries. The tool used GitPython's repo.index.add, which did not enforce working-tree boundary checks for relative paths. As a result,...

CVSS 6.4, AI score 5.6, EPSS 0.00287
Exploits: 0, References: 5
Github Security Blog
added 2026/02/26 3:16 p.m., 37 views

mcp-server-git : Path traversal in git_add allows staging files outside repository boundaries

In mcp-server-git versions prior to 2026.1.14, the git_add tool did not validate that file paths provided in the files argument were within the repository boundaries. The tool used GitPython's repo.index.add, which did not enforce working-tree boundary checks for relative paths. As a result,...

CVSS 6.5, AI score 5.4, EPSS 0.00287
Exploits: 0, References: 5, Affected Software: 1
OSV
added 2026/02/26 8:39 a.m., 7 views

BIT-AIRFLOW-2025-27555 Apache Airflow: Connection Secrets not masked in UI when Connection are added via Airflow cli

Airflow versions before 2.11.1 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive connection parameters were set via airflow CLI, values of those variables appeared in the audit log and were...

CVSS 6.5, AI score 5.5, EPSS 0.00363
Exploits: 0, References: 3
OSV
added 2026/02/26 12:0 a.m., 3 views

OPENSUSE-SU-2026:10260-1 digger-cli-0.6.143-1.1 on GA media

These are all security issues fixed in the digger-cli-0.6.143-1.1 package on the GA media of openSUSE Tumbleweed...

CVSS 7.5, AI score 5.8, EPSS 0.00451
Exploits: 2, References: 1
Cvelist
added 2026/02/25 9:40 p.m., 24 views

CVE-2026-27819 Vikunja has Path Traversal in CLI Restore

Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the restoreConfig function in vikunja/pkg/modules/dump/restore.go of the go-vikunja/vikunja repository fails to sanitize file paths within the provided ZIP archive. A maliciously crafted ZIP can bypass the...

CVSS 7.2, EPSS 0.00739
Exploits: 1, References: 2