GHSA-9PPG-JX86-FQW7 Unauthorized npm publish of [email protected] with modified postinstall script
Description On February 17, 2026 at 3:26 AM PT, an unauthorized party used a compromised npm publish token to publish an update to Cline CLI on the NPM registry: [email protected]. The published package contains a modified package.json with an added postinstall script: "postinstall": "npm install -g...
Fedora 43 : azure-cli / python-azure-core (2026-45e69bddb9)
The remote Fedora 43 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2026-45e69bddb9 advisory. Update to 1.38.0 to address CVE-2026-21226. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus...
Fedora 42 : azure-cli / python-azure-core (2026-3beebfc8ff)
The remote Fedora 42 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2026-3beebfc8ff advisory. Update to 1.38.0 to address CVE-2026-21226. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus...
RHSA-2026:2823 Red Hat Security Advisory: Updated discovery-cli release RPM versions 2.4.3
Bulletin has no description...
Important: nsight-systems-2025.5.2
Issue Overview: NVIDIA Nsight Systems contains a vulnerability in the gfxhotspot recipe, where an attacker could cause an OS command injection by supplying a malicious string to the processnsysrepcli.py script if the script is invoked manually. A successful exploit of this vulnerability might lea...
azure-cli-core-2.83.0-2.1 on GA media (moderate)
azure-cli-core-2.83.0-2.1 on GA media Announcement ID: openSUSE-SU-2026:10211-1 Rating: moderate Cross-References: CVE-2025-24049 CVSS scores: CVE-2025-24049 SUSE : 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2025-24049 SUSE : 8.6...
Important: Red Hat Security Advisory: Updated discovery-cli release RPM versions 2.4.3
Updated Discovery Release RPM 2.4.3 for discovery-cli dsc is now available for Discovery 2.4. New 2.4.3 version of discovery-cli dsc is now available for Discovery 2.4. This version contains a fix for CVE-2026-24049...
RHEL 10 / 8 / 9 : Updated discovery-cli RPM versions 2.4.3 (Important) (RHSA-2026:2823)
The remote Redhat Enterprise Linux 10 / 8 / 9 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2026:2823 advisory. New 2.4.3 version of discovery-cli dsc is now available for Discovery 2.4. This version contains a fix for CVE-2026-24049. Tenable has...
EFM iptime A6004MX code issue vulnerability
EFM iptime A6004MX is a wireless router produced by the South Korean company EFM. The EFM iptime A6004MX version 14.18.2 has a code vulnerability. This vulnerability stems from an unlimited upload function in the commitvpnclifile Upload function located in the cgi/timepro.cgi file, which could le...
GHSA-QHP6-6P8P-2RQH Wildfly Elytron integration susceptible to brute force attacks via CLI
Impact A flaw was found in Wildfly Elytron integration. The component does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks via CLI. Patches The default behaviour has been changed in...
CVE-2026-26029
sf-mcp-server is an implementation of Salesforce MCP server for Claude for Desktop. A command injection vulnerability exists in sf-mcp-server due to unsafe use of child_process.exec when constructing Salesforce CLI commands with user-controlled input. Successful exploitation allows attackers to...
`sha-rst` was removed from crates.io for malicious code
This crate was used as a dependency by finch_cli_rust and finch-rst and contained a malware payload to exfiltrate credentials. The malicious crate had 1 version published on 2025-12-08 and had been downloaded 22 times. Other than the other crates above that were part of the attack, no other crates...
GHSA-6V2J-VR4H-F632 `finch_cli_rust` was removed from crates.io for malicious code
This attempts to typosquat the existing crate finchcli to steal credentials from local files. The malicious crate had 1 version published on 2025-12-08 and had been downloaded 18 times. There were no crates depending on this crate on crates.io. Thanks to Matthias Zepper of NGI Sweden for reportin...
CVE-2026-26014 vulnerabilities
Vulnerabilities for packages: ipfs-cluster, spegel, kubo, ipfs-cluster-fips, kubo-fips, livekit-server, telegraf, rke2-runtime, livekit-cli, livekit-server-fips, k3s, spegel-fips, rke2-runtime-fips, livekit-egress...
@cognigy/cognigy-cli (>=1.9.7 <=2.1.0), @meta-1/nest-ai (>=0.0.1 <=0.0.5) +10 more potentially affected by CVE-2026-26019 via @langchain/community (>=1.0.0 <=1.1.12)
@langchain/community NPM version =1.0.0, =1.9.7, =0.0.1, =0.2.0, =0.0.16, =1.4.13, =1.0.0, =3.1.0, =0.3.0, =0.0.210, =0.1.1, =0.1.2 Source cves: CVE-2026-26019 Source advisory: SNYK:JS-LANGCHAINCOMMUNITY-15268428...
@bloggrify/bento (>=0.9.5 <=1.0.0), @bloggrify/core (>=1.6.0 <=2.0.2) +29 more potentially affected by CVE-2025-69874 via nanotar (=0.1.1)
nanotar NPM version =0.1.1 is affected by a known vulnerability. The following packages have a transitive dependency on nanotar and may be impacted: - @bloggrify/bento =0.9.5, =1.6.0, =1.3.1, =1.2.2, =0.1.2, =51.0.1, =0.3.14, =9.8.3, =1.12.0-rc.5, =0.0.0, =1.1.1, =0.50.0, =0.50.0, =51.0.2 and mor...
Malicious code in node-dotenv-cli (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 76b47bebee6a74c00d3be10fad072e05074a62b29205377f682463290bad39c3 The package node-dotenv-cli was found to contain malicious code. Source: ghsa-malware 5bb66069e2bde985ae448962eaaf6373cd54aa2cd51fb20a0fef26ecb5dee2d...
Malicious Package
Overview node-dotenv-cli is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
MAL-2026-853 Malicious code in node-dotenv-cli (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 76b47bebee6a74c00d3be10fad072e05074a62b29205377f682463290bad39c3 The package node-dotenv-cli was found to contain malicious code. Source: ghsa-malware 5bb66069e2bde985ae448962eaaf6373cd54aa2cd51fb20a0fef26ecb5dee2d...
CVE-2026-25918
unity-cli is a command line utility for the Unity Game Engine. Prior to 1.8.2, the sign-package command in @rage-against-the-pixel/unity-cli logs sensitive credentials in plaintext when the --verbose flag is used. Command-line arguments including --email and --password are output via...