212 matches found

Chainguard
added 3 days ago | 6 views

CVE-2026-41178 vulnerabilities

Vulnerabilities for packages: gitlab-operator, aws-iam-authenticator, datadog-agent-fips, docker-fips, flux-helm-controller, zarf, kyverno, boring-registry, kcp, crossplane-provider-azure-signalrservice, crossplane-provider-keycloak, crossplane-provider-gcp-beta-networksecurity, livekit-cli,...

CVSS 5.3 | AI score 5.8 | EPSS 0.00237
Exploits: 0

Chainguard
added 3 days ago | 5 views

GHSA-5WRP-CWCJ-Q835 vulnerabilities

Vulnerabilities for packages: gitlab-operator, aws-iam-authenticator, datadog-agent-fips, docker-fips, flux-helm-controller, zarf, kyverno, boring-registry, kcp, crossplane-provider-azure-signalrservice, crossplane-provider-keycloak, crossplane-provider-gcp-beta-networksecurity, livekit-cli,...

AI score 5.8
Exploits: 0

IBM Security Bulletins
added 2026/06/18 5:57 p.m. | 39 views

Security Bulletin: Vulnerabilities in OpenSSL affect IBM Aspera Transfer Cluster Manager, faspex on Demand, Server on Demand, Application Platform on

Security Bulletin: Vulnerabilities in OpenSSL affect IBM Aspera Transfer Cluster Manager, faspex on Demand, Server on Demand, Application Platform on Demand, and Azure on Demand. CVE-2016-2107, CVE-2016-2106, CVE-2016-2176...

CVSS 8.2 | AI score 7.5 | EPSS 0.89058
Exploits: 6 | Affected Software: 1

Snyk
added 2026/06/06 9:0 p.m. | 8 views

Embedded Malicious Code

Overview: Affected versions of this package are vulnerable to Embedded Malicious Code containing a malicious binding.gyp file that drops and runs a self-propagating cloud secret stealer. The malicious code attempts to exfiltrate AWS, GCP, Azure, Vault, and Kubernetes credentials, as well as npm an...

CVSS 9.8 | AI score 5.6
Exploits: 0 | References: 2

Snyk
added 2026/06/06 9:0 p.m. | 10 views

Embedded Malicious Code

Overview: Affected versions of this package are vulnerable to Embedded Malicious Code containing a malicious binding.gyp file that drops and runs a self-propagating cloud secret stealer. The malicious code attempts to exfiltrate AWS, GCP, Azure, Vault, and Kubernetes credentials, as well as npm an...

CVSS 9.8 | AI score 5.6
Exploits: 0 | References: 2

Snyk
added 2026/06/02 9:0 p.m. | 6 views

Embedded Malicious Code

Overview: Affected versions of this package are vulnerable to Embedded Malicious Code that hides inside binary executable files triggered by a postinstall script. IronWorm is a sophisticated, Rust-based infostealer that functions as a self-replicating supply-chain attack. Its primary characteristi...

CVSS 9.8 | AI score 5.8
Exploits: 0 | References: 2

Snyk
added 2026/06/02 9:0 p.m. | 8 views

Embedded Malicious Code

Overview: Affected versions of this package are vulnerable to Embedded Malicious Code containing a malicious binding.gyp file that drops and runs a self-propagating cloud secret stealer. The malicious code attempts to exfiltrate AWS, GCP, Azure, Vault, and Kubernetes credentials, as well as npm an...

CVSS 9.8 | AI score 5.6
Exploits: 0 | References: 2

CBLMariner
added 2026/05/30 3:37 a.m. | 12 views

CVE-2026-42502 affecting package kube-vip-cloud-provider for versions less than 0.0.10-6

CVE-2026-42502 affecting package kube-vip-cloud-provider for versions less than 0.0.10-6. A patched version of the package is available...

CVSS 6.1 | AI score 5.8 | EPSS 0.00178
Exploits: 0

CBLMariner
added 2026/05/30 3:37 a.m. | 10 views

CVE-2026-42506 affecting package kube-vip-cloud-provider for versions less than 0.0.10-6

CVE-2026-42506 affecting package kube-vip-cloud-provider for versions less than 0.0.10-6. A patched version of the package is available...

CVSS 6.1 | AI score 5.8 | EPSS 0.00188
Exploits: 0

CBLMariner
added 2026/05/30 3:37 a.m. | 9 views

CVE-2026-25680 affecting package kube-vip-cloud-provider for versions less than 0.0.10-6

CVE-2026-25680 affecting package kube-vip-cloud-provider for versions less than 0.0.10-6. A patched version of the package is available...

CVSS 6.5 | AI score 5.8 | EPSS 0.00248
Exploits: 0

CBLMariner
added 2026/05/30 12:34 a.m. | 5 views

CVE-2026-27136 affecting package cloud-provider-kubevirt for versions less than 0.5.1-4

CVE-2026-27136 affecting package cloud-provider-kubevirt for versions less than 0.5.1-4. A patched version of the package is available...

CVSS 6.1 | AI score 5.8 | EPSS 0.00178
Exploits: 0

CBLMariner
added 2026/05/30 12:34 a.m. | 9 views

CVE-2026-42506 affecting package cloud-provider-kubevirt for versions less than 0.5.1-4

CVE-2026-42506 affecting package cloud-provider-kubevirt for versions less than 0.5.1-4. A patched version of the package is available...

CVSS 6.1 | AI score 5.8 | EPSS 0.00188
Exploits: 0

CBLMariner
added 2026/05/30 12:34 a.m. | 7 views

CVE-2026-39821 affecting package cloud-provider-kubevirt for versions less than 0.5.1-4

CVE-2026-39821 affecting package cloud-provider-kubevirt for versions less than 0.5.1-4. A patched version of the package is available...

CVSS 9.6 | AI score 5.8 | EPSS 0.00344
Exploits: 0

Positive Technologies
added 2026/05/29 12:0 a.m. | 8 views

PT-2026-45067

Summary: CC-Tweaked's HTTP API (http.request, http.websocket) blocks requests to private network ranges to prevent server-side request forgery (SSRF). This protection can be bypassed on IPv6-capable servers using NAT64 well-known prefix addresses (64:ff9b::/96). An attacker who can execute Lua code can...

CVSS 7.1 | AI score 6 | EPSS 0.00054
Exploits: 0 | References: 3

Fedora
added 2026/05/27 1:27 a.m. | 10 views

[SECURITY] Fedora 43 Update: rust-afterburn-5.10.0-7.fc43

A simple cloud provider agent...

CVSS 9.8 | AI score 5.8 | EPSS 0.00412
Exploits: 0

Fedora
added 2026/05/27 12:53 a.m. | 11 views

[SECURITY] Fedora 44 Update: rust-afterburn-5.10.0-7.fc44

A simple cloud provider agent...

CVSS 9.8 | AI score 5.8 | EPSS 0.00412
Exploits: 0

Snyk
added 2026/05/18 9:0 p.m. | 5 views

Embedded Malicious Code

Overview: Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

CVSS 9.8 | AI score 5.9
Exploits: 0 | References: 3

Snyk
added 2026/05/14 2:22 p.m. | 11 views

Malicious Package

Overview: knot-rspec-formatter-json is a malicious package. This package is part of a malicious cluster of Ruby gems published by the threat actor knot-theory. Designed to impersonate legitimate utilities, it executes a payload upon installation that harvests environment variables, SSH keys, AWS...

CVSS 9.8 | AI score 5.8
Exploits: 0 | References: 2

Wolfi
added 2026/04/11 2:51 a.m. | 8 views

GHSA-7MR4-XJXG-34G6 vulnerabilities

Vulnerabilities for packages: grafana-agent-operator, cilium-envoy, aws-node-termination-handler, external-dns, otel-cli, cloud-sql-proxy, flannel, prometheus-operator, mcp-grafana, redpanda, docker-credential-gcr, trivy, cluster-autoscaler, flux-image-automation-controller, kafka-proxy, karpente...

AI score 5.8
Exploits: 0

Wolfi
added 2026/04/11 2:51 a.m. | 9 views

CVE-2026-32281 vulnerabilities

Vulnerabilities for packages: cilium-envoy, external-dns, kubernetes-csi-external-snapshotter, vault-k8s, calico, incert, redpanda, flux-image-automation-controller, stern, seaweedfs, nri-elasticsearch, aws-signer-notation-plugin, oras, timoni, metacontroller, hubble-ui, nerdctl, crane,...

CVSS 7.5 | AI score 7.1 | EPSS 0.00349
Exploits: 0