Vite Dev Server - Path Traversal in Optimized Deps .map Handling

Vite development server versions prior to 8.0.5, 7.3.2, and 6.4.2 are vulnerable to path traversal through the optimized dependencies sourcemap handler. The dev server's handling of .map requests for optimized dependencies resolves file paths via normalizePathpath.resolveroot, url.slice1 and call...

Malicious code in requests-enhancer (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a0f61f1a905e0ec1bb593f7b20d4f9a8a9e72deeb16440f72acbcaf00aeab1cd On import requestsenhancer, the package's init.py spawns a daemon thread that runs pip install...

CVE-2026-53858

OpenClaw before 2026.5.2 contains an environment variable injection vulnerability where workspace .env STATEDIRECTORY could influence bundled runtime dependency roots. Attackers can manipulate the STATEDIRECTORY variable to load runtime dependencies from unintended local paths, potentially...

CVE-2026-53858 OpenClaw < 2026.5.2 - Arbitrary Runtime Dependency Loading via STATE_DIRECTORY Environment Variable

OpenClaw before 2026.5.2 contains an environment variable injection vulnerability where workspace .env STATEDIRECTORY could influence bundled runtime dependency roots. Attackers can manipulate the STATEDIRECTORY variable to load runtime dependencies from unintended local paths, potentially...

CVE-2026-53858

OpenClaw (pre-2026.5.2) is affected by CVE-2026-53858: an environment variable injection flaw where the workspace .env STATE_DIRECTORY can influence bundled runtime dependency roots. An attacker can manipulate STATE_DIRECTORY to load runtime dependencies from unintended local paths, potentially e...

Security update for neonmodem (important)

openSUSE security update: security update for neonmodem ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:20963-1 Rating: important References: bsc1260727 bsc1267193 Cross-References: CVE-2026-25680 CVE-2026-25681 CVE-2026-27136 CVE-2026-33809...

[SECURITY] Fedora 43 Update: composer-2.10.1-1.fc43

Composer helps you declare, manage and install dependencies of PHP projects, ensuring you have the right stack everywhere. Documentation: https://getcomposer.org/doc/...

exploitGuard

Run and deploy your AI Studio app This contains everything yo...

Malicious code in optional-cpu-features (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4dbbb7dd9c604ef3e5782d477d4db7c04c50f7906b19af03e63a540e0a44166e On npm install, both the install and postinstall lifecycle scripts run node install.js, which requires lib/sync.js. That file hardcodes BASE =...

The Hidden Security Risks of Poor Software Testing

Poor Software Testing can expose hidden flaws, vulnerable dependencies and weak controls, increasing breach risks, downtime and costly fixes after release...

MAL-2026-5649 Malicious code in bibip-bip (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c2b153c90d83d4653660dd79a5a0935af85bd804fd98163c42995403bca240a6 pyproject.toml declares a PEP 517 build requirement that points to an arbitrary tarball hosted on webhook.site, an anonymous request-inspection /...

CVEAlertor

CVEAlertor Get an instant Telegram alert the moment a new C...

GitHub to Disable npm Install Scripts by Default to Stop Supply Chain Attacks

GitHub has announced what it said are "breaking changes" coming to npm version 12, one of which turns off install scripts by default to combat software supply chain threats. The changes aim to combat attack techniques that abuse the "npm install" command to trigger the execution of malicious code...

MAL-2026-5554 Malicious code in express-self-destruct2 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c21246439a04267591c998594f92ac1267c86698f5dcc3463ad2cd932abb04dc On install, the package's postinstall hook scripts/inject.js locates the installer's project root and main entry from package.json or fallbacks...

Axios 安全漏洞

Axios is an open-source HTTP client developed by Axios. Versions prior to 0.32.0 and 1.16.0 of Axios contain security vulnerabilities. These vulnerabilities stem from two prototype pollution tools that may cause upstream dependencies to pollute Object.prototype, allowing Axios to silently use the...

openSUSE 16 Security Update : agama-web-ui (openSUSE-SU-2026:20919-1)

The remote openSUSE 16 host has a package installed that is affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20919-1 advisory. This update for agama-web-ui fixes the following issues - CVE-2025-7339: on-headers: incorrect array handling may lead to HTTP response header...

OPENSUSE-SU-2026:20942-1 Security update for apptainer

This update for apptainer fixes the following issues: Changes in apptainer: - Update apptainer to version v1.5.1 Security fix bsc1267982: Fix for CVE-2026-48785 / GHSA-cr2j-534f-mf3g. Incorrect path matching for limit container paths directive. This is only applicable to SUID installations that...

SUSE-SU-2026:22074-1 Security update for elemental-toolkit

This update for elemental-toolkit fixes the following issue - CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2 :path pseudo- header bsc1260277. Changes for elemental-toolkit: - Update to v2.2.9: 0e33b2bc Bump golang.org/x/net to v0.55.0...

-tompan-reacttemplate (>=1.0.1 <=1.1.0), 0726react (=0.1.1) +28795 more potentially affected by CVE-2026-9277 via shell-quote (>=1.3.3 <=1.8.3)

shell-quote NPM version =1.3.3, =1.0.1, =1.1.0 - 0726react =0.1.1 - 0x0.icu.anima =0.1.0 - 0xcorde-pac =1.0.0 - 0xgank-tea-advice-pull =1.0.0 - 0xgank-tea-balance-pencil =1.0.0 - 0xgank-tea-brick-bell =1.0.0 - 0xgank-tea-cake-victory =1.0.0 - 0xgank-tea-central-compound =1.0.0 -...

aiidalab (>=22.6.0 <=26.5.2), aiidalab-chemshell (>=0.0.1 <=0.1.1) +137 more potentially affected by CVE-2026-47712 via dulwich (>=0.24.1 <=1.0.0)

dulwich PYPI version =0.24.1, =22.6.0, =0.0.1, =0.1.0, =1.3.4, =0.12.0, =0.1.0, =0.2.0, =0.2.0, =0.2.1, =0.2.1, =0.1.0, =0.1.6 - artificial-detection =0.1.0 - attp =0.1.0a0 and more Source cves: CVE-2026-47712 Source advisory: OSV:GHSA-555P-6GRF-MH7F...