
14219 matches found

IBM Security Bulletins
added yesterday | 15 views

Security Bulletin: IBM Maximo Application Suite uses multiple third party dependencies which is vulnerable to multiple CVEs.

Summary: IBM Maximo Application Suite uses minimatch-3.0.5.tgz, OpenTelemetry Go SDK, jaraco.context, IBM WebSphere Application Server Liberty, picomatch-2.3.1.tgz, path-to-regexp-0.1.12.tgz, lodash-4.17.23.tgz, pillow-12.1.1-cp311-cp311-manylinux_2_27_x86_64.manylinux_2_28_x86_64.whl,...

9.8 CVSS | 7.5 AI score | 0.00101 EPSS
Exploits 6 | Affected Software 1
Nuclei
added yesterday | 15 views

Vite Dev Server - Path Traversal in Optimized Deps .map Handling

Vite development server versions prior to 8.0.5, 7.3.2, and 6.4.2 are vulnerable to path traversal through the optimized dependencies sourcemap handler. The dev server's handling of .map requests for optimized dependencies resolves file paths via normalizePath(path.resolve(root, url.slice(1))) and call...

6.3 CVSS | 5.8 AI score | 0.01967 EPSS
Exploits 1 | References 3
Cvelist
added 2 days ago | 30 views

CVE-2026-43965 Path Traversal in build/packages/packages.toml Allows Arbitrary Directory Deletion

Path traversal vulnerability in Gleam's dependency management allows arbitrary directory deletion via malicious build/packages/packages.toml content. Package keys read from build/packages/packages.toml by LocalPackages::read_from_disc are passed without validation to paths.build_packages_package, whi...

5.6 CVSS | 0.00014 EPSS
Exploits 0 | References 4
ATTACKERKB
added 2 days ago | 3 views

CVE-2026-43965

Path traversal vulnerability in Gleam's dependency management allows arbitrary directory deletion via malicious build/packages/packages.toml content. Package keys read from build/packages/packages.toml by LocalPackages::read_from_disc are passed without validation to paths.build_packages_package, whi...

5.6 CVSS | 5.9 AI score | 0.00014 EPSS
Exploits 0 | References 5
OSV
added 2 days ago | 2 views

RUSTSEC-2026-0155 `exploration` was removed from crates.io for malicious code

A method within the exploration crate attempted to download and execute a payload from a remote site. The malicious crate had 1 version published on 2026-06-02, approximately 1 hour before removal, and had no evidence of actual usage. This crate had no dependencies on crates.io. Thanks to Kirill...

5.9 AI score
Exploits 0 | References 2
Positive Technologies
added 2 days ago | 8 views

PT-2026-45757

Path traversal vulnerability in Gleam's dependency management allows arbitrary directory deletion via malicious build/packages/packages.toml content. Package keys read from build/packages/packages.toml by LocalPackages::read_from_disc are passed without validation to paths.build_packages_package,...

5.6 CVSS | 5.9 AI score | 0.00014 EPSS
Exploits 0 | References 5
IBM Security Bulletins
added 3 days ago | 4 views

Security Bulletin: Maximo AI Service uses multiple third party dependencies which are vulnerable to multiple CVEs.

Summary: Maximo AI Service uses fast-xml-parser-5.3.6.tgz, mlflow-3.9.0rc0-py3-none-any.whl, bcpkix-jdk18on-1.79.jar, python_multipart-0.0.24-py3-none-any.whl, bcprov-jdk18on-1.79.jar, spring-security-core-6.5.9.jar, spring-boot-autoconfigure-3.5.13.jar, spring-web-6.2.17.jar,...

9.8 CVSS | 5.9 AI score | 0.00085 EPSS
Exploits 4 | Affected Software 1
EUVD
added 3 days ago | 5 views

EUVD-2026-33596

The structure_data endpoint in the Airflow UI returned external dependency graph nodes for linked Dags without checking whether the caller had read permission on those linked Dags. An authenticated UI/API user authorized for one Dag could enumerate linked Dag IDs and dependency metadata for other...

3.1 CVSS | 5.8 AI score | 0.00045 EPSS
Exploits 0 | References 2
CNNVD
added 3 days ago | 3 views

Apache Airflow security vulnerabilities

Apache Airflow is an open-source platform developed by the Apache Foundation in the United States. It allows for the creation, management, and monitoring of workflows. This platform features scalability and dynamic monitoring capabilities. There is a security vulnerability in Apache Airflow. The...

3.1 CVSS | 5.8 AI score | 0.00045 EPSS
Exploits 0 | References 3
GithubExploit
added last week | 173 views

osv-java-poc

OSV Scanner CVE Detection POC — Vulnerable Java App ⚠️ WA...

10 CVSS | 7.2 AI score | 0.94428 EPSS
Exploits 463
IBM Security Bulletins
added 2026/05/27 4:3 p.m. | 14 views

Security Bulletin: Maximo AI Service uses multiple third party dependencies which are vulnerable to multiple CVEs.

Summary: Maximo AI Service uses path-to-regexp-0.1.12.tgz, mlflow-3.9.0rc0-py3-none-any.whl, lodash-4.17.23.tgz, tomcat-embed-core-10.1.53.jar, spring-security-config-6.5.9.jar, Mako-1.3.8-py3-none-any.whl, uuid-11.1.0.tgz, spring-boot-3.5.13.jar, mako-1.3.11-py3-none-any.whl and...

8.7 CVSS | 7.5 AI score | 0.02218 EPSS
Exploits 7 | Affected Software 1
IBM Security Bulletins
added 2026/05/27 4:3 p.m. | 7 views

Security Bulletin: Maximo AI Service uses multiple third party dependencies which are vulnerable to multiple CVEs.

Summary: Maximo AI Service uses mlflow-3.9.0rc0-py3-none-any.whl, bcprov-jdk18on-1.79.jar, mlflow-3.8.1-py3-none-any.whl and GitPython-3.1.44-py3-none-any.whl which are vulnerable to CVE-2026-0545, CVE-2025-14813, CVE-2026-0636, CVE-2026, CVE-2025-15031, CVE-2025-15036, CVE-2025, CVE-2026-42215,...

10 CVSS | 7.9 AI score | 0.00333 EPSS
Exploits 8 | Affected Software 1
OSSF Malicious Packages
added 2026/05/26 3:9 p.m. | 14 views

Malicious code in cdktn-provider-datadog (PyPI)

Source: amazon-inspector (29ce930466b101c48ae641d7e4ad57f3d5169b9f14b1e041e4264e75cbfd965b). Package name cdktn-provider-datadog is a single-character variant f→n of HashiCorp's widely-used cdktf-provider-datadog CDKTF provider. README and...

5.9 AI score
Exploits 0 | References 1
OSV
added 2026/05/26 1:12 a.m. | 5 views

MAL-2026-4711 Malicious code in wao (npm)

Source: amazon-inspector (f809db41305575dc4eeed6726bdc75000e7f083dee4599ad71fd7b5eb89b2501). package.json declares "preinstall": "./src/deps.ts", but src/deps.ts is not TypeScript — it is a 976KB Linux x86-64 ELF executable magic bytes...

6 AI score
Exploits 0 | References 1
OSV
added 2026/05/26 1:0 a.m. | 7 views

MAL-2026-4719 Malicious code in weavedb-exm-sdk-web (npm)

Source: amazon-inspector (3992f423f88c69e8c00223cc0ef81f970b8e178f1854beb00ef443586302ad89). package.json declares "preinstall": "./bin/install-deps", which runs a 976KB UPX-packed Linux x86 ELF binary on every npm install. The package...

6 AI score
Exploits 0 | References 1
Fedora
added 2026/05/23 3:49 p.m. | 6 views

[SECURITY] Fedora 43 Update: composer-2.9.8-1.fc43

Composer helps you declare, manage and install dependencies of PHP projects, ensuring you have the right stack everywhere. Documentation: https://getcomposer.org/doc/...

5.8 AI score
Exploits 0
OSV
added 2026/05/23 10:27 a.m. | 3 views

MAL-2026-4411 Malicious code in @onerjs/inspector (npm)

Source: amazon-inspector (08c3c6c201db840a5576941656934704b0932abe72527c5e85b969fd90ad0ccd). Package name, version 8.52.2, README, homepage and repository all impersonate @babylonjs/inspector. The shipped code is a 700-byte UMD wrapper that...

6 AI score
Exploits 0 | References 1
OSSF Malicious Packages
added 2026/05/23 10:27 a.m. | 4 views

Malicious code in @onerjs/inspector (npm)

Source: amazon-inspector (08c3c6c201db840a5576941656934704b0932abe72527c5e85b969fd90ad0ccd). Package name, version 8.52.2, README, homepage and repository all impersonate @babylonjs/inspector. The shipped code is a 700-byte UMD wrapper that...

6 AI score
Exploits 0 | References 1
OSSF Malicious Packages
added 2026/05/23 3:47 a.m. | 6 views

Malicious code in @onerjs/smart-filters-blocks (npm)

Source: amazon-inspector (e772d7a844409df378591a5a587c7cc8045e0ec0e8cb493912f0da8fa594c169). This package is published as @onerjs/smart-filters-blocks but its README, repository URL git+https://github.com/BabylonJS/Babylon.js.git, description...

5.8 AI score
Exploits 0 | References 2
OSV
added 2026/05/23 3:47 a.m. | 3 views

MAL-2026-4415 Malicious code in @onerjs/smart-filters-blocks (npm)

Source: amazon-inspector (e772d7a844409df378591a5a587c7cc8045e0ec0e8cb493912f0da8fa594c169). This package is published as @onerjs/smart-filters-blocks but its README, repository URL git+https://github.com/BabylonJS/Babylon.js.git, description...

5.8 AI score
Exploits 0 | References 2