49 matches found
CVE-2026-40963
The structuredata endpoint in the Airflow UI returned external dependency graph nodes for linked Dags without checking whether the caller had read permission on those linked Dags. An authenticated UI/API user authorized for one Dag could enumerate linked Dag IDs and dependency metadata for other...
MAL-2026-4701 Malicious code in venturo-playwright-runner (npm)
Source: amazon-inspector 2e63f5fe21c0fe70b9b120a217b3d1b14e765c47de231eb03d0d763c471fbd4e. The package republishes Microsoft's @playwright/test under the unrelated name venturo-playwright-runner and falsifies its identity to claim Microsoft...
GHSA-W7RC-Q6CM-F5GM Apache Airflow's asset dependency graph did not restrict nodes by the viewer's DAG read permissions
The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAGs and assets outside their authorized scope. Users are...
Apache Airflow Security Vulnerability
Apache Airflow is an open-source platform developed by the Apache Foundation in the United States. It allows for the creation, management, and monitoring of workflows. This platform features scalability and dynamic monitoring capabilities. However, Apache Airflow has security vulnerabilities. The...
The Code Whisperer: LLM and Graph-Based AI for Smell and Vulnerability Resolution
Code smells and software vulnerabilities both increase maintenance cost, yet they are often handled by separate tools that miss structural context and produce noisy warnings. This paper presents The Code Whisperer, a hybrid framework that combines graph-based program analysis with large language...
Formal Analysis and Supply Chain Security for Agentic AI Skills
The rapid proliferation of agentic AI skill ecosystems -- exemplified by OpenClaw (228,000 GitHub stars) and Anthropic Agent Skills (75,600 stars) -- has introduced a critical supply chain attack surface. The ClawHavoc campaign (January-February 2026) infiltrated over 1,200 malicious skills into the...
Cascaded Vulnerability Attacks in Software Supply Chains
Most of the current software security analysis tools assess vulnerabilities in isolation. However, sophisticated software supply chain security threats often stem from cascaded vulnerability and security weakness chains that span dependent components. Moreover, although the adoption of Software...
EUVD-2022-5360
Malicious code in bioql PyPI...
MAL-2025-46919 Malicious code in proto-dependency-graph-api (RubyGems)
Source: ossf-package-analysis ecf5eff888c8c4922c11f9e7129ce050bb6432ec890c9b527f97254b0cf92690. The OpenSSF Package Analysis project identified 'proto-dependency-graph-api' @ 99.99.99 (RubyGems) as malicious. It is considered malicious becaus...
Malicious code in proto-dependency-graph-api (RubyGems)
Source: ossf-package-analysis ecf5eff888c8c4922c11f9e7129ce050bb6432ec890c9b527f97254b0cf92690. The OpenSSF Package Analysis project identified 'proto-dependency-graph-api' @ 99.99.99 (RubyGems) as malicious. It is considered malicious becaus...
Malicious code in dependency-graph-platform-proto (RubyGems)
Source: ossf-package-analysis c8feb4336c26b61a10aec616c9f9f8777fcdd99ab55df96c82ca78bd088530b9. The OpenSSF Package Analysis project identified 'dependency-graph-platform-proto' @ 99.99.99 (RubyGems) as malicious. It is considered malicious...
MAL-2025-46901 Malicious code in dependency-graph-platform-proto (RubyGems)
Source: ossf-package-analysis c8feb4336c26b61a10aec616c9f9f8777fcdd99ab55df96c82ca78bd088530b9. The OpenSSF Package Analysis project identified 'dependency-graph-platform-proto' @ 99.99.99 (RubyGems) as malicious. It is considered malicious...
IPIGuard: a Novel Tool Dependency Graph-Based Defense against Indirect Prompt Injection in LLM Agents
Large language model (LLM) agents are widely deployed in real-world applications, where they leverage tools to retrieve and manipulate external data for complex tasks. However, when interacting with untrusted data sources (e.g., fetching information from public websites), tool responses may contain...
VerilogLAVD: LLM-Aided Rule Generation for Vulnerability Detection in Verilog
Timely detection of hardware vulnerabilities during the early design stage is critical for reducing remediation costs. Existing early detection techniques often require specialized security expertise, limiting their usability. Recent efforts have explored the use of large language models (LLMs) for...
PyPitfall: Dependency Chaos and Software Supply Chain Vulnerabilities in Python
Python software development heavily relies on third-party packages. Direct and transitive dependencies create a labyrinth of software supply chains. While it is convenient to reuse code, vulnerabilities within these dependency chains can propagate through dependencies, potentially affecting...
Understand your software’s supply chain with GitHub’s dependency graph
What if you could spot the weakest link in your software supply chain before it breaks? With GitHub's dependency graph, you can. By providing a clear, complete view of the external packages your code depends on, both directly and indirectly, it allows you to understand, secure, and manage your...
BSAGIoT: a Bayesian Security Aspect Graph for Internet of Things (IoT)
IoT is a dynamic network of interconnected things that communicate and exchange data, where security is a significant issue. Previous studies have mainly focused on attack classifications and open issues rather than presenting a comprehensive overview on the existing threats and vulnerabilities...
CVE-2019-10349
A stored cross site scripting vulnerability in Jenkins Dependency Graph Viewer Plugin 0.13 and earlier allowed attackers able to configure jobs in Jenkins to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins...
@adpt/testutils (>=0.1.0-next.1 <=0.4.0-next.6), @lavamoat/git-safe-dependencies (>=0.1.1 <=0.2.1) +6 more potentially affected by CVE-2025-4759 via lockfile-lint-api (>=1.0.7 <=5.9.1)
lockfile-lint-api NPM version =1.0.7, =0.1.0-next.1, =0.1.1, =1.0.0, =4.3.1-test1, =1.3.0, =1.0.1, =4.2.2, =4.3.1, =4.7.0 Source cves: CVE-2025-4759 Source advisory: OSV:GHSA-7CFR-5CJF-32P4...