ai.new-wave:spring-agent-app (>=0.1.0 <=0.3.0), ai.new-wave:spring-agent-core (>=0.1.0 <=0.3.0) +2174 more potentially affected by CVE-2026-45673 via io.netty:netty-resolver-dns (>=4.2.0.Final <=4.2.14.Final)

io.netty:netty-resolver-dns MAVEN version =4.2.0.Final, =0.1.0, =0.1.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.2 and more Source cves: CVE-2026-45673 Source advisory: OSV:GHSA-XMV7-R254-6Q78...

01os (>=0.0.1 <=0.0.14), 0b1-protocol (>=0.1.0 <=0.1.3) +41628 more potentially affected by CVE-2026-34993 via aiohttp (>=0.13.1 <=3.13.5)

aiohttp PYPI version =0.13.1, =0.0.1, =0.1.0, =0.1.0, =0.2.0, =0.1.0, =1.0.0, =0.1.0, =0.1.0, =1.0.0, =0.1.0, =0.1.1, =0.1.2, =0.1.3 - 1942pyc =7.0.1 - 1claw-crewai-tools =0.1.0 and more Source cves: CVE-2026-34993 Source advisory: OSV:GHSA-JG22-MG44-37J8...

@agenticmail/api (>=0.6.0 <=0.7.21), @agenticmail/claudecode (>=0.1.0 <=0.1.17) +1 more potentially affected by CVE-2026-50287 via @agenticmail/mcp (>=0.6.2 <=0.7.9)

@agenticmail/mcp NPM version =0.6.2, =0.6.0, =0.1.0, =0.6.0, =0.8.36 Source cves: CVE-2026-50287 Source advisory: OSV:GHSA-63GR-G7JC-V8RG...

be.yildiz-games:module-messaging-activemq (=2.0.0), com.codbex.atlas:codbex-atlas-application (>=1.1.0 <=2.108.0) +138 more potentially affected by CVE-2026-49270 via org.apache.activemq:activemq-broker (>=6.0.0 <=6.2.5)

org.apache.activemq:activemq-broker MAVEN version =6.0.0, =1.1.0, =2.55.0, =1.0.5, =1.1.0, =1.1.0, =1.1.0, =0.2.0, =1.1.0, =1.0.1, =0.2.2, =0.2.3 and more Source cves: CVE-2026-49270 Source advisory: SNYK:JAVA-ORGAPACHEACTIVEMQ-17151835...

airalogy-engine (=0.0.2) potentially affected by CVE-2026-46703 via boxlite (=0.8.2)

boxlite PYPI version =0.8.2 is affected by a known vulnerability. The following packages have a transitive dependency on boxlite and may be impacted: - airalogy-engine =0.0.2 Source cves: CVE-2026-46703 Source advisory: OSV:GHSA-F396-4RP4-7V2J...

MAL-2026-4465 Malicious code in @web-3d-tool/sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a1e96a726cf0732113215b2026a7a59fc6bf471f86d34153fea3a0e32b275fb5 @web-3d-tool/sdk is a near-empty package trivial 35-byte index.js, empty author/description metadata whose only effect on install is to pull in a...

@antv/l7 (>=2.1.13 <=2.25.10), @antv/l7-component (>=2.21.4 <=2.25.10) +8 more potentially affected by unknown CVE via @antv/l7-maps (>=2.10.0 <=2.25.9)

@antv/l7-maps NPM version =2.10.0, =2.1.13, =2.21.4, =2.1.13, =2.10.0, =2.10.0, =2.1.13, =2.1.13, =2.10.0, =1.0.0, =1.0.17, =1.0.18 Source cves: unknown CVE Source advisory: SNYK:JS-ANTVL7MAPS-16755004...

@antv/f2-site (=5.0.0-alpha.1) potentially affected by unknown CVE via @antv/f2-react (=5.14.0)

@antv/f2-react NPM version =5.14.0 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/f2-react and may be impacted: - @antv/f2-site =5.0.0-alpha.1 Source cves: unknown CVE Source advisory: SNYK:JS-ANTVF2REACT-16754807...

ai.starlake:spark-redshift_2.13 (>=6.5.0 <=6.5.1), ai.starlake:starlake-api_2.13 (>=1.5.8 <=1.5.15) +87 more potentially affected by CVE-2026-8178 via com.amazon.redshift:redshift-jdbc42 (>=2.0.0.3 <=2.2.1)

com.amazon.redshift:redshift-jdbc42 MAVEN version =2.0.0.3, =6.5.0, =1.5.8, =2025.34.3, =0.293, =0.293, =5.0.0, =5.1.0, =1.3.0, =1.19.1891, =0.1.15-alpha, =0.1.15-alpha, =0.1.15-alpha, =3.2.171, =6.0.0-spark3.3, =6.6.0-spark3.5 and more Source cves: CVE-2026-8178 Source advisory:...

ai.platon.pulsar:pulsar-persist (>=1.9.0 <=1.10.23), be.eliwan:eoddata-client (=1.0) +2590 more potentially affected by CVE-2026-42404 via org.apache.neethi:neethi (>=2.0 <=3.2.1)

org.apache.neethi:neethi MAVEN version =2.0, =1.9.0, =1.1.7, =1.1.9, =1.2.5, =3.00.4, =3.00.3, =4.00.10, =11.4-37, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.1.0.RELEASE and more Source cves: CVE-2026-42404 Source advisory: OSV:GHSA-287C-FXR7-3W6C...

CVE-2026-42035 Axios: Header Injection via Prototype Pollution

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter lib/adapters/http.js that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability exploits duck-type...

ai.h2o:h2o-admissibleml (>=3.34.0.1 <=3.46.0.1), ai.h2o:h2o-algos (>=0.1.9 <=3.46.0.1) +44 more potentially affected by CVE-2026-3960 via ai.h2o:h2o-core (>=0.1.9 <=3.46.0.1)

ai.h2o:h2o-core MAVEN version =0.1.9, =3.34.0.1, =0.1.9, =0.1.9, =3.12.0.1, =3.10.0.1, =3.14.0.7, =3.16.0.1, =3.14.0.1, =3.24.0.1, =3.30.1.1, =3.26.0.4, =3.10.5.1, =3.24.0.1, =3.30.0.1, =3.34.0.3, =3.46.0.1 and more Source cves: CVE-2026-3960 Source advisory: OSV:GHSA-QMCV-HH7C-3M56...

011xwztpjn (=1.0.0), 02y9dg4qm3 (=1.0.0) +11522 more potentially affected by CVE-2026-41240 via dompurify (>=0.6.6 <=3.3.3)

dompurify NPM version =0.6.6, =3.3.3 is affected by a known vulnerability. The following packages have a transitive dependency on dompurify and may be impacted: - 011xwztpjn =1.0.0 - 02y9dg4qm3 =1.0.0 - 04tw75kmd9 =1.0.0 - 0650teqqly =1.0.0 - 097oi25ils =1.0.0 - 0a0fpniotn =1.0.0 - 0c7j76u46q...

Malicious code in moonbit-locale-compat (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 d42bb32adb1fb5f388368b9e4ab382bfbc8cd7f62dab4c70a8563a448ce9c2af Campaign includes a chain of dependencies that finally exfiltrate sensitive environment variables to a hardcoded GitHub repository as exfiltration target, and ...

ai.tock:bot-test (=23.9.2), ai.tock:bot-test-base (=23.9.2) +498 more potentially affected by CVE-2026-40458 via org.pac4j:pac4j-core (>=6.0.0-RC1 <=6.4.0)

org.pac4j:pac4j-core MAVEN version =6.0.0-RC1, =6.4.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.pac4j:pac4j-core and may be impacted: - ai.tock:bot-test =23.9.2 - ai.tock:bot-test-base =23.9.2 - ai.tock:bot-toolkit =23.9.2 -...

@amedia/brick-mcp (>=0.0.0-vBRAND-20260313141110 <=1.0.3), @area15/ticket-component (=0.1.0) +217 more potentially affected by CVE-2025-32442 +1 more via fastify (>=5.3.2 <=5.8.4)

fastify NPM version =5.3.2, =0.0.0-vBRAND-20260313141110, =2.0.1, =1.1.1, =0.6.2, =0.1.1, =0.1.1, =0.6.0, =0.1.1, =0.0.35, =0.0.82, =0.0.1, =0.0.6, =0.1.68, =0.1.0, =0.8.2 and more Source cves: CVE-2025-32442, CVE-2026-33806 Source advisory: OSV:GHSA-247C-9743-5963...

cn.angis.warm-flow-beetlsql:warm-flow-beetlsql-sb-starter (>=1.6.9.1 <=1.8.4.0), cn.angis.warm-flow-beetlsql:warm-flow-beetlsql-sb-test (>=1.6.9.1 <=1.7.2.3) +36 more potentially affected by CVE-2026-6125 via org.dromara.warm:warm-flow-plugin-modes-sb (>=1.3.4 <=1.8.5)

org.dromara.warm:warm-flow-plugin-modes-sb MAVEN version =1.3.4, =1.6.9.1, =1.6.9.1, =1.6.8.1, =4.0.0, =2025.13.0, =2025.3.2, =1.6.6, =1.8.4 - org.dromara.warm-flow-mybatis-flex:warm-flow-mybatis-flex-sb-test =1.6.6 and more Source cves: CVE-2026-6125 Source advisory:...

ai.catboost:catboost-spark_4.0_2.13 (=1.2.10), ai.catboost:catboost-spark_4.1_2.13 (=1.2.10) +7252 more potentially affected by CVE-2026-34478 via org.apache.logging.log4j:log4j-core (>=2.21.0 <=2.25.3)

org.apache.logging.log4j:log4j-core MAVEN version =2.21.0, =0.27.0, =0.26.0, =3.10.0.5, =3.0.0, =2.12.1, =2.12.1, =2.12.1, =2.12.1, =2.12.1, =2.12.1, =2.12.1, =2.12.1, =2.12.3 and more Source cves: CVE-2026-34478 Source advisory: OSV:GHSA-445C-VH5M-36RJ...

aac (>=0.4.24 <=0.5.21), aac-gen-gherkin (>=0.1.0 <=0.1.4) +1599 more potentially affected by CVE-2026-39892 via cryptography (>=45.0.0 <=46.0.6)

cryptography PYPI version =45.0.0, =0.4.24, =0.1.0, =0.1.3, =0.0.1, =0.1.5, =0.1.1, =2.4.119, =0.10.2.4rc3, =3.2.1, =0.2.0, =0.3.4, =0.0.2, =0.0.6, =0.0.21 and more Source cves: CVE-2026-39892 Source advisory: OSV:GHSA-P423-J2CM-9VMQ...

openwebui-token-tracking (=0.1.7) potentially affected by CVE-2026-28786 via open-webui (=0.6.0)

open-webui PYPI version =0.6.0 is affected by a known vulnerability. The following packages have a transitive dependency on open-webui and may be impacted: - openwebui-token-tracking =0.1.7 Source cves: CVE-2026-28786 Source advisory: SNYK:PYTHON-OPENWEBUI-15855399...