napari-ufish (=0.0.1) potentially affected by unknown CVE via ufish (=0.1.1)

ufish PYPI version =0.1.1 is affected by a known vulnerability. The following packages have a transitive dependency on ufish and may be impacted: - napari-ufish =0.0.1 Source cves: unknown CVE Source advisory: SNYK:PYTHON-UFISH-17220150...

pantheon-cli (>=0.1.1 <=0.1.4rc1), uprobe (>=0.1.1 <=0.1.2) potentially affected by unknown CVE via pantheon-agents (=0.6.0)

pantheon-agents PYPI version =0.6.0 is affected by a known vulnerability. The following packages have a transitive dependency on pantheon-agents and may be impacted: - pantheon-cli =0.1.1, =0.1.1, =0.1.2 Source cves: unknown CVE Source advisory: SNYK:PYTHON-PANTHEONAGENTS-17220146...

Untrusted Search Path

Overview Affected versions of this package are vulnerable to Untrusted Search Path in the GlobalAuroraPgDatabaseDialect, which is included in the public schema. A low-privileged user can elevate privileges to rdssuperuser by creating a malicious function that executes when another user connects t...

bsign-ui (>=0.0.3 <=0.0.5), gc-nimbus-ui (>=3.0.0 <=3.0.12) potentially affected by CVE-2026-47759 via tinymce (>=8.0.2 <=8.2.2)

tinymce NPM version =8.0.2, =0.0.3, =3.0.0, =3.0.12 Source cves: CVE-2026-47759 Source advisory: OSV:GHSA-Q742-QVGC-GC2F...

Malicious Package

Overview cookie-parser-legacy is a malicious package. This package contains malicious code that uses another malicious package moustick Snyk Advisory as a dependency to fetch a remote payload from attacker-controlled URL https://www.jsonkeeper.com/b/MYUKZ. The payload is designed to extract...

CVE-2026-43965

Path traversal vulnerability in Gleam's dependency management allows arbitrary directory deletion via malicious build/packages/packages.toml content. Package keys read from build/packages/packages.toml by LocalPackages::readfromdisc are passed without validation to paths.buildpackagespackage, whi...

CVE-2026-32148

Insufficient Verification of Data Authenticity vulnerability in hexpm hex Hex.RemoteConverger module allows dependency integrity bypass via unverified lockfile checksums. Hex stores checksums for dependencies in the mix.lock file to ensure reproducible and integrity-checked builds. However,...

CVE-2026-45539

Microsoft APM is an open-source, community-driven dependency manager for AI agents. From 0.5.4 to 0.12.4, two primitive integrators in apm-cli enumerate package files with bare Path.glob / Path.rglob calls and read each match with Path.readtext, transparently following symbolic links. A symlink...

CVE-2026-2740

Zohocorp ManageEngine ADSelfService Plus version before 6525, DataSecurity Plus before 6264 and RecoveryManager Plus before 6313 are vulnerable to Authenticated Remote code execution in the agent machines due to the bug in the 3rd party dependency...

CVE-2026-44641

Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.8.12, Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.json into .apm/. The manifest fields agents, skills, commands, and hooks are attacker-controlled, but...

ait-dsn (=2.0.0), ait-gui (>=2.4.0 <=2.4.1) potentially affected by CVE-2026-47731 via ait-core (>=2.3.5 <=2.5.2)

ait-core PYPI version =2.3.5, =2.4.0, =2.4.1 Source cves: CVE-2026-47731 Source advisory: OSV:GHSA-P462-PRXW-MJX4...

vantage6-algorithm-store (>=4.3.0 <=4.15.1rc1), vantage6-node (>=0.0.0 <=4.15.1rc1) +1 more potentially affected by unknown CVE via vantage6 (>=0.0.0 <=4.9.1)

vantage6 PYPI version =0.0.0, =4.3.0, =0.0.0, =0.0.0, =4.15.1rc1 Source cves: unknown CVE Source advisory: OSV:GHSA-FGMC-2HQJ-86V4...

CVE-2026-48111

7-Zip is a file archiver with a high compression ratio. Versions 9.21 through 26.00 contain an off-by-one out-of-bounds read vulnerability in the ParseDepedencyExpression function of the UEFI firmware image parserCPP/7zip/Archive/UefiHandler.cpp. The function validates an attacker-controlled opco...

vantage6-algorithm-store (>=4.3.0 <=4.15.1rc1), vantage6-node (>=0.0.0 <=4.15.1rc1) +1 more potentially affected by CVE-2024-27928 via vantage6 (>=0.0.0 <=4.9.1)

vantage6 PYPI version =0.0.0, =4.3.0, =0.0.0, =0.0.0, =4.15.1rc1 Source cves: CVE-2024-27928 Source advisory: OSV:GHSA-4C5C-2VC3-X5W2...

vantage6-algorithm-store (>=4.3.0 <=4.15.1rc1), vantage6-node (>=0.0.0 <=4.15.1rc1) +1 more potentially affected by CVE-2024-24769 via vantage6 (>=0.0.0 <=4.9.1)

vantage6 PYPI version =0.0.0, =4.3.0, =0.0.0, =0.0.0, =4.15.1rc1 Source cves: CVE-2024-24769 Source advisory: OSV:GHSA-5549-C5Q7-FJ65...

IMAPServer (=0.2.0), IMAPServer-cli (=0.1.0) +369 more potentially affected by unknown CVE via diesel (>=0.10.1 <=2.2.12)

diesel CARGO version =0.10.1, =0.1.0, =0.1.0, =0.1.0, =0.4.0, =0.1.4, =0.1.11, =0.1.0, =0.5.0, =0.1.0, =0.1.2 and more Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2026-0172...

UBUNTU-CVE-2026-11332

A flaw was found in ansible-core. The ansible-galaxy role install command processes dependency specifications from a role's meta/requirements.yml file. Due to improper neutralization of argument delimiters, a malicious role author can inject arbitrary git configuration flags through the src field...

CVE-2026-11332

A flaw was found in ansible-core. The ansible-galaxy role install command processes dependency specifications from a role's meta/requirements.yml file. Due to improper neutralization of argument delimiters, a malicious role author can inject arbitrary git configuration flags through the src field...

CVE-2026-11332 Ansible-core: argument injection in ansible-galaxy role install leads to arbitrary code execution

A flaw was found in ansible-core. The ansible-galaxy role install command processes dependency specifications from a role's meta/requirements.yml file. Due to improper neutralization of argument delimiters, a malicious role author can inject arbitrary git configuration flags through the src field...

CVE-2026-11332 Ansible-core: argument injection in ansible-galaxy role install leads to arbitrary code execution

A flaw was found in ansible-core. The ansible-galaxy role install command processes dependency specifications from a role's meta/requirements.yml file. Due to improper neutralization of argument delimiters, a malicious role author can inject arbitrary git configuration flags through the src field...