a2a-lite (>=0.1.0 <=0.2.2), adb-connect-qr (>=0.1.0 <=0.1.3) +582 more potentially affected by CVE-2026-47184 via zeroconf (>=0.102.0 <=0.149.3)

zeroconf PYPI version =0.102.0, =0.1.0, =0.1.0, =0.1.0, =1.0.2, =1.0.1, =0.0.1, =1.4.8, =2.6.28, =0.7.1, =0.0.1, =1.7.0, =0.2.38, =3.2.20 and more Source cves: CVE-2026-47184 Source advisory: SNYK:PYTHON-ZEROCONF-17111094...

a2a-lite (>=0.1.0 <=0.2.2), adb-connect-qr (>=0.1.0 <=0.1.3) +556 more potentially affected by CVE-2026-47180 via zeroconf (>=0.140.1 <=0.149.3)

zeroconf PYPI version =0.140.1, =0.1.0, =0.1.0, =0.1.0, =1.0.2, =1.0.1, =0.0.1, =1.4.8, =2.6.28, =0.7.1, =0.0.1, =1.7.0, =0.2.38, =3.2.20 and more Source cves: CVE-2026-47180 Source advisory: OSV:GHSA-9PGC-3CCV-5297...

edgetest (>=2026.4.0 <=2026.5.0), r7-surcom-sdk (>=0.12.15 <=0.14.16) +1 more potentially affected by unknown CVE via uv (>=0.10.0 <=0.10.7)

uv PYPI version =0.10.0, =2026.4.0, =0.12.15, =3.10.18, =3.10.21 Source cves: unknown CVE Source advisory: OSV:GHSA-4GG8-GXPX-9RPH...

@openinc/parse-server-opendash (>=3.31.25 <=4.0.34) potentially affected by CVE-2026-47248 via parse-server (>=9.6.0-alpha.37 <=9.9.0)

parse-server NPM version =9.6.0-alpha.37, =3.31.25, =4.0.34 Source cves: CVE-2026-47248 Source advisory: OSV:GHSA-8CPH-RGR4-G5VJ...

org.webjars.npm:degenerator (=4.0.4), org.webjars.npm:pac-resolver (=6.0.2) +1 more potentially affected by CVE-2026-47139 via org.webjars.npm:vm2 (=3.9.19)

org.webjars.npm:vm2 MAVEN version =3.9.19 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:vm2 and may be impacted: - org.webjars.npm:degenerator =4.0.4 - org.webjars.npm:pac-resolver =6.0.2 - org.webjars.npm:rocket.chatapps-engine =1.35...

org.webjars.npm:degenerator (=4.0.4), org.webjars.npm:pac-resolver (=6.0.2) +1 more potentially affected by CVE-2026-47210 via org.webjars.npm:vm2 (=3.9.19)

org.webjars.npm:vm2 MAVEN version =3.9.19 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:vm2 and may be impacted: - org.webjars.npm:degenerator =4.0.4 - org.webjars.npm:pac-resolver =6.0.2 - org.webjars.npm:rocket.chatapps-engine =1.35...

@aiconnect/codelets-runner (>=0.1.0 <=0.2.0), @cairncms/api (>=1.0.0-beta.1 <=1.0.0-beta.4) +21 more potentially affected by CVE-2026-47210 via vm2 (>=3.0.0 <=3.11.3)

vm2 NPM version =3.0.0, =0.1.0, =1.0.0-beta.1, =3.0.46, =0.1.0, =1.1.15, =1.27.8, =1.0.0-beta.1, =1.1.0, =0.2.0, =0.1.64, =0.1.61, =1.66.16, =1.66.16, =1.72.4 and more Source cves: CVE-2026-47210 Source advisory: SNYK:JS-VM2-17111321...

org.webjars.npm:degenerator (=4.0.4), org.webjars.npm:pac-resolver (=6.0.2) +1 more potentially affected by CVE-2026-47137 via org.webjars.npm:vm2 (=3.9.19)

org.webjars.npm:vm2 MAVEN version =3.9.19 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:vm2 and may be impacted: - org.webjars.npm:degenerator =4.0.4 - org.webjars.npm:pac-resolver =6.0.2 - org.webjars.npm:rocket.chatapps-engine =1.35...

org.webjars.npm:degenerator (=4.0.4), org.webjars.npm:pac-resolver (=6.0.2) +1 more potentially affected by CVE-2026-47209 via org.webjars.npm:vm2 (=3.9.19)

org.webjars.npm:vm2 MAVEN version =3.9.19 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:vm2 and may be impacted: - org.webjars.npm:degenerator =4.0.4 - org.webjars.npm:pac-resolver =6.0.2 - org.webjars.npm:rocket.chatapps-engine =1.35...

org.webjars.npm:degenerator (=4.0.4), org.webjars.npm:pac-resolver (=6.0.2) +1 more potentially affected by CVE-2026-47131 via org.webjars.npm:vm2 (=3.9.19)

org.webjars.npm:vm2 MAVEN version =3.9.19 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:vm2 and may be impacted: - org.webjars.npm:degenerator =4.0.4 - org.webjars.npm:pac-resolver =6.0.2 - org.webjars.npm:rocket.chatapps-engine =1.35...

@geode/opengeodeweb-front (>=9.13.1 <=10.0.2-rc.4), nuxt (>=3.20.0 <=3.21.5) potentially affected by CVE-2026-47200 via @nuxt/nitro-server (>=3.20.0 <=3.21.5)

@nuxt/nitro-server NPM version =3.20.0, =9.13.1, =3.20.0, =3.21.5 Source cves: CVE-2026-47200 Source advisory: OSV:GHSA-HG3F-28RG-4JXJ...

@andor83/mother-may-i (>=1.0.1 <=1.0.10), @base_/cli (>=1.0.6 <=1.0.29-beta.26) +56 more potentially affected by CVE-2026-47200 via nuxt (>=3.11.2 <=3.20.1)

nuxt NPM version =3.11.2, =1.0.1, =1.0.6, =1.0.6, =0.9.1, =1.2.1, =1.2.0, =1.1.0, =1.0.0-29304822.f444f03, =8.0.0, =0.3.14, =9.8.3, =1.12.0-rc.5, =1.0.1-alpha.0, =1.0.1-alpha.33 and more Source cves: CVE-2026-47200 Source advisory: SNYK:JS-NUXT-17111072...

@geode/opengeodeweb-front (>=9.13.1 <=10.0.2-rc.4), nuxt (>=3.20.0 <=3.21.5) potentially affected by CVE-2026-47200 via @nuxt/nitro-server (>=3.20.0 <=3.21.5)

@nuxt/nitro-server NPM version =3.20.0, =9.13.1, =3.20.0, =3.21.5 Source cves: CVE-2026-47200 Source advisory: SNYK:JS-NUXTNITROSERVER-17111073...

com.github.mengweijin:logging-preview-spring-boot-starter (>=1.0.0 <=1.0.1), com.github.mengweijin:quickboot-web (>=1.0.1 <=1.0.42) +23 more potentially affected by CVE-2026-44495 via org.webjars.npm:axios (>=0.19.0 <=0.5.4)

org.webjars.npm:axios MAVEN version =0.19.0, =1.0.0, =1.0.1, =2.0.0, =1.0.4, =1.0.14 - org.webjars.npm:peacetrue-js =1.0.5 and more Source cves: CVE-2026-44495 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-17111061...

axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`

Vulnerability Disclosure: Full Man-in-the-Middle via Prototype Pollution Gadget in config.proxy Summary The Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full...

dicom-transfer-syntax-registry (>=0.8.2 <=0.9.1), dset (>=0.1.0 <=0.1.2) +10 more potentially affected by unknown CVE via jxl-grid (>=0.1.1 <=0.5.3)

jxl-grid CARGO version =0.1.1, =0.8.2, =0.1.0, =0.1.1, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.4.0, =0.5.0-rc0 Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2026-0151...

Malicious code in @t-in-one/add_application_tid (npm)

Wave 2 of a dependency confusion attack campaign C2: oob.moika.tech targeting internal npm scopes. The attacker npm user t-in-one, email [email protected] published packages at inflated versions that resolve ahead of private registry versions via npm's default version resolution. The campaign...

PT-2026-45060

Summary Type: Insecure Direct Object Reference. The dependency endpoints POST/GET /workspaces/workspace id/issues/issue id/dependencies and DELETE .../dependencies/dep id gate access on require workspace memberworkspace id only, then dispatch to DependencyService calls that take URL/body-supplied...

Malicious code in @t-in-one/prefill_credit_data_token (npm)

Wave 2 of a dependency confusion attack campaign C2: oob.moika.tech targeting internal npm scopes. The attacker npm user t-in-one, email [email protected] published packages at inflated versions that resolve ahead of private registry versions via npm's default version resolution. The campaign...

Malicious code in @t-in-one/only_difference_payload (npm)

Wave 2 of a dependency confusion attack campaign C2: oob.moika.tech targeting internal npm scopes. The attacker npm user t-in-one, email [email protected] published packages at inflated versions that resolve ahead of private registry versions via npm's default version resolution. The campaign...