Fedora 44 : rust-sequoia-cert-store / rust-sequoia-chameleon-gnupg / etc (2026-5c5f4f40a4)

The remote Fedora 44 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2026-5c5f4f40a4 advisory. - Update the sequoia-wot crate to version 0.15.2. - Update the sequoia-keystore crate to version 0.7.3. This includes a rebuild of all dependent applications...

5gasp-cli (>=0.1.0 <=0.4.0), agentos (>=0.1.0 <=0.2.0) +617 more potentially affected by CVE-2026-42305 via dulwich (>=0.16.3 <=1.0.0)

dulwich PYPI version =0.16.3, =0.1.0, =0.1.0, =0.5.1, =21.7.1, =0.0.1, =0.1.0, =1.3.4, =2023.2.21, =0.12.0, =0.1.0, =0.2.0, =0.2.0, =0.2.1, =0.5.1 and more Source cves: CVE-2026-42305 Source advisory: OSV:GHSA-897W-FCG9-F6XJ...

@antv/f-charts (=0.0.0), @antv/f2 (>=5.0.27 <=5.14.0) +7 more potentially affected by unknown CVE via @antv/f-lottie (=1.10.0)

@antv/f-lottie NPM version =1.10.0 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/f-lottie and may be impacted: - @antv/f-charts =0.0.0 - @antv/f2 =5.0.27, =5.0.0-alpha.1, =5.0.0-alpha.1, =5.0.1, =0.1.6, =0.9.5 Source cves: unknown CVE Source...

@antv/g-canvas (>=2.0.0 <=2.0.52), @antv/g-canvaskit (>=1.0.0 <=1.0.51) +9 more potentially affected by unknown CVE via @antv/g-plugin-html-renderer (>=2.0.0 <=2.3.1)

@antv/g-plugin-html-renderer NPM version =2.0.0, =2.0.0, =1.0.0, =1.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.56 - @antv/g6 =5.0.46 - @antv/g6-extension-3d =0.1.20 - @antv/s2 =2.4.12-alpha.1 Source cves: unknown CVE Source advisory: SNYK:JS-ANTVGPLUGINHTMLRENDERER-16755116...

aratinga (=0.1.0a0.dev3), coop (>=7.1.0 <=7.2.1) +7 more potentially affected by CVE-2026-44197 via wagtail (>=7.1.0 <=7.2.3)

wagtail PYPI version =7.1.0, =7.1.0, =1.1.1, =2.0.0, =0.0.1, =7.1.0a1, =7.2.0b0 Source cves: CVE-2026-44197 Source advisory: SNYK:PYTHON-WAGTAIL-16624541...

@aurora-nexus/aurora-nexus-design-system (=0.2.0), @fireproof/core-protocols-dashboard (>=0.24.3-dev-20261224 <=0.24.12) +6 more potentially affected by CVE-2026-42349 via @clerk/shared (>=3.36.0 <=3.45.1)

@clerk/shared NPM version =3.36.0, =0.24.3-dev-20261224, =0.24.3-dev-20261224, =0.24.3-dev-20261224, =0.0.14, =0.18.25-dev, =0.24.3-dev-20261224, =0.18.25-dev, =0.18.28-dev Source cves: CVE-2026-42349 Source advisory: SNYK:JS-CLERKSHARED-16347746...

a-mailx (=0.1.0), a-move-files-by-excel (>=0.1.0 <=0.1.1) +4209 more potentially affected by CVE-2026-41066 via lxml (>=3.2.3 <=6.0.4)

lxml PYPI version =3.2.3, =0.1.0, =0.1.0, =0.1.0, =0.9.1, =1.0.2, =0.1.0, =0.3.0, =0.3.5, =0.3.0, =0.3.0, =0.2.5, =0.1.0, =0.0.2, =1.13.4 and more Source cves: CVE-2026-41066 Source advisory: OSV:GHSA-VFMQ-68HX-4JFW...

@agentholdings/agent-passport (>=0.1.0 <=0.1.5), @chrysb/alphaclaw (>=0.8.3 <=0.9.5) +16 more potentially affected by CVE-2026-43535 via openclaw (>=2026.3.22 <=2026.4.12)

openclaw NPM version =2026.3.22, =0.1.0, =0.8.3, =0.1.0, =2026.3.25, =2026.3.24-3, =0.14.39, =0.1.0, =0.1.1, =2.0.1, =0.0.7, =0.0.11 and more Source cves: CVE-2026-43535 Source advisory: SNYK:JS-OPENCLAW-16109728...

companies.sh (>=2026.324.0-canary.0 <=2026.325.0-canary.3), corporateai (=2026.328.0-canary.0) +3 more potentially affected by unknown CVE via @paperclipai/server (>=2026.318.0-canary.0 <=2026.416.0-canary.1)

@paperclipai/server NPM version =2026.318.0-canary.0, =2026.324.0-canary.0, =2026.3.17-canary.3, =0.6.5, =0.6.6 Source cves: unknown CVE Source advisory: SNYK:JS-PAPERCLIPAISERVER-16420265...

RUSTSEC-2026-0101 `safe-agent-rs` was removed from crates.io for being affiliated with malicious code

While safe-agent-rs did not directly contain malicious code, it was owned by the same user as pretty-changelog-logger and microsoftsystem64. safe-agent-rs also appeared to be imitating a different websocket library. We decided to remove it out of an abundance of caution. This crate had 2 versions...

RUSTSEC-2026-0100 `pretty-changelog-logger` was removed from crates.io for malicious code

pretty-changelog-logger contains a build script build.rs that acts as a loader/dropper for malicious payloads. The malicious crate had 3 versions published on 2026-04-08 that had a total of 2239 downloads. There were no crates depending on this crate on crates.io. Thanks to Socket.dev for detecti...

@0xwork/connect (>=0.1.0 <=0.1.7), @agentholdings/agent-passport (>=0.1.0 <=0.1.5) +23 more potentially affected by CVE-2026-41911 via openclaw (>=0.0.1 <=2026.4.5)

openclaw NPM version =0.0.1, =0.1.0, =0.1.0, =0.8.3, =0.1.0, =2026.3.25, =0.0.0, =27.2.5, =1.1.0, =2.1.3, =2026.3.24-3, =0.14.39, =0.1.0, =0.1.1, =0.2.18 and more Source cves: CVE-2026-41911 Source advisory: OSV:GHSA-5FC7-F62M-8983...

@agentholdings/agent-passport (>=0.1.0 <=0.1.5), @chrysb/alphaclaw (=0.8.3-beta.1) +11 more potentially affected by unknown CVE via openclaw (>=2026.3.22 <=2026.3.24)

openclaw NPM version =2026.3.22, =0.1.0, =2026.3.25, =2026.3.24-3, =0.14.39, =0.1.1, =2.0.1, =0.0.7, =0.14.6, =0.1.0, =0.1.5 Source cves: unknown CVE Source advisory: SNYK:JS-OPENCLAW-15928854...

org.apache.activemq:activemq-osgi (>=6.0.0 <=6.2.1), org.apache.activemq:activemq-unit-tests (>=6.0.0 <=6.2.1) +4 more potentially affected by CVE-2026-33227 via org.apache.activemq:activemq-stomp (>=6.0.0 <=6.2.1)

org.apache.activemq:activemq-stomp MAVEN version =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.2.1 - org.fcrepo:fcrepo-jms =7.0.0-RC1 - org.fcrepo:fcrepo-webapp =7.0.0-RC1 Source cves: CVE-2026-33227 Source advisory: SNYK:JAVA-ORGAPACHEACTIVEMQ-15930951...

corradin-opioid-project (=0.1.0), eensight (>=1.0.0 <=1.0.2) +48 more potentially affected by CVE-2026-35167 via kedro (>=0.15.9 <=1.0.0)

kedro PYPI version =0.15.9, =1.0.0, =0.1.0, =0.1.0, =0.1.9, =0.1.0, =0.0.4, =0.1.0, =0.2.1, =0.1.0, =0.1.0, =0.3.0, =0.5.1 and more Source cves: CVE-2026-35167 Source advisory: OSV:GHSA-6326-W46W-PPJW...

@agentholdings/agent-passport (>=0.1.0 <=0.1.5), @chrysb/alphaclaw (>=0.8.3 <=0.9.0-beta.7) +13 more potentially affected by CVE-2026-41397 via openclaw (>=2026.3.22 <=2026.3.28)

openclaw NPM version =2026.3.22, =0.1.0, =0.8.3, =0.1.0, =2026.3.25, =2026.3.24-3, =0.14.39, =0.1.1, =2.0.1, =0.0.7, =0.14.6, =0.1.0, =0.1.5 - tokaroo-openclaw-provider =0.1.1 Source cves: CVE-2026-41397 Source advisory: SNYK:JS-OPENCLAW-15894828...

airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plug (=1.6.2) +37 more potentially affected by CVE-2026-28563 via apache-airflow-core (>=3.0.0 <=3.1.8)

apache-airflow-core PYPI version =3.0.0, =0.7.0, =1.5.0, =0.6.1, =1.10.7, =0.6.0, =0.1.0, =1.4.3, =1.2.10, =0.1.1, =3.0.0, =1.6.0, =1.5.3, =1.25.0, =3.12.0, =3.12.0rc1 and more Source cves: CVE-2026-28563 Source advisory: SNYK:PYTHON-APACHEAIRFLOWCORE-15674492...

`chrono_anchor` was removed from crates.io due to malicious code

The chronoanchor crate attempted to exfiltrate .env files to a server that was in turn impersonating the legitimate timeapi.io service. The malicious crate had 1 version published on 2026-03-04 approximately 6 days before removal and had no evidence of actual downloads. There were no crates...

GHSA-MH23-RW7F-V5PQ `time-sync` was removed from crates.io due to malicious code

The time-sync crate attempted to exfiltrate .env files to a server that was in turn impersonating the legitimate timeapi.io service. This the same attack that we've seen three times in the last few days. The malicious crate had 1 version published on 2026-03-04 approximately 50 minutes before...

`time_calibrator` was removed from crates.io due to malicious code

It was reported timecalibrator contained malicious code, that would try to upload .env files to a server. The malicious crate had only 1 version published at 2026-02-28 and no evidence of actual usage. The crate was removed from crates.io and the user account was locked. There were no crates...