4243 matches found

OSV
added 2025/09/26 9:37 a.m., 1 views

MAL-2025-47694 Malicious code in ng-dev (npm)

--- -= Per source details. Do not edit below this line.=-...

7 AI score
Exploits 0

RedHat Linux
added 2025/09/25 11:13 a.m., 1 views

Moderate: Red Hat Security Advisory: Red Hat Developer Hub 1.6.5 release.

Red Hat Developer Hub 1.6.5 has been released. Red Hat Developer Hub RHDH is Red Hat's enterprise-grade, self-managed, customizable developer portal based on Backstage.io. RHDH is supported on OpenShift and other major Kubernetes clusters AKS, EKS, GKE. The core features of RHDH include a single...

7.5 CVSS, 6.5 AI score, 0.00257 EPSS
Exploits 1, References 8

OSV
added 2025/09/24 7:21 p.m., 3 views

GO-2025-3967 esm.sh has arbitrary file write via path traversal in `X-Zone-Id` header in github.com/esm-dev/esm.sh

esm.sh has arbitrary file write via path traversal in X-Zone-Id header in github.com/esm-dev/esm.sh...

6.9 CVSS, 7.2 AI score, 0.06448 EPSS
Exploits 2, References 5

NVD
added 2025/09/24 4:15 p.m., 5 views

CVE-2025-27037

Memory corruption while processing configdev IOCTL when camera kernel driver drops its reference to CPU buffers...

7.8 CVSS, 0.00019 EPSS
Exploits 0, References 1

Cvelist
added 2025/09/24 3:33 p.m., 5 views

CVE-2025-27037 Use After Free in Camera Driver

Memory corruption while processing configdev IOCTL when camera kernel driver drops its reference to CPU buffers...

7.8 CVSS, 0.00019 EPSS
Exploits 0, References 1

OSV
added 2025/09/24 11:15 a.m., 3 views

AZL-72338 CVE-2024-58241 affecting package kernel 6.6.126.1-1

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: Disable works on hci_unregister_dev. This make use of disable_work_* on hci_unregister_dev since the hci_dev is about to be freed new submissions are not disarable...

5.5 CVSS, 5.6 AI score, 0.0002 EPSS
Exploits 0, References 1

OSV
added 2025/09/24 11:15 a.m., 2 views

AZL-72334 CVE-2024-58241 affecting package kernel 5.15.200.1-1

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: Disable works on hci_unregister_dev. This make use of disable_work_* on hci_unregister_dev since the hci_dev is about to be freed new submissions are not disarable...

5.5 CVSS, 5.6 AI score, 0.0002 EPSS
Exploits 0, References 1

NVD
added 2025/09/24 11:15 a.m., 4 views

CVE-2024-58241

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: Disable works on hci_unregister_dev. This make use of disable_work_* on hci_unregister_dev since the hci_dev is about to be freed new submissions are not disarable...

5.5 CVSS, 0.0002 EPSS
Exploits 0, References 2

CVE
added 2025/09/24 11:2 a.m., 13 views

CVE-2024-58241

CVE-2024-58241 is a Linux kernel vulnerability affecting the Bluetooth stack. The issue arises in Bluetooth: hci_core where, on hci_unregister_dev, submissions using disable_work_* are not disablable because the associated hci_dev is about to be freed. The provided connected documents confirm the...

5.5 CVSS, 6.1 AI score, 0.0002 EPSS
Exploits 0, References 2, Affected Software 1

SUSE Linux
added 2025/09/23 7:55 a.m., 1 views

Security update for kernel-livepatch-MICRO-6-0_Update_9

This update for kernel-livepatch-MICRO-6-0_Update_9 fixes the following issues: CVE-2025-38498: do_change_type: refuse to operate on unmounted/not ours mounts (bsc#1247499). CVE-2025-38555: usb: gadget : fix use-after-free in composite_dev_cleanup (bsc#1248298). Patch Instructions: To install this SUSE update...

8.5 CVSS, 7.1 AI score, 0.00088 EPSS
Exploits 0, References 8

Vulnrichment
added 2025/09/23 6:0 a.m., 1 views

CVE-2025-39888 fuse: Block access to folio overlimit

In the Linux kernel, the following vulnerability has been resolved: fuse: Block access to folio overlimit. syz reported a slab-out-of-bounds Write in fuse_dev_do_write. When the number of bytes to be retrieved is truncated to the upper limit by fc->max_pages and there is an offset, the oob is triggered...

6 AI score, 0.00021 EPSS
Exploits 0, References 2

Cvelist
added 2025/09/23 6:0 a.m., 3 views

CVE-2025-39888 fuse: Block access to folio overlimit

In the Linux kernel, the following vulnerability has been resolved: fuse: Block access to folio overlimit. syz reported a slab-out-of-bounds Write in fuse_dev_do_write. When the number of bytes to be retrieved is truncated to the upper limit by fc->max_pages and there is an offset, the oob is triggered...

0.00021 EPSS
Exploits 0, References 2

CVE
added 2025/09/23 6:0 a.m., 17 views

CVE-2025-39888

CVE-2025-39888 concerns a Linux kernel issue in fuse: Block access to folio overlimit. A slab-out-of-bounds write occurred in fuse_dev_do_write when the OOB condition could trigger if bytes to retrieve are truncated to fc->max_pages and an offset is present. The root cause was not fully detail...

7.8 CVSS, 6 AI score, 0.00021 EPSS
Exploits 0, References 2, Affected Software 1

Wolfi
added 2025/09/20 2:20 p.m., 5 views

GHSA-GWRF-JF3H-W649 vulnerabilities

Vulnerabilities for packages: gostatsd, pvc-autoresizer, php-fpmexporter, vexctl, gitlab-runner, ctop, gitsign, secrets-store-csi-driver-provider-aws, shfmt, grafana-operator, kube-vip, docker-credential-ecr-login, bank-vaults, mongodb-kubernetes-operator, container-object-storage-interface,...

5.4 AI score
Exploits 0

Cvelist
added 2025/09/19 3:30 p.m., 7 views

CVE-2025-59427 Cloudflare vite plugin exposes secrets over the built-in dev server

The Cloudflare Vite plugin enables a full-featured integration between Vite and the Workers runtime. When utilising the Cloudflare Vite plugin in its default configuration, all files are exposed by the local dev server, including files in the root directory that contain secret information such as...

6.3 CVSS, 0.00118 EPSS
Exploits 0, References 4

CVE
added 2025/09/19 3:30 p.m., 14 views

CVE-2025-59427

The Cloudflare Vite plugin is vulnerable when used in its default configuration, exposing all files on the local dev server (including root files like .env and .dev.vars) via the Workers runtime integration. Affected: Cloudflare Vite plugin within the Cloudflare Workers SDK. Root cause: default d...

6.3 CVSS, 6 AI score, 0.00118 EPSS
Exploits 0, References 4

OSV
added 2025/09/19 3:30 p.m., 4 views

CVE-2025-59427 Cloudflare vite plugin exposes secrets over the built-in dev server

The Cloudflare Vite plugin enables a full-featured integration between Vite and the Workers runtime. When utilising the Cloudflare Vite plugin in its default configuration, all files are exposed by the local dev server, including files in the root directory that contain secret information such as...

6.3 CVSS, 6.2 AI score, 0.00118 EPSS
Exploits 0, References 6

RedhatCVE
added 2025/09/19 12:29 a.m., 6 views

CVE-2025-56648

npm parcel 2.0.0-alpha and before has an Origin Validation Error vulnerability. Malicious websites can send XMLHTTPRequests to the application's development server and read the response to steal source code when developers visit them. Mitigation: Mitigation for this issue is either not available o...

6.5 CVSS, 6.5 AI score, 0.00013 EPSS
Exploits 1, References 6

OSV
added 2025/09/18 2:15 p.m., 2 views

DEBIAN-CVE-2023-53376

In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Use number of bits to manage bitmap sizes. To allocate bitmaps, the mpi3mr driver calculates sizes of bitmaps using byte as unit. However, bitmap helper functions assume that bitmaps are allocated using unsigned long...

7.1 CVSS, 6.1 AI score, 0.00011 EPSS
Exploits 0, References 1

OSV
added 2025/09/18 1:33 p.m., 4 views

CVE-2023-53376 scsi: mpi3mr: Use number of bits to manage bitmap sizes

In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Use number of bits to manage bitmap sizes. To allocate bitmaps, the mpi3mr driver calculates sizes of bitmaps using byte as unit. However, bitmap helper functions assume that bitmaps are allocated using unsigned long...

7.1 CVSS, 6.1 AI score, 0.00011 EPSS
Exploits 0, References 6