CVE-2026-45692

Caddy is an extensible server platform that uses TLS by default. From 2.4.0 until 2.11.3, the authorization layer and the /config traversal layer do not agree on what object the path refers to. In this case, a path authorized for one config object is accepted, but then resolves to a different...

MAL-2026-6015 Malicious code in @mastra/deployer (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware cbd99dea462f2f28099ae0f57cd6c89edd76f08476cd9a6265b1c23defcd2b23 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in @mastra/sentry (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware a90a9fe05b300ccd70f99da266200500c5b05657bf9fbc3bee7d0f1ceeecbce0 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in vemos-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 4dbc534054236541dc79f97538525221204d7e83cea2c28b496c0f6bedf70ee7 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

CVE-2026-54410

creationtimestamp| type| source ---|---|--- 2026-06-14 19:00:13+00:00| seen| https://bsky.app/profile/thehackerwire.bsky.social/post/3mobhcwfd6s2w 2026-06-14 20:02:59+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mobkt6lb7w2r...

SUSE CVE-2026-46520

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, when reading multiple images with different dimensions an out of bounds heap write can occur. This issue has been patched in versions 6.9.13-48 and 7.1.2-23...

MAL-2026-5672 Malicious code in vqlxjmpr (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector aeb63fbed71a85092bf04cb120b4d1f19a3edaa74ac1c0cb47ce36f622d0062e Package is published as a generic 'Utility library' under an opaque name vqlxjmpr with no repository or homepage, but its sole exported function...

Malicious code in @iobeya/spa-auth (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware f9a974281dcc6456d815e6cb8b755c3084c7ba2d4026264474e459681a9a25cb Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

curl: Duplicate chunked Transfer-Encoding lets a malicious origin smuggle a response across reused HTTP proxy connections

TL;DR A malicious HTTP origin can send Transfer-Encoding: chunked, chunked, gzip through a reusable HTTP proxy connection to bypass curl's "chunked must be last" guard, queue a forged HTTP response after its own response, and make curl parse that queued data as the response for a later request to...

MAL-2026-5546 Malicious code in @common-stack/generate-plugin (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware b54a3dc296ec3f6dbded973e24aa9794b498cc1e8305fc3d1f88a4fdff7335df Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

CVE-2026-46520

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, when reading multiple images with different dimensions an out of bounds heap write can occur. This issue has been patched in versions 6.9.13-48 and 7.1.2-23...

CVE-2026-46520 ImageMagick: Heap Buffer Over-Write in IPL decoder when reading multiple images of different dimensions

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, when reading multiple images with different dimensions an out of bounds heap write can occur. This issue has been patched in versions 6.9.13-48 and 7.1.2-23...

CVE-2026-46520

ImageMagick contains a vulnerability (CVE-2026-46520) where reading multiple images with differing dimensions can trigger an out-of-bounds heap write in the IPL decoder. Affected releases prior to the patch are 6.9.13-48 and 7.1.2-23; the issue is fixed in those versions. The CVSS metrics indicat...

Malicious code in crypto-promise-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 00594a3ae015e55e13c94c904866eae7b86a39b904b2d79469c4b59508c3918f Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in martinez-polygon-clipping-simul-dalton (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware fc17081752344fc57ebe6468de5909582aa81fb2957e605ee81aa46252150a0f Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

FreeBSD Security Advisory - FreeBSD-SA-26:35.openssl

FreeBSD Security Advisory - Multiple issues have been reported as part of this advisory with different issues affecting different OpenSSL versions and therefore different FreeBSD versions...

USN-8378-1: libwww-perl vulnerability

It was discovered that libwww-perl incorrectly handled redirects. A remote attacker could possibly use this issue to obtain sensitive information by causing Authorization headers to be sent to a different host...

MAL-2026-5103 Malicious code in @osamdefeirrighs/testhackfrrferrr (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware cc1c3467aded71e3ee2e4dbb16bac4d9257a03410188ea98624a09a4263825c9 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-5111 Malicious code in @redhat-cloud-services/chrome (npm)

Part of the "Mini Shai-Hulud" supply chain worm campaign that compromised the GitHub Actions OIDC trusted publisher shared by Red Hat Cloud Services npm packages. The attacker injected a preinstall hook into this and 31 other packages in the @redhat-cloud-services scope. The hook delivers a...

Malicious code in private-next-instrumentation-client (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 6453af923aa8f8a1c7ab67406fc29c333830e59f44ea080bbb5c3c6727e0aef2 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...