
10 matches found

EUVD, added 2025/10/03 8:07 p.m., 2 views

EUVD-2025-27479

Malicious code in bioql PyPI...

CVSS 7.2, AI score 6.6, EPSS 0.00077
Exploits 0, References 1
EUVD, added 2025/10/03 8:07 p.m., 3 views

EUVD-2021-28255

Malicious code in bioql PyPI...

CVSS 8.8, AI score 8.4, EPSS 0.00126
Exploits 0, References 5
RedhatCVE, added 2025/09/11 10:23 p.m., 2 views

CVE-2025-59038

Prebid.js is a free and open source library for publishers to quickly implement header bidding. NPM users of prebid 10.9.2 may have been briefly compromised by a malware campaign. The malicious code attempts to redirect crypto transactions on the site to the attackers' wallet. Version 10.10.0 fix...

CVSS 8.6, AI score 7.1, EPSS 0.00116
Exploits 0, References 1
Vulnrichment, added 2025/09/09 8:26 p.m., 1 view

CVE-2025-59037 DuckDB NPM packages 1.3.3 and 1.29.2 briefly compromised with malware

DuckDB is an analytical in-process SQL database management system. On 08 September 2025, the DuckDB distribution for Node.js on npm was compromised with malware along with several other packages. An attacker published new versions of four of DuckDB's packages that included malicious code to...

CVSS 8.6, AI score 7.1, EPSS 0.00096
Exploits 0, References 3
Vulnrichment, added 2025/09/09 7:43 p.m., 2 views

CVE-2025-58435 Open OnDemand didn't rotate password for VNC batch_connect

Open OnDemand is an open-source HPC portal. Prior to versions 3.1.15 and 4.0.7, noVNC interactive applications did not correctly rotate the password when TurboVNC was higher than version 3.1.2. The likelihood of exploitation is low as a user would need to share their link to an active desktop...

CVSS 7.2, AI score 6.2, EPSS 0.00077
Exploits 0, References 1
Snyk, added 2025/08/18 7:41 p.m., 1 view

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via improper enforcement of authorization policies in the Check and ListObject processes. Note: The users are affected under the following preconditions: - Check API or ListObjects are called with an authorizatio...

CVSS 8.5, AI score 6.9, EPSS 0.00114
Exploits 0, References 2
NVD, added 2025/05/12 11:15 a.m., 17 views

CVE-2025-47271

The OZI action is a GitHub Action that publishes releases to PyPI and mirror releases, signature bundles, and provenance in a tagged release. In versions 1.13.2 through 1.13.5, potentially untrusted data flows into PR creation logic. A malicious actor could construct a branch name that injects...

CVSS 8.7, EPSS 0.00329
Exploits 0, References 2
CVE, added 2025/05/12 10:52 a.m., 47 views

CVE-2025-47271

CVE-2025-47271 concerns the OZI-project/ozi-publish GitHub Action. Affected versions are 1.13.2 through 1.13.5, where untrusted data flows into PR creation logic could allow a malicious actor to craft a branch name that injects arbitrary code. This vulnerability is patched in 1.13.6; a workaround...

CVSS 8.7, AI score 6.6, EPSS 0.00329
Exploits 0, References 2
RustSec, added 2025/01/15 12:00 p.m., 4 views

`root` appended to group listings

Affected versions append root to group listings, unless the correct listing has exactly 1024 groups. This affects both: - The supplementary groups of a user - The group access list of the current process If the caller uses this information for access control, this may lead to privilege escalation...

CVSS 7.1, AI score 6.8, EPSS 0.0003
Exploits 0, Affected Software 1
Prion, added 2021/10/13 2:15 p.m., 9 views

Code injection

Minio is a Kubernetes native application for cloud storage. All users on release RELEASE.2021-10-10T16-53-30Z are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, checkKeyValid should return owner true for rootCreds. In the affected version, poli...

CVSS 6.5, AI score 8.4, EPSS 0.00126
Exploits 0, References 4, Affected Software 1