8 matches found

OSV
added 3 days ago, 3 views

MAL-2026-5133 Malicious code in @redhat-cloud-services/compliance-client (npm)

Part of the "Mini Shai-Hulud" supply chain worm campaign that compromised the GitHub Actions OIDC trusted publisher shared by Red Hat Cloud Services npm packages. The attacker injected a preinstall hook into this and 31 other packages in the @redhat-cloud-services scope. The hook delivers a...

AI score: 5.9
Exploits: 0, References: 1

Positive Technologies
added 2026/03/04 12:0 a.m., 3 views

PT-2026-23086

Name of the Vulnerable Software and Affected Versions: CKEditor 5 versions prior to 47.6.0. Description: CKEditor 5, a JavaScript rich-text editor, contains a cross-site scripting (XSS) issue within the General HTML Support feature. This issue arises from the insertion of specially crafted markup,...

CVSS: 6.4, AI score: 5.9, EPSS: 0.00049
Exploits: 0, References: 8

RedhatCVE
added 2025/10/29 9:12 p.m., 3 views

CVE-2025-62794

GitHub Workflow Updater is a VS Code extension that automatically pins GitHub Actions to specific commits for enhanced security. Before 0.0.7, any provided Github token would be stored in plaintext in the editor configuration as json on disk, rather than through the more secure "securestorage" ap...

CVSS: 3.8, AI score: 6.8, EPSS: 0.00015
Exploits: 0, References: 1

Cvelist
added 2025/10/28 8:53 p.m., 11 views

CVE-2025-62794 GitHub Workflow Updater stored the optional Github token in plaintext

GitHub Workflow Updater is a VS Code extension that automatically pins GitHub Actions to specific commits for enhanced security. Before 0.0.7, any provided Github token would be stored in plaintext in the editor configuration as json on disk, rather than through the more secure "securestorage" ap...

CVSS: 3.8, EPSS: 0.00015
Exploits: 0, References: 3

OSV
added 2025/10/28 8:53 p.m., 2 views

CVE-2025-62794 GitHub Workflow Updater stored the optional Github token in plaintext

GitHub Workflow Updater is a VS Code extension that automatically pins GitHub Actions to specific commits for enhanced security. Before 0.0.7, any provided Github token would be stored in plaintext in the editor configuration as json on disk, rather than through the more secure "securestorage" ap...

CVSS: 3.8, AI score: 6.8, EPSS: 0.00015
Exploits: 0, References: 5

CVE
added 2025/10/28 8:53 p.m., 5 views

CVE-2025-62794

CVE-2025-62794 affects the GitHub Workflow Updater VS Code extension. Before version 0.0.7, the extension stored provided GitHub tokens in plaintext JSON in editor configuration on disk instead of using securestorage. This allowed a local attacker with read access to the user’s home directory to ...

CVSS: 3.8, AI score: 6.4, EPSS: 0.00015
Exploits: 0, References: 3

Positive Technologies
added 2025/09/03 12:0 a.m., 2 views

PT-2025-35839

Name of the Vulnerable Software and Affected Versions: ckeditor5 versions 44.2.0 through 45.2.1; ckeditor5 versions 46.0.0 through 46.0.2; ckeditor5-clipboard versions 44.2.0 through 45.2.1; ckeditor5-clipboard versions 46.0.0 through 46.0.2. Description: CKEditor 5 is a modern JavaScript rich-text...

CVSS: 2.3, AI score: 6, EPSS: 0.00207
Exploits: 0, References: 5

vulnersOsv
added 2025/08/08 6:32 p.m., 2 views

com.liferay:com.liferay.blogs.editor.config (>=1.0.0 <=2.0.0), com.liferay:com.liferay.blogs.editor.configuration (>=1.0.0 <=1.0.9) +2 more potentially affected by CVE-2025-4576 via com.liferay:com.liferay.blogs.web (>=1.0.0 <=2.0.0)

com.liferay:com.liferay.blogs.web MAVEN version =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =2.0.1 Source cves: CVE-2025-4576 Source advisory: OSV:GHSA-6QCG-28JH-HM7R...

CVSS: 6.9, AI score: 5.8, EPSS: 0.05581
Exploits: 0