Malicious Package

Overview @service-suppliers/fetch-suppliers-watcher-saga is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that...

CVE-2026-9818

CVE-2026-9818 is rejected/not used; this entry does not represent an active vulnerability.

CVE-2026-46177

In the Linux kernel, the following vulnerability has been resolved: ipmi: Add limits to event and receive message requests The driver would just fetch events and receive messages until the BMC said it was done. To avoid issues with BMCs that never say they are done, add a limit of 10 fetches at a...

UBUNTU-CVE-2026-46177

In the Linux kernel, the following vulnerability has been resolved: ipmi: Add limits to event and receive message requests The driver would just fetch events and receive messages until the BMC said it was done. To avoid issues with BMCs that never say they are done, add a limit of 10 fetches at a...

CVE-2026-46177

The CVE-2026-46177 issue affects the Linux kernel IPMI driver. It describes a vulnerability where the driver could continuously fetch events and receive messages from the BMC (or become stuck) due to the BMC not signaling completion or the attn bit getting stuck. The documented fix limits event/m...

CVE-2026-46177

In the Linux kernel, the following vulnerability has been resolved: ipmi: Add limits to event and receive message requests The driver would just fetch events and receive messages until the BMC said it was done. To avoid issues with BMCs that never say they are done, add a limit of 10 fetches at a...

EUVD-2026-32804

In the Linux kernel, the following vulnerability has been resolved: ipmi: Add limits to event and receive message requests The driver would just fetch events and receive messages until the BMC said it was done. To avoid issues with BMCs that never say they are done, add a limit of 10 fetches at a...

CVE-2026-46177 ipmi: Add limits to event and receive message requests

In the Linux kernel, the following vulnerability has been resolved: ipmi: Add limits to event and receive message requests The driver would just fetch events and receive messages until the BMC said it was done. To avoid issues with BMCs that never say they are done, add a limit of 10 fetches at a...

SUSE CVE-2026-45897

In the Linux kernel, the following vulnerability has been resolved: netfilter: nftcounter: serialize reset with spinlock Add a global static spinlock to serialize counter fetch+reset operations, preventing concurrent dump-and-reset from underrunning values. The lock is taken before fetching the...

SUSE CVE-2026-46042

In the Linux kernel, the following vulnerability has been resolved: mm/mempolicy: fix memory leaks in weightedinterleaveautostore weightedinterleaveautostore fetches oldwistate inside the if !input block only. This causes two memory leaks: 1. When a user writes "false" and the current mode is...

PT-2026-44300

In the Linux kernel, the following vulnerability has been resolved: ipmi: Add limits to event and receive message requests The driver would just fetch events and receive messages until the BMC said it was done. To avoid issues with BMCs that never say they are done, add a limit of 10 fetches at a...

MAL-2026-4995 Malicious code in @cloudplatform-single-spa/vcenter-virtual-machines (npm)

Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...

compliance-trestle Remote Fetching Mechanism has an Arbitrary File Write via Cache Path Traversal

Summary The compliance-trestle library's remote fetching cache mechanism HTTPSFetcher and SFTPFetcher constructs the local cache file path from the URL path component without sanitizing path traversal sequences ../. When a remote OSCAL profile references a URL with traversal in its path, the HTTP...

CVE-2026-42335

MaxKB is an open-source AI assistant for enterprise. Prior to 2.8.1, MaxKB v2.8.0 and prior are vulnerable to a server-side request forgery SSRF bypass in the OSS file service URL fetch chat/api/oss/geturl endpoint. The vulnerability exists due to inconsistent URL parsing between the urlparse...

CVE-2026-48153

Budibase is an open-source low-code platform. Prior to 3.39.0, fetchToken in the OAuth2 SDK makes a POST to a builder-supplied URL with plain node-fetch, skipping the blacklist.isBlacklisted check that every other outbound fetch path in the codebase uses. The Joi schema for the OAuth2 URL has no...

EUVD-2026-32604

Budibase is an open-source low-code platform. Prior to 3.34.8, the processUrlFile function in packages/server/src/automations/steps/ai/extract.ts uses fetchfileUrl directly without the IP blacklist validation that is consistently applied to all other automation steps. This allows an authenticated...

CVE-2026-48146 Budibase: SSRF via OAuth2 Config Validation — Missing fetchWithBlacklist Protection

Budibase is an open-source low-code platform. Prior to 3.39.0, the OAuth2 token fetch function in packages/server/src/sdk/workspace/oauth2/utils.ts uses raw fetchconfig.url with no SSRF protection. The safe wrapper fetchWithBlacklist exists in the same codebase and is used in every other outbound...

CVE-2026-48146

Budibase - CVE-2026-48146: Before 3.39.0, the OAuth2 token fetch in packages/server/src/sdk/workspace/oauth2/utils.ts calls raw fetch(config.url) without SSRF protection, while a safe wrapper fetchWithBlacklist() exists and is used for other outbound calls. This allows a user with BUILDER rights ...

CVE-2026-48146 Budibase: SSRF via OAuth2 Config Validation — Missing fetchWithBlacklist Protection

Budibase is an open-source low-code platform. Prior to 3.39.0, the OAuth2 token fetch function in packages/server/src/sdk/workspace/oauth2/utils.ts uses raw fetchconfig.url with no SSRF protection. The safe wrapper fetchWithBlacklist exists in the same codebase and is used in every other outbound...

EUVD-2026-32593

Budibase is an open-source low-code platform. Prior to 3.39.0, the OAuth2 token fetch function in packages/server/src/sdk/workspace/oauth2/utils.ts uses raw fetchconfig.url with no SSRF protection. The safe wrapper fetchWithBlacklist exists in the same codebase and is used in every other outbound...