MAL-2026-3768 Malicious code in npmjs_web3-util (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 263a0126b20b1d58bc0528a4b7bea19027b94383e00b5b9f03b712d96be89ca7 The package's postinstall lifecycle hook downloads a script from a personal GitHub Gist...

Malicious code in natazx (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d0514a0df660dfc4e7380f68e8533fa325ccc246ba21855975f73d3af78cd9f0 On import natazx, the package's top-level code executes several installer-hostile actions without consent: 1 it unconditionally overwrites the host's...

GHSA-7RX4-C5VX-G8W3

creationtimestamp| type| source ---|---|--- 2026-05-14 18:40:28+00:00| seen| https://gist.github.com/alon710/260608e1e5e80ae5e3b0acd83fc48ee1...

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the chromium/convert/url endpoint due to insufficient validation of redirect destinations against the deny-list. An attacker can access internal network resources and sensitive endpoints by supplying ...

CVE-2026-46481

creationtimestamp| type| source ---|---|--- 2026-05-14 15:37:25+00:00| published-proof-of-concept| https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-9vmh-whc4-7phg 2026-06-08 19:49:31+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mnshblm7jb2r...

CVE-2026-46477

creationtimestamp| type| source ---|---|--- 2026-05-14 14:18:06+00:00| published-proof-of-concept| https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-5h9v-837x-m97r 2026-06-08 17:24:21+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mns75tvowx2z...

CVE-2026-46476

creationtimestamp| type| source ---|---|--- 2026-05-14 14:17:36+00:00| published-proof-of-concept| https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-728h-4mwj-f2p4 2026-06-08 17:11:12+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mns6gihbi32r...

GHSA-Q58J-G3F4-H26H CoreShop Vulnerable to Remote Code Execution (RCE) via Insecure `pull_request_target` Configuration

Summary The GitHub Actions workflow .github/workflows/static.yml uses the pullrequesttarget trigger but dangerously checks out the unverified code from the pull request head ref: $ github.event.pullrequest.head.ref . Subsequently, it executes a script bin/console from this untrusted checkout. Thi...

CVE-2026-45799

creationtimestamp| type| source ---|---|--- 2026-05-14 11:34:06+00:00| published-proof-of-concept| https://github.com/square/wire/security/advisories/GHSA-7xpr-hc2w-34m9...

CVE-2026-46430

creationtimestamp| type| source ---|---|--- 2026-05-14 09:10:41+00:00| published-proof-of-concept| https://github.com/xyproto/algernon/security/advisories/GHSA-gj84-924c-48fx...

CVE-2026-46426

creationtimestamp| type| source ---|---|--- 2026-05-14 08:35:54+00:00| published-proof-of-concept| https://github.com/Budibase/budibase/security/advisories/GHSA-82rc-gxrg-v4gf 2026-05-27 19:19:23+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mmu7ynnjzd2q...

CVE-2026-45709

creationtimestamp| type| source ---|---|--- 2026-05-14 04:53:50+00:00| published-proof-of-concept| https://github.com/axllent/mailpit/security/advisories/GHSA-j3fj-qppj-fmmc...

CVE-2026-45793

Github Actions issued GITHUBTOKEN disclosure in GitHub Actions logs...

CVE-2026-45139

creationtimestamp| type| source ---|---|--- 2026-05-14 01:57:46+00:00| published-proof-of-concept| https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-245j-xjvr-xvm5...

GHSA-V9JR-RG53-9PGP vulnerabilities

Vulnerabilities for packages: opensearch-dashboards...

GHSA-66FF-XGX4-VCHM vulnerabilities

Vulnerabilities for packages: kubeflow-centraldashboard, renovate, pulumi, vitess...

GHSA-V974-2CJF-22Q5 vulnerabilities

Vulnerabilities for packages: linux-aws, linux-vmware...

PT-2026-41129

Summary A command injection vulnerability was identified in shivammathur/setup-php when the action resolves the PHP version from repository-controlled files and uses that value while generating the platform setup script. In affected versions, setup-php may read the PHP version from: - .php-versio...

CVE-2026-46378

creationtimestamp| type| source ---|---|--- 2026-05-13 20:50:17+00:00| published-proof-of-concept| https://github.com/TomWright/dasel/security/advisories/GHSA-m6xr-fvfg-5g64...

CVE-2026-46377

creationtimestamp| type| source ---|---|--- 2026-05-13 20:39:40+00:00| published-proof-of-concept| https://github.com/TomWright/dasel/security/advisories/GHSA-m5j3-4634-c2vq...