Embedded Malicious Code
Overview: @cap-js/sqlite is a CDS database service for SQLite. Affected versions of this package are vulnerable to Embedded Malicious Code that conceals an obfuscated payload designed to steal developer credentials during the package installation. The malicious versions and their contents are...
Embedded Malicious Code
Overview: @cap-js/db-service is a CDS base database service. Affected versions of this package are vulnerable to Embedded Malicious Code that conceals an obfuscated payload designed to steal developer credentials during the package installation. The malicious versions and their contents are activel...
Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push
Cybersecurity researchers have disclosed details of a critical security vulnerability impacting GitHub.com and GitHub Enterprise Server that could allow an authenticated user to obtain remote code execution with a single "git push" command. The flaw, tracked as CVE-2026-3854 (CVSS score: 8.7), is a...
CVE-2026-44302
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-28 17:03:58+00:00 | published-proof-of-concept | https://github.com/brantburnett/Snappier/security/advisories/GHSA-pggp-6c3x-2xmx... |
Securing GitHub: Wiz Research uncovers Remote Code Execution in GitHub.com and GitHub Enterprise Server (CVE-2026-3854)
Details on CVE-2026-3854: A critical flaw in GitHub’s internal git infrastructure enabling RCE on GitHub.com and GitHub Enterprise Server...
Securing the git push pipeline: Responding to a critical remote code execution vulnerability
On March 4, 2026, we received a vulnerability report through our Bug Bounty program from researchers at Wiz describing a critical remote code execution vulnerability affecting github.com, GitHub Enterprise Cloud, GitHub Enterprise Cloud with Data Residency, GitHub Enterprise Cloud with Enterprise...
CVE-2026-44241
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-28 15:10:06+00:00 | published-proof-of-concept | https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-8hjv-92q9-g4xj... |
CVE-2026-44240
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-28 03:41:59+00:00 | published-proof-of-concept | https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-rpmf-866q-6p89... |
SUSE CVE-2026-41414
Skim is a fuzzy finder designed to through files, lines, and commands. The generate-files job in .github/workflows/pr.yml checks out attacker-controlled fork code and executes it via cargo run, with access to SKIMRSBOTPRIVATEKEY and GITHUBTOKEN contents:write. No gates prevent exploitation - any...
CVE-2026-44226
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-27 20:15:32+00:00 | published-proof-of-concept | https://github.com/pyload/pyload/security/advisories/GHSA-c3gc-9pf2-84gg... |
CVE-2026-41414
Skim is a fuzzy finder designed to through files, lines, and commands. The generate-files job in .github/workflows/pr.yml checks out attacker-controlled fork code and executes it via cargo run, with access to SKIMRSBOTPRIVATEKEY and GITHUBTOKEN contents:write. No gates prevent exploitation - any...
CVE-2026-44222
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-27 18:00:06+00:00 | published-proof-of-concept | https://github.com/vllm-project/vllm/security/advisories/GHSA-hpv8-x276-m59f... |
CVE-2026-43881
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-27 15:02:44+00:00 | published-proof-of-concept | https://github.com/WWBN/AVideo/security/advisories/GHSA-6rvw-7p8v-mjfq... |
Checkmarx Confirms GitHub Repository Data Posted on Dark Web After March 23 Attack
Checkmarx has disclosed that its ongoing investigation tied to the supply chain security incident has revealed that a cybercriminal group published data related to the company on the dark web. "Based on current evidence, we believe this data originated from Checkmarx's GitHub repository, and that...
CVE-2026-42045
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-27 05:24:20+00:00 | published-proof-of-concept | https://github.com/lobehub/lobehub/security/advisories/GHSA-xq4x-622m-q8fq... |
Linux Distros Unpatched Vulnerability : CVE-2026-41414
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Skim is a fuzzy finder designed to through files, lines, and commands. The generate-files job in .github/workflows/pr.yml checks out attacker-controlled fork co...
Malicious code in robase-gui (PyPI)
Source: kam193 (ffbeda05758af4fb3c32de434df674102718336d499124f08b158271e4a08f7e). During installation the package downloads and runs a malicious executable. Likely a continuation of 2026-03-rowrap. The campaign is built over a malicious Roblox API...
Arbitrary Command Injection
Overview: ssh-mcp is an MCP server exposing SSH control for Linux and Windows systems via the Model Context Protocol. Affected versions of this package are vulnerable to Arbitrary Command Injection via the shell.write function. An attacker can execute arbitrary system commands by supplying crafted inpu...
SQL Injection
Overview: Affected versions of this package are vulnerable to SQL Injection via the ExecuteSQL function. An attacker can execute arbitrary SQL commands by supplying crafted input to the application. Remediation: A fix was pushed into the master branch but not yet published. References: - GitHub Comm...
@agentholdings/agent-passport (>=0.1.0 <=0.1.5), @chrysb/alphaclaw (>=0.8.3 <=0.9.5) +21 more potentially affected by unknown CVE via openclaw (>=0.0.1 <=2026.4.2)
openclaw NPM version =0.0.1, =0.1.0, =0.8.3, =0.1.0, =2026.3.25, =27.2.5, =1.1.0, =2.1.3, =2026.3.24-3, =0.14.39, =0.1.0, =0.1.1, =0.2.18 - @xmoxmo/bncr =0.0.8 - morpho-vault-manager =0.1.0 and more Source cves: unknown CVE Source advisory: OSV:GHSA-J4C5-89F5-F3PM...